4 Problems with Krypt3ia’s Krampus List

I like Scot “Krypt3ia” Terban. The security researcher has a crotchety communication method I enjoy, and I read his posts a lot. I especially enjoy when he goes after security vendors for FUD (fear, uncertainty and doubt).

So when he released his annual Krampus List — a naughty list for the security community — I read it and laughed a lot.

But as I read through it, I found some of it mean-spirited. By the end I found myself in a familiar quandary: How could I laugh and be disgusted at the same time? My brain has always been a mass of contradictions, and this is just another example.

There’s a razor-thin line between good-natured jabs and outright venom. From my perspective, picking on Boris Sverdlick because he “took his third job in two years and moved his family across the country for the third time” was a good-natured ribbing. He has switched jobs a lot and there’s nothing wrong with that. You gotta go where your heart takes you. But when his adventures are chronicled on Facebook, his friends — myself included — like to pick on him, as good friends often do. He gives as good as he gets.

Picking on Kelly Lum (@aloria) for narcissistic drama and a lack of contributing to the community? That was pretty shitty. Sure, her posts can be dramatic, but the same can be said about most of us. Hell, my posts have been all about family deaths and unfinished family business all year. I’m sure some of you don’t like it, but that’s what has been on my mind and you’re welcome to unfriend me any time. Kelly has been open and honest about dealing with mental illness. She’s done her day job well despite all that and has set a good example for the rest of us. Whine all you want about her not contributing to the community. In my book, the example she sets is a big contribution.

But there are bigger problems with Scot’s list:

  • It’s made up of anonymous submissions. It’s easy to rip on someone when nobody knows who you are: You don’t have to back your comments up. You don’t have to worry about being attacked in kind. That’s awfully convenient — and cowardly.
  • People who make the comments almost certainly spread their own drama. The worst hypocrisy is the kind where the hypocrite doesn’t show their face.
  • People love to bitch about “a lack of contribution” to the security community. I find that odd, because if you’re doing your job well, you are contributing to the community.
  • Terban endorses all the comments. Though it’s made up of anonymous submissions, Terban collects them and distributes them, essentially endorsing the mudslinging. When a lot of people are criticized for talking shit and spreading drama, Terban is spraying bullets inside a glass house.

Infosec is hard. The people it attracts can be difficult to work with, myself included. Since we’re connected to each other by Facebook and Twitter, we’re exposed to each other’s personal drama. None of us are perfect. We all have different ways of contributing to the community, and what’s useless to one person is valuable to another.

Laugh all you like at the Krampus List. But if you don’t see some of yourself in there, you might be part of the problem.

Stripping the Drama from DEF CON

People in my industry love the word drama. The word is tossed out like Tootsie Rolls at a holiday parade. In my opinion, the word is used a bit too much, especially in the month or two before the DEF CON hacker conference in Las Vegas.

Each year, someone suggests there’s sexism at the conference, and someone responds by yelling “Drama!” Each year, someone complains about an overabundance of drunken debauchery and someone else cries “Drama!” This year, I saw the word floating around because some spouses have a group called H(a)ck3rWives, designed to help “spouses, kids, parents, supporters in general everywhere decode their hackers and come together.” In this case, the drama appears to be that some spouses feel a support network is needed in the first place.

Personally, I don’t see these things as drama.

If some people want to network and their common bond is that their loved ones are away at hacker conferences all the time, good for them. If it helps, more power to them. If someone sees sexism or drunken disturbances and wants them dealt with, have at it.

Most people can handle their booze at these events, and most treat the opposite sex with the appropriate respect. But there are usually one or three who cause trouble. In those cases, it’s reasonable if people complain and demand action.

Good people can and certainly will disagree with me on those points. That’s not drama, either. It’s part of a healthy discussion.

To be fair, ours is a community with many colorful personalities. When strong personalities debate and disagree, it’s easy to see the situation as dramatic, even if the issues they discuss aren’t dramatic in the true sense of the word.

I’m looking forward to DEF CON next month. I’ll network, spread the good word for my company, blog and podcast about the talks and hopefully walk away smarter than when I arrived.

Those aren’t dramatic things, but they’ll do just fine.
