Security and hacking conferences provide platforms for cutting edge research into computer vulnerabilities, exploitable systems, and new defensive measures. These often vast events also let researchers and hackers rub shoulders with their friends and peers, network, and blow off steam.
But a lingering problem remains for some women at a number of conferences: harassment and prejudice.
In a recent example, women were targeted at an after-party of internet and human rights conference Rightscon, which took place between March 30 and April 1 in San Francisco.
"There were incidents of sexual harassment at last night's CloudFlare party," tweeted RightsCon, adding that the conference has a zero tolerance policy for this sort of behavior.
Matthew Prince, CEO of cybersecurity company CloudFlare, added in a tweet on March 31, "Not just us. Pervasive at tech industry events. Men who perpetuate it need to be called on it."
But harassment at conferences doesn't always make it into the tweets of a high-profile CEO. Motherboard spoke to several established women in the information security and digital rights sectors about their own experiences of harassment, and other incidents they knew about. Many of them spoke to Motherboard on the condition of anonymity, either because they weren't authorized by their employers to talk about such issues publicly, or because they did not want to face further harassment. Some also asked not to name the specific conferences, where this would likely identify them.
"More times than I can count, strangers have totally dismissed me as an infosec professional's girlfriend"
Ass grabbing, verbal insults, and being inappropriately hit-on all came up. One common complaint was the suggestion that women were just there to help out men, who were, people assumed, the actual security researcher giving a talk.
"I was setting up my laptop to speak at an event, and a man walked up to me and remarked that it was sweet of me to set up my boyfriend's laptop for his talk," said security researcher Jessy Irwin.
Another woman in the industry described something similar: "More times than I can count, strangers have totally dismissed me as an infosec professional's girlfriend."
"I've had enough crappy experiences at security conferences that I no longer attend them alone," said Leigh Honeywell, a security engineer. "I'm lucky to have a solid network of friends in the field, but it makes me sad for women who don't have an established network."
It's hard to know how many women have come across this sort of thing, because it's likely many incidents go unreported, and conferences don't always have a good mechanism in place for handling complaints of this nature.
"I think that it is a small percentage, but it's also very difficult to measure because frequently there is no place to report it to, and people have different ideas about what qualifies as harassment," Eva Galperin, global policy analyst at the Electronic Frontier Foundation, told Motherboard in a phone call. "We can't really know."
"You think you're going to a professional conference and instead you get hit on by six guys in the lobby of a hotel"
Harassment doesn't just have an immediate effect. Several people said it was a real possibility that women, in particular those new to the industry, could be discouraged from attending conferences or continuing to work in their industry because of bad experiences.
"If women don't feel safe in the areas where their profession grows and learns and shares intelligence, they are left behind. This is a huge problem in terms of professional advancement, and it sucks," said Irwin.
"Since networking, training, and name recognition in information security are crucial, avoiding conferences can be career-damaging," said another female infosec professional.
Of course, conferences can be very different from one another. For example, Black Hat and RSA are more corporate affairs than the grassroots Defcon and Chaos Computer Congress. One is not necessarily better than the other in terms of gender issues, but they can offer different challenges.
"Not all hacker conferences are created equal," Galperin said. "There are people who go to these conferences with the expectation that this is serious business, where you go to present your research and rub shoulders with the people in the industry who can get you a job."
"And then there are people who are there to party and drink," she continued. "Sometimes these are even the same people. Both Black Hat and Defcon are located in Las Vegas, which is all about encouraging you to drink as much as possible and not take responsibility for your actions … You think you're going to a professional conference and instead you get hit on by six guys in the lobby of a hotel."
Most conferences contacted by Motherboard did not respond. Steve Wylie, general manager for hacking conference Black Hat, said in an emailed statement that, "The sexual objectification and harassment of women (or anyone) at our conferences will not be tolerated."
Positive changes have been made at certain conferences, especially after raised awareness from members of the wider community. After the 2014 RSA conference, Chenxi Wang, chief strategy officer at Twistlock, co-authored a blogpost calling for an end to booth babes—scantily-clad women used by security companies in an attempt to lure in customers. The following year, booth babes were banned from RSA.
"We were at least an influence," Wang told Motherboard in a phone call.
"We're in a norm building phase when it comes to addressing sexual harassment and other forms of abuse at conferences, and so it comes down on everybody who is involved in organizing them to be out in front on that," Josh Levy, advocacy director at Access Now, which organizes Rightscon, told Motherboard in a phone call.
Changes that can be made include reliable ways for women to report incidents, and an effective form of enforcement.
"In my experience, the organizers of a con make a huge difference. If they make it clear they have zero tolerance for harassment or assault, and enforce this policy from the start, it's a big help," said one woman from the infosec industry.
But beyond codes of conduct, it'll take more fundamental changes for harassment of women to really dissipate from hacking and security conferences.
"I think what broadly needs to change is really the culture of the industry," Wang said. "The security industry has a little bit of a problem where it's not only male dominated, but it's dominated by a particular kind of personality."
Bug bounty and vulnerability disclosure consultant Katie Moussouris offered an additional solution: "Promote women's work, not their gender, and more women will view security as a career path that recognizes and rewards their hard work."
Silicon Divide is a series about gender inequality in tech and science. Follow along here.