Security and Safety

There’s something on my mind that’s been going on for a while. Well, another something going on in my mind.
And it’s about security and/or safety and how those concepts are used today. Or how they’ve been twisted. So, let’s start with what I mean by those terms. They’re often used as synonyms for each other, but I keep thinking that they’re not meant to be.

Security, as I see it – at least in the uncountable use – is a concept related to peace of mind (even the Latin form securitas is about peace of mind). It means it’s something you do not have to pay attention to because it cannot hurt you. I think it’s linked to avoiding accidents and incidents, to putting the potential cause of an accident away. That’s the reason we have more and more automated features in cars, like ABS or ESC, which try to manage traction for you so that you do not have to care about traction loss (and control loss). They’re meant to avoid accidents. Or to significantly reduce your exposure to the risk of an accident. Those are called securities for a reason: they make you able to feel secure while you drive half a ton of metal and plastic at high speed alongside other people doing the same thing, while hoping no one will fail to avoid colliding with each other.
Peace of mind requires reducing or negating the perceived risks to work. You must have been aware that you were exposed to a risk, and then be aware of something which allows you to think that the perceived risk has been acted upon and that you’re now able to stop being worried about it. Feeling secure is something deeply rooted in most animals; it means having certainty about the fact that you can eat, drink, and not be killed by something while you’re asleep. It means taking steps to ensure that you’ll have that tomorrow, and the day after that, and the day after that, until your death.
Security is being addressed in our communities by laws and regulations. Whether they’re explicit or implicit doesn’t really matter. They’re made to ensure that, at the end of the day, all members of the community can stop thinking about the daily threats they’re facing. Security implies rules whose purpose is to control behaviors that the community perceives as an existential risk; it also implies active measures to protect oneself from them, which leads to either individuals arming themselves to defend themselves, or giving this power to a group of people devoted to maintaining security and controlling behavior. And this group of people must display that the rules are enforced, because if they’re not, then they’re not devices for peace of mind. To elaborate more on this, there’s a whole segment of philosophy dedicated to it (Foucault’s “Surveiller et punir” being one of them, but 1984 by Orwell or Best of Worlds by Huxley do address this).

Safety is, on the other hand, everything that exists to reduce the harm done. It’s the plan B, it’s what happens when shit finally hits the fan. To stay on the car analogy, safety is safety belts and airbags. They exist only because there’s a risk of accident that has not been nullified by security measures (laws and regulations). And that is why self-driving cars are such a hard problem to solve, because you can’t have a null risk probability.
Safety is what allows Security measures to fail without doing much harm to everyone. Safety measures are not really peace of mind systems, because they only exist because you’re exposed to a risk. When you put a helmet on before riding through whatever traffic with your bike, you become aware of the risks you take, and you try to reduce the harm you’ll suffer when you’ll eventually be thrown on the ground in the middle of a street because someone didn’t look before opening their car door. Safety is knowing that if someone enters your house while you’re in it, you’ll have a place and space to recover and people to provide you with what you’re missing.
Safety is not about control of behavior, it is about caring for others. It is not peace of mind but it is acknowledging that you cannot achieve perfect security, and that you need to accept some harm. It is about recovering, learning, growing up.

Why do I talk about this? Because I hear a lot about (cyber)security, and not about (cyber)safety. Security being about perceived risk, and applying behavior control in a way that will be perceived as a reduction of this risk, leads to the current regime of mass-surveillance we live under.
I’ve read a Story about Jessica a while back. And I think it addresses the fact that we do not have (cyber)safety, that the infosec community has no clue about safety and what it means. The security-focused industry means more surveillance (logging) and behavior control (don’t click on links, upgrade, choose a stronger password, don’t publish your key, and many of the dos and don’ts prevalent in the infosec community).
In computer science, the safety of the software an entity has to manage is, however, quite prominent. You’ll have backups of the data, backups of the infrastructure, disaster recovery plans, etc. But this is only about the safety of the software. It is not about the safety of users or the people who maintain it. If you cannot achieve software security for your company, you’ll probably end up fired at some point. All the on-call procedures are just means of maintaining software in a safe state (alive and running, or at least partly running after a crash).
However, users of the software are not protected by those technical safety solutions. What will happen when users’ data is leaked? What steps are you taking to reduce the harm being done to them? You must be able to answer this question. It could be providing legal counseling, or collaborating with law enforcement (not that I’m a big fan of cops). It could be being proactive and warning them as soon as you find out something bad happened to their data, and trying to provide them assistance in recovering access to your software, for instance.

Holistic security goes deeper into control. It is based on the fact that achieving full security requires you to have a specific mindset, and that you must take care of yourself in order to achieve security. I find it interesting to link way of life to exposure to perceived risks. If you sleep well, you’ll be better at security. Too bad you suffer from depression and insomnia, meaning your last good night’s sleep was ten days ago, and it was drug induced. Holistic security tends to be, from my point of view, ableist. If you’re not emotionally, physically and socially fit, you can’t hope for security. You cannot get your mind off all the stuff that’s keeping you from achieving security. It is, in the long run, blaming the victim. You didn’t take care of yourself, ergo your security has been breached.
I’m not saying that we must get rid of security. It is important to reduce risk exposure. But it has a cost: surveillance and behavior control. I’m saying that we must focus more on safety, on what happens when the cops get you during a protest with your unlocked phone (or they unlock it using your face). What harm will you be facing when someone is blackmailing you over the nudes you got in your Direct Messages – or stored on your computer?
This is the question asked in the story about Jessica. And I didn’t find a lot of answers since this was published. Facebook tries to help with revenge porn, and there’s a lot of things being done here (go have a look at what BADASS is doing, for instance). And this is an issue where technology can’t save you (it is, again, something that provides surveillance and behavior control). Safety means there’s something to take care of people and to help them to recover. It means caring about people (not software, they’re just maths, they can’t be in pain), it means trying to make everyone’s life better (and not easier). For instance, Codes of Conduct are security measures. And they’re important because they allow people coming to your community to know that they’re not at risk. Until you do not enforce your own Code of Conduct, for instance.
Having a post-harassment process to help the victims, and the harasser (yes, I mean that), to understand what happened, to document it, and to provide support for the victim is safety. That is what safe spaces should be about. Not a space where you won’t be hurt, but a space where, when it happens, you’re allowed to take less harm than if you were alone. It is also a space where you’ll be told something you’ve done did hurt someone – not that you broke a rule. It is a space where people will address your behavior and help you to stop it, not by expelling you, but by a process. It can mean that, for some time, you cannot come to certain places. It depends on how your community provides safety.

Safety is feeling welcome, feeling belonging to something, knowing that you can make mistakes, own them, and grow out of them. It is not something you can code in your software and, in fact, a lot of the time, your software works against safety.
If your data collection algorithm can be used by cops to identify perpetrators of a crime, it can also allow anti-gay bigots to identify gay people in their surroundings. It can be used by an abusive husband to identify where the woman he lived with has fled. It can be used by adults to expose teenagers sexting each other. It can be used to locate where a camgirl lives to stalk her.

And what are the perceived risks your collection of data is protecting users against? You have to wonder if people can conduct drug traffic or do sex work using your software, and if, by using your data collecting software, they put themselves at risk if you cooperate with cops. Security, in this case, would be to not use your data collecting software. If you value the possibility for the law enforcement community to identify sex workers more than you value their safety, it means that you’ve got a political motivation for keeping several years of activity logs.

Keeping data about people is collaborating with cops, harassers and stalkers. It is not about the safety of your users, it is about security and control. If you want to do cyberSafety, then it must be impossible for cops to identify anyone with the data you got. It means that you must not be able to formally identify your users. It also means that you must not do ad tracking. It means that the well-being of your users is important for you, whatever they do in their life, whoever they are.
Stop logging, start caring.

Misogyny and the hackers scene

Why this?

For some time now, I have read and heard a lot on the sexual identity topic and, in particular, related to the hacker’s scene. A lot of people wrote things like this [FR] on one hand, and I hear a lot of bad stuff happening to people related to their sexual identity (sexual identity based discrimination, sexual harassment/aggression, false accusation of rape, true accusation of rape, and so on).

It makes me at least uncomfortable, and in some cases, it makes me angry because I always saw the hackers community (whatever it means) as a collection of social experiments and as an attempt to build a different world, call me idealist if you want.

Oh, and if you think that, because of my sexual identity not being female, I cannot talk about it, well shut up and read.

And yes, this is a rewrite of my initial post, because my ideas are too chaotic to make a good post at the first time.

The use of sexual identity

The only uses of sexual identity I can find, i.e. situations where the sexual identity is necessary information, are all related to sex. The only occasions when you need to know if someone is a girl, is when you’re attracted to girls and want to get laid (or to have a romantic story, kinky sex, whatever, not really my point).

It then means that, if you use part of your signal to deliver me this information, you’re expecting me to take it into account, in the specific case of sexual identity, it means that you want me to consider you as sexually available.

In the beginning there were the cyberspaces

In the cyberspace, nobody knows that you’re a dog

The cyberspace is a space of pure information, your identity is the amount of data you emitted and, as the internets were mainly based on text in the early days, nobody could know what you looked like. You could be a boy pretending to be a girl who thought she was a cat.

It’s still true in most of the cyberspaces where you do not have to choose a sexual identity or use meatspace data to define yourself.

So, in the cyberspaces, you can perfectly live without knowing the sexual identity of anyone you’re talking to, unless you want sex, in this case you have to publish your sexual identity online.

Wait, cyberspaceS?

Yes, there are different cyberspaces. There are social ones, where people hang out just to be with people, try to mate, set up a social event or just act weird in a group which shares a lot of self-referenced nonsense humor that nobody can get if they’re not part of the group.

And there are spaces where people share technical details, try to find some solution to a problem they have, where a lot of stuff is done. Those are the cyberspaces where hackers do things.

There are also cyberspaces reserved to bots, or to tentikles monsters. There’s a lot of dirty back alleys too, but that’s how cyberspaces are.

Girls don’t code

As well as boys. Girl and boy (and queer or else) are sexual identities. Sexual identities have sex not code. I’m totally aware that a sexual identity is a big part of a self, but it’s not the part that will code.

The part that codes is the hacker part of self. It is unrelated to the gender, sexual identity or orientation of the person. When a person comes online and they say: ‘Hey, I’m a girl, I want to learn python’, they will be answered by ‘Girls don’t code’ (at best).

So, is it a ‘don’t ask, don’t tell’ policy? Well, yes and no. In a technical context, in the case you wanna learn things, your sexual identity is irrelevant. It’s of no use. If you use it to obtain help, it means that you think the fact that you’re different will make people answer favorably to you because of this difference. You use your sexual identity to obtain what you want? Do not complain because people see you as a pair of boobs then.

We’re defined by what we’re doing

Another big topic among the hackers’ communities is the doocracy. We are interacting with each other depending on what those people are doing, or thinking, not depending on appearance.

Our wealth is based on our knowledge and skills, and we try to share them a lot, not on things you can buy. Most of the physical discriminations someone has to deal with in the meatspace just do not exist on the cyberspaces as long as you’re not using it to define your identity.

In the cyberspaces we have a unique opportunity to ignore all the discriminations based on nationality, gender, sexual identity and orientation, colour or handicap. Each time someone is defining themselves on physical criteria, they require a lot of work from everyone not to injure them. For the ones who care about not injuring people, at least.

We’re not online for social reasons. Most of us are online because it’s an easy way to share technical points of view with someone on the other side of the earth. If we wanted to get laid, we would be in other cyberspaces, but it’s not our goal. When a girl comes here telling ‘Hey, look I’m a girl’, we mostly see ‘hey, look: boobs’ because that’s how she wanted to be considered (else she wouldn’t have told us she’s a girl).

Here be trolls.

About the ‘jokes’ online, and the sexist memes that emerge from the cyberspaces. Most of them come from /b/ and there’s a rule for that. The number 1 rule of the internet. Don’t talk about /b/. Also, you’re not forced to go there.

And those memes are not the problem. Humor can and will offend people, especially humor based on the identity of someone. And yes, I can perfectly understand the fact that some jokes are not funny for everyone and will offend people.

A lot of topics can offend people. I could, for instance, be offended by the fact you see me only as a boy who can’t get laid, or the too smart with big glasses one, or the regular weirdo of the group, or the IT guy that will fix all the torture your electronic stuff endures by just living with you. And you could be offended because I just see you as a pair of boobs because you told me you’re a girl.

But I do not see a reason to censor a speech. Even a heinous one. And I think that everyone should have a way to express their opinion without getting bashed for that. And last, you should not feed the troll because that’s how trolls live.

Yes, there are sexist trolls, there are also racist ones, antisemitic ones or BSDist ones (the worst kind if you want my opinion). It is the worst part of the cyberspace, it’s the part nobody is proud of, but it’s a necessary part. As soon as this part disappears, it will mean that we’ve undergone some serious self-censorship for a so-called greater good. You want to fight in the troll area, so be it, be warned you will get hurt.

But we’re made of meat

And this is the problem. Your body carries a lot of information. When I’ll see you, before knowing your name, I’ll know your gender, your size, your skin color, your weight, your attractiveness and so on.

All that information we’re not using in most of our interactions (because I spend more time talking to people in the cyberspaces than talking to people in the meatspace) is mandatory, a bit like on Facebook. And you cannot fake it, unlike on Facebook.

The other problem of the meatspace is that it does not provide a filter, an ignore functionality, or a quit button. You’re forced to interact with people, and not replying to someone is considered rude. So, rules differ a lot and we sometimes tend to forget that.

When we meet people we already know from a cyberspace, it can become extremely awkward, but most of the time we are able to cope with it. And, due to pseudonyms, we can even meet in the meatspace without making the link to the pseudonym (and it happens a lot). So, problems occur mainly with people we do not know yet.

Outsiders running away scared to death because they have been hurt is a bad thing. It’s either because the outsiders just panicked because they didn’t understand what the issues and the social rules were, or because the insiders were mean and forgot they can’t be ignored.

Is there an RFC for that?

I think we are aware of this situation. And it’s not that easy to fix things, especially when both sides do not share the same set of rules. Feminists tend to define themselves as girls while we define ourselves as hackers. It’s kind of to be expected since their fight is the equality of people whatever their sexual identities are, while ours is the gathering and sharing of all the knowledge needed to understand the world.

As soon as there’s a difference, there’s discrimination. Girls complain about us being sexists, they should see how we deal with the ones that are on Windows. The main problem is probably that a lot of us do not care about these issues. It’s not a problem, it’s how it works in a doocracy. Not everyone is thinking of a way to get rid of the root in DNS, or to find a new dynamic meshing protocol; the people interested in those issues are working on them, and when they reach an achievement, they will do a nice talk at a conference or publish their work silently somewhere.

The sexist problem is just another topic. There’s a lot of people thinking about it and it begins to reach some visibility. We are aware of the concern and we are aware that this is not solvable by an RFC.

Problems officer?

We are a bit rough around the edges. And so we can get rude without necessarily noticing it. It’s more related to a latent misanthropy than a latent misogyny. When we are in hackerspaces, we’re not here mainly for the social call, so people coming and saying ‘Hey, hello, I’m Luke’ and nothing more are annoying.

Another thing I do not like is positive discrimination. I won’t make a special effort to be kind to girls specifically. I try to be equal with everyone (and yes, it means being an asshole with everyone).

I think there’s also a small proportion of us that are socially inept. They do not get, or do not want to get, the social conventions. I still think they are not the biggest part of us, but they are the part that suits the cliché everyone has about hackers. Remove the cliché from the balance, and you’ll see there are a lot of interesting people that will talk to you about a lot of different topics.

But you have to admit that, even in social conventions considered as normal by most people, invading the information space of someone with topics that do not interest them is rude. This is perfectly OK for me. You’re not interested in the crafting of a quadcopter, tell me, I’ll stop bothering you with that. If you come at me and talk about subjects that do not interest me, I’ll tell you, you just have to deal with it, it’s not because I do not like what you are, it’s just because the topics you want to discuss are of no interest to me.

And then it gets physical

This is the problem. We are far from perfect. Some of us tend to consider themselves as heroes and world saviors. Some of us are real sociopaths who do not mind crushing people as long as they have what they want. But those people are everywhere, not only in our places.

When it gets physical, when someone is trying to crush a person, by harassment, by bullying or by explicit sexual assault, we must intervene. I think the way the hackers’ chaotic world works grants us the possibility to try to fix that.

I have no idea for that. But I think that not trying to get the rules of the social games you want to play is a problem we can’t fix. You want to interact with hackers? Be one. Then if you still have problems, speak about them publicly, document the cases, find a way to work around the issue, be in charge of it. We can’t provide solutions since we are the problems it seems.

This post can be seen as excuses by some. Well, I try to understand how those things work and I’m mostly lucky, I’ve undergone few discriminations those last ten years (and the few I got were mainly because I act like a weirdo on purpose) and I may not be legitimate.

Off topic

I did not speak about the porn, or the fact that few girls are going into tech school, because they are excuses and symptoms, not causes. I did not use the my-childhood-was-a-hell-so-let’s-avenge-ourselves excuse either, because you can then justify everything. I tried to explain how I see the problem from my side, to understand what the root causes are.

I still think it’s a peripheral problem (not a small one), but focusing it on the sexual identity problem is, in my mind, wrong. We should not discriminate. Period.

Some patching has been made due to mathieui, thanks for that. This is the second rewrite of this post, and some people (ping quota_atypique and Intruse) shared their insight about it. That was helpful, thanks for that.