I’ve often said that guilt is not a useful emotion, and in particular I’ve always thought that “white guilt” was whiny self-serving bullshit. White people can choose to leave the status quo as it is, with all the institutional, unconscious, and direct ways that white people are privileged in American and other cultures. Or we can choose to take action to support equality – to stand in solidarity with people of colour and recognize their full humanity. Acts like the white supremacist terrorist assault on the Emanuel African Methodist Episcopal Church in Charleston last week are stark reminders that there are white people who most definitely do not recognize that humanity. In the wake of such violence, doing nothing says that you are ok with the world as it is.
Inspired in part by my friend Val’s earlier donations, but in particular by Zoé S.’s tweet:
If you're a white person who has ever uttered "I wish I could do more," there's a 86% chance you could be doing far more than you are.
Black Women’s Blueprint works “to develop a culture where women of African descent are fully empowered and where gender, race and other disparities are erased” through research, historical documentation, and movement-building. Follow @BlackWomensBP on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching – you’ll need to get the match by looking up JustGive (EIN 94-3331010) in your employer’s matching system and designating the donation towards BWB.
The Equal Justice Initiative works “to reform the criminal justice system, challenge poverty and the legacy of racial injustice, educate the public and policymakers, and create hope in marginalized communities.” Follow @eji_org on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching.
Giving to any (or all!) of these four organizations is a direct way to fight racism and white supremacy in the United States. Guilt is useless. Take action.
Please feel free to leave comments with links to other organizations which fight for racial justice in the US and around the world.
I grew up pretty much smack dab on the middle of the Canadian Shield, one of the more seismically stable places on the planet. Now that I live in San Francisco, I’m basically always thinking about how to survive an earthquake. When I went to hang some pictures, this ended up being a major research project, so for all my Canadian friends in the Bay Area or just other paranoid types, here’s what you need to have pictures hung as well as these:
1) OOK Tremor Hangers – these babies have a clip to keep your cable from jumping out of the hook, and come with OOK’s excellent hardened picture-hanging nails. The kit I linked to is the best deal for a bunch of them; if you need fewer, check out Home Depot. One alternative which some friends speak highly of but which I haven’t tried are the Quakehold “maze” style hangers – these might be easier to find at your hardware store, too.
2) Quakehold Putty – it’s like the blue sticky tacky stuff used to put posters up in camp and university dorms, except it doesn’t stain everything that nasty greasy blue. There’s even a clear version for sticking glassware to shelves etc.
3) 3M Picture Hanging Strips – I could write a whole blog post about how much I freaking love 3M Command Adhesive stuff. It’s the best. The picture strips are this weird velcro-like stuff that is great for hanging lightweight stuff on its own, or also are great at stabilizing and load-balancing in conjunction with the OOK hangers.
Those will do you right for drywall walls. If you’re a renter and nervous about your landlord noticing your hasty post-move-out spackle job, I highly recommend the 3M Sticky Nails. They don’t have clips like the OOKs, but if you’ve got quake putty and the hanging strips you’ll be alright up to a point. There’s a version for sawtooth type picture frames (which I hate), or wire-backed.
I had one concrete wall at my first SF apartment (the one that jacked up my rent by $500/mo when the lease was up for renewal… needless to say I don’t live there any more) and this taught me the joys of hard wall hangers. These are plastic hooks with small nails embedded in them, which will get just enough grip on a concrete wall to hold up a pretty large picture. I was nervous about the cable “jumping” out of the anchor, so I fashioned a complicated arrangement where I sandwiched the cable between the anchor hook on the bottom and a 3M Command “sticky nail” on top to keep the wire from jumping. And earthquake putty on both the anchor hook itself as well as a couple places on the frame. And 3M picture strips on the sides. This was a real belt and suspenders kinda operation…
I’ve linked to products on Amazon, but Home Depot carries all of these as well, and the Container Store has quake putty and the full assortment of 3M Command delights. Cole Fox, which is a wonderful local hardware chain in SF, carries putty, 3M stuff, and hard wall hangers, the “maze” hangers, and some safety/tremor hangers that look similar to the OOK ones.
Most anyone I know will confirm that I love telling stories. I stew on and re-tell anecdotes, and given enough of them on a given topic string them together into theories – theories of organization, models to understand and change the world. I sometimes forget that I’ve told you a particular story before, and tell it again – sorry about that :)
I’m a big fan of the CBC’s annual Massey Lectures, and one of my favourites is Thomas King’s “The Truth About Stories: A Native Narrative” from 2003. In it, King tells us as a sort of refrain or chorus that “the truth about stories is that’s all we are.” It’s one of those lines that gets under your skin, that sticks with you. It’s stuck with me for over a decade.
He closes one of the stories he tells in the lectures as such:
Take Charm’s story, for instance. It’s yours. Do with it what you will. Tell it to friends. Turn it into a television movie. Forget it. But don’t say in the years to come that you would have lived your life differently if only you had heard this story. You’ve heard it now.
This is we tell stories – in the hopes of sharing things we’ve learned, of giving another person data to “life their life differently” – whether by choosing to take a particular story into account, or to not do so. We tell stories in the hopes that we’ll help others make better mistakes. Or at least, different ones.
I’ve been trying to write more lately, and one metric I’ve been using is that if I tell a story more than three times, I should blog about it. So far this has resulted in dozens of drafts strewn across WordPress, Trello, and Google Drive, but I found myself telling people my idea that if you tell a story three times you should blog it… at least three times, so here we are.
Some of the stories I am hoping to tell this year:
finishing my series of posts on undermanagement in tech
The ISC2 is running their annual salary survey, but I want something a bit more personal, and hopefully, localized. So I’m going to run my own survey. Hopefully I don’t end up regretting this :)
Send me as much or as little of the following via FB message, email (salaries at hypatia dot ca), Twitter DM, or carrier pigeon, and I will collate, anonymize, and publish the results:
On hire stock and cash
Annual bonus (stock and cash)
Years at current job
Total years experience
Gender / ethnicity if you’re comfortable sharing – I will only use these in aggregate because they are so identifying when one is a minority :(
Anonymization-wise, I will bucketize the titles so they aren’t too specific. I will report all figures in $10k bands and years of experience in ~3-year ranges for obfuscation purposes. For companies with fewer than 5 reports, I won’t mention the company. I’m really good at de-anonymization; I’ll apply that level of expertise to anonymizing your data. And I will delete your data once I’m done this project.
I’m pleased to announce that I am joining Mod N Labs, a new security startup accelerator based in San Francisco, as an advisor. I’ll bring my industry experience as well as diversity and inclusion expertise as we help entrepreneurs build the next generation of security companies. I’m still at Heroku as my day job – it continues to be awesome.
If you have a cool security startup idea and would like to work with an amazing community of advisors and investors, please reach out – we want to hear from you. We are particularly interested in hearing from founders who are currently underrepresented in the security industry, including women, people of colour, LGBTQ people, and people with disabilities. We recognize that there is a mountain of research showing that diverse teams perform better, and we’d be remiss in not seeking out founders as diverse as the security landscape we live in.
I myself had a scary brush with burnout in the past year, and with a lot of work and amazingly supportive colleagues I’ve gotten through it. I want to stay in this field – but I need your help to make that happen. So if you’ve ever benefited from something I said or did – had an “ah-ha!” moment, got an interview you wanted, or finally understood threat modeling – I’m asking you to donate to the organization that kept me on this side of burnout: the Ada Initiative.
“The key to the Ally Skills workshop is that it creates an environment where, with some basic ground rules, it’s possible to talk through all of those awkward day-to-day moments we all face as professionals in an industry with a gender disparity. Turning the cringeworthy into the teachable is no small feat, but the structure of the workshop makes it not only possible, but fun and surprisingly painless. Awesomesauce.” –Shawn Moyer
“As a woman in security, I thought I knew everything there was to know on the subject, and mostly attended for the promised snacks. To my surprise, I found the workshop to be deeply meaningful. It was encouraging to be in a room full of considerate people that wanted to improve their community, and it was a fantastic, introspective exercise figuring out what those improvements could be.” –Marisa Fagan
“The material presented and the trainer were both excellent, but what made it stick in a meaningful way were the stories shared by the participants. Everyone contributed thoughtfully which made it much easier to imagine how you might act on the information in real situations.” –Chet Wisniewski
Knowing that I’m not alone – that these people support me and they are going to take action when they see bad stuff going down – lets my shoulders come down from around my ears and allows me to think, hey, maybe I can keep doing this.
And here’s my second challenge: I heard from a lot of people who were unable to make the workshops in Las Vegas that they would love to attend one. So if we can raise $4096, I will personally teach a free workshop – with content I’ve written specifically for information security – in San Francisco in the next six months.
Scaling this workshop up is, to me, one of the most powerful things happening right now in working to improve conditions for women in geeky fields, and especially information security. I want you to join me in making this happen.
“It was great to have conversations, among people who support the aims of geek feminism, about how to handle situations and improve things. Online discussions tend to devolve into debating “how sexist something is”, which “side” is “overreacting”, or worse. Anyone who appreciates the depth, balance, and nuance found on the Geek Feminism wiki would enjoy one of your workshops.” –Jesse Ruderman
“It was enlightening to explore topics around sexism which, as a man in information security, I’m rarely exposed to with such honesty. The ability to have discussions with other men and women in the group was key to fully ingesting Leigh’s great skills lessons and questioning my own attitudes.” –Ryan O’Horo
There’s a great piece of Old Internet Culture called Charles’ Rules of Argument. I’ve found it to be extremely useful in how I discuss difficult issues online, in particular in deciding how to pick my battles, what I’m trying to get out of an argument, and how to fight burnout and manage my energy.
Don’t go looking for an argument [there will always be enough of those headed your way]
State your position once, speaking to the audience [it’s hard to convince people to change their minds, but you can often sway observers who are less invested in Being Correct]
Reply one more time to correct any misunderstandings of your first statement [Do this after waiting a bit for replies to roll in]
Do not reply again [IMPORTANT]
Spend time doing something fun instead [Self care! It’s a thing! You should do! Eat some ice cream, watch trashy TV, hug a friend.]
I find that I often underestimate the toll that Arguing On The Internet takes on my energy levels. It seems amusing at first and then I look up and it’s two hours later and I’m exhausted. Charles’ Rules are incredibly helpful as a tool to keep you mindful of the impact on your life that online debate can have.
I’m excited to announce that I’ll be co-teaching a workshop next Friday, September 12th with Justice Marianna Warmee of the EEOC. The workshop is the second day of two days of classes the EEOC is putting on to celebrate the 50th anniversary of the 1964 Civil Rights Act.
Content note: discussion of harassment, sexual assault, and community responses to them.
It’s Vegas Security Dog-and-Pony Show Week, and I’ve come to dread the stories I will inevitably hear about harassment and assault at Defcon and the assorted computer security events that happen around it. It’s an occupational hazard of being one of the few people speaking out about harassment in infosec – I end up being the person people vent to, a safe outlet for the terrible things people don’t feel safe airing in public. Every year, it’s the same awful litany – assault, groping, drink-spiking, and all varieties of harassment – 5-10 incidents every year for the past five years. I hear these stories from people of all genders, from respected experts and neophytes. I didn’t even attend last year, and I still heard stories. Every year, I learn that another person I once respected as a professional peer is accused of being a predator. Every year. [edit: This wasn’t my story to tell, but the latest instance of someone I had immense professional respect for being accused of rape was made public yesterday. I had no knowledge of this when I wrote this post.]
If you’re thinking “Why don’t I hear these stories?” you should know that most people who experience harassment and worse in our field are afraid to speak out publicly about the specifics of what’s happened to them. They are afraid of backlash, further harassment, and professional ostracism – and with good reason. Here’s the target of a violent attempted rape at an infosec conference, writing about her fears on a blog post she later deleted: “I don’t want to write this. I don’t want to get caught up in anything to do with this women in infosec bit. […] People I thought were my friends and colleagues have said things to me about this that have cut deeper than the actual assault ever could.” How fucked up are we as a community that someone is afraid to talk publicly about a violent assault and attempted rape by her fellow conference speaker?
And yet, my friend Jack once told me that I “see things as they are and yet manage to hang on to some optimism.” Dan Farmer’s recent post criticizing sexism at Defcon has renewed my optimism that now is the time to start making change. So I am asking you to take two leaps of faith: 1) trust me when I say that things are really bad (even worse than what you read), and 2) believe me when I say that it doesn’t need to be that way. Believe me that small interactions change behavior and change expectations around what we as a community are willing to tolerate.
If you care about making the security community a better place for women (and everyone!), here are some things you can do:
Stop tolerating casual bigotry
So someone “makes a joke” about faggots, scenewhores, or uses a racial slur. What are you going to do? Casual bigotry dehumanizes people, and tells predatory people that you will not be likely to speak out if they choose to harass someone around you – or you yourself. But you can change that by speaking up. Never underestimate the power of a simple “pardon me?” or a more direct “wow, that was a messed up thing to say.”
People will object, “Oh but it was just a joke!” Read this about how rape jokes give comfort to rapists and speak up the next time you hear a rape joke. Or people will say, “They didn’t mean it, they are just socially awkward!” This is the biggest myth of all. Socially awkward people are more likely to be the targets of predatory people, especially when predators have power over them.
Stepping up in cases like this feels awkward, but you weren’t the one making it awkward – the bigot already did. Make them own their own awkward. Push through it. That’s what change feels like. And it gets easier with practice. I also highly recommend spending some time on Captain Awkward for more on learning to handle awkward moments with grace, and Yo! Is This Racist? for snappy comebacks to racism.
Stand up to harassment
Making it clear that harassment is unacceptable helps stop it before it turns into something worse. Here are some great tactics from Hollaback, a group that works to fight street harassment:
Direct Action – As a bystander, you can directly intervene when you see a situation of street [or other] harassment by confronting the situation head on. For example, you can ask the harasser to stop bothering the person she/he is targeting.
Distraction – A bystander can take an indirect approach to intervening. For example, if you notice someone being harassed, you can approach her/him to ask for directions or say ‘hello’ as if you know them, thus de-escalating that situation.
Delegation – This is when you seek outside assistance to intervene in the situation. For example, a bystander can seek help or assistance from the police, a public transport worker or another outside party on behalf of the victim/target.
Delay – This is when you wait for the situation to pass and you check in with the person who was targeted to make sure that they are okay. Even if you were unable to intervene at the time, checking in later makes a difference to the person who was harassed.
Believe and support people who speak up
Most of the time, the disincentives are so high for people speaking up that there’s zero incentive for them to lie about being assaulted or harassed. Operating from a default mode of believing people who speak up is a powerful change of frame. Choose to identify with survivors, rather than sympathizing with harassers and abusers.
Choose to believe that the person who is suffering in order to seek justice is telling the truth, as otherwise you’re choosing to accuse them of lying.
Advocate for codes of conduct
Incident response 101 says: have a playbook that covers the scenarios you already know about. We know that harassment and assault happens at conferences. Having a plan to handle the set of known issues helps you deal them should they arise, and to at least have a starting point should new kinds of issues appear. Communicating your plan publicly acts as a powerful social signal as to what behavior is not acceptable in your community. Anil Dash wrote a great post a while back titled “If your website’s full of assholes, it’s your fault” – in the same way, those who run conferences have the power to set social norms and expectations. Choosing to not set those norms means preferring abusers and predators over other attendees.
Probably at this point someone is going to pop up and say, “But what about Violet Blue’s talk at BSides SF? You are against rape prevention education!!1!11″ I want to finally call bullshit on this whole argument. I did my first training as a sex educator 12 years ago, and helped run the Sex Ed and Peer Counselling Centre at the largest university in Canada. I have given awkward demonstrations involving bananas. I have counselled survivors of sexual assault, and been there for friends who were escaping intimate partner violence. I know this stuff. I watched the recording of the talk Violet eventually gave at BSides LV, and it was Sex Ed 101, with a smattering of advice about safety (and a long rant about the Ada Initiative, an organization which I’ve supported since its inception with both volunteer labour as an advisor, and thousands of dollars of my own money).
Flared bases are not the most important part of our threat model here, people. I do not have 5-10 sad people per year tell me about their failure to use their toys correctly. I do have that many people telling me about their experiences getting roofied or stalked or worse – people from our community. People you care about. As a community, we need good education about rape culture, consent, and not being a bystander – but that hour-long “where is the clitoris” festival of the bad kind of awkwardness wasn’t it. And a good code of conduct that indicates clearly that sex-positive content is on-topic certainly won’t stand in the way of the talks our community does need.
We aren’t doomed to being the harassment and sexual assault capital of the tech world. We can make a difference. And it starts with each one of us standing up for what we think is right, in the moment when it happens.
 I’ve lost track of the sheer number of events, but there’s BlackHat, Defcon, BSides LV, and all of the associated off-conference parties that vendors throw, for starters.
 Some folks like to play semantics on “scene” vs. “community” vs. “professional field.” I think those semantics are a cop-out. You get to choose the kind of environment you want to be part of, whatever the word you choose to use for it is.
 Note: I have heard enough reports at this point of harassment from Defcon Goons themselves, or mishandling of issues reported to them, that I wouldn’t personally be inclined to reach out to them for help. Goons are volunteers and I have no idea what training they go through; I’ve only seen its effects. Use your judgement as to whether or not that would be a good idea. I myself would call hotel security or the cops rather than ask a Goon for help unless it happened to be one of the handful I trust.
Comment moderation note: Please keep the focus in the comments on moving forward: things that you want to do to make things better, questions about strategies in specific types of interactions, resources that you have found helpful in fighting sexism. I’m just going to delete any whining about BSidesSF, so don’t even bother. Trust me, I’ve heard enough about it in the last 18 months to last a lifetime, and you’re not going to make a new argument.
I was re-pinkifying my hair a few weeks ago and realized that there isn’t a very good guide out there for how to use the type of hair colour I prefer, so I’m writing myself some instructions and sharing them with the world for posterity. This thread on the Long Hair Community helped me figure a bunch of this stuff out, as Goldwell does not publicly document their products for amateur hair scientists like myself :)
What you need
Bowls you don’t care about staining, or which are stain resistant (I used Corelleware ones and they didn’t stain; your mileage may vary)
Cling wrap (get good quality stuff, the kind that sticks well to itself)
2-3 towels you don’t care about staining/bleaching
The following Goldwell Elumen products, which you can get on Amazon or eBay:
Colour(s) of your choice – there’s a list here as they have weird codenames
Clean (this removes the colour from any skin you get it on)
You may also want the Return product if you’re switching colours – it will lift some of the Elumen out of your hair without bleaching. I’ve not used it myself, and have heard mixed reviews of its effectiveness
Optional: whatever bleach stuff you need; see below for links to better stuff others have written about bleaching
The bleaching process
I’m not going to write up much about bleaching, because it’s not my area of expertise. Seriously, last time I bleached I just followed the instructions in a Splat colour kit. The bleach worked fine, but the colour didn’t hold very well… so read on for better colour tips.
Also, importantly – you can use Elumen on un-bleached hair, and it’ll give you either a cool tint / sheen of colour if your hair’s dark, or various different intensities of colour if your hair is lighter. And it’ll make your hair feel supah soft.
My friend Courtney has a cool guide to brightly coloured hair over on her blog which includes extensive bleaching instructions, but the main thing for me in the past has been to not over-do it. The Elumen pinks and oranges, in particular, are so intense that it’s ok if you have some brassiness left in your hair. I haven’t done blues or greens in a while but I suspect you might need to bleach more for those… but regardless, it’ll look fine. Don’t stress, and don’t burn your scalp.
The key to my lazy process is to set yourself up so that your hair can grow out a bit, fade a bit, and you can re-colour again without bleaching and make it look good even if you have roots showing – it looks like you did frosted tips on purpose rather than that you’re lazy and hate bleaching :D
The colour process
Elumen is a 3-step process. There’s a prep step (“Prepare), the colour itself, and then a fixative (“Lock”). Sounds like high school chemistry, right? The colouring goes like this:
Wash hair if you’re not coming from the bleaching process. Don’t use conditioner.
Wearing gloves, apply Prepare to dry-ish hair. Smush it around until your hair feels slick; it doesn’t need to be soaked.
While you’re letting it sit, put out the colour(s) you’re using in some bowls. For short hair, I used up about 4-5 tablespoons worth (60-75mL).
Towel dry. The Prepare stuff doesn’t seem to stain, but still use a towel you don’t care about.
Using a cheap hairbrush, fancy dyeing brush, or just your gloved hands, apply colour to your head. Be careful not to get too much on your skin or fling it around the room, this stuff does stain. Also don’t get it in your eyes.
If you want multiple colours, you can separate them out with bits of tinfoil; if you don’t do this they will kinda blend together, which is a cool effect too! I like blending, because I’m lazy.
Comedy time now: once you’ve got a fair amount of colour on your hair, you want to apply heat to speed up and intensify the effect of the colour. Here’s my lazy technique:
Wrap your head in clingwrap, coiling/pinning it up first if you’ve got long hair
Blast your head with a hairdryer a bit
Wrap your toasty clingwrapped head in a towel
Chill out and do something low key for about half an hour to an hour. Write a blog post, perhaps. Take care not to drip colour out from under your tenuous clingwrap/towel arrangement.
Rinse time! If you’ve got a sink you can do this in, go for that, otherwise just hop in the shower. The colour will stain grout, so be careful if your shower features that.
Apply the Lock to towel-dried hair and let it sit for a while, then rinse again. You’ll get some colour bleed for the next few times you wash your hair, but it’ll stop and your hair will be super bright for many weeks.
Use the “Clean” product to get the colour off your skin. It’ll be on the top of your ears, I promise.
And that’s it! Enjoy how amazing you look, and how you brighten up the day of everyone around you!