Infosec Community Debates Changing ‘Black Hat’ Terminology
A Google security researcher has chosen to withdraw from speaking at the Black Hat security conference this year and has asked the information security community to stop using the terms āblack hatā and āwhite hatā, as reported by ZDNet. David Kleidermacher, VP of Engineering at Google, said that the terms contribute to racial stereotyping.
āIāve decided to withdraw from speaking at Black Hat USA 2020,ā Kleidermacher wrote on Twitter. āBlack hat and white hat are terms that need to change. This has nothing to do with their original meaningā¦ These changes remove harmful associations, promote inclusion, and help us break down walls of unconscious bias.ā
Iāve decided to withdraw from speaking at Black Hat USA 2020. Iām deeply grateful for the offer to speak, and for the great work the conference has done over the years to protect users through transparency, education, and community building.
— David Kleidermacher (@DaveKSecure) July 3, 2020
Kleidermacher also referred to the need to update gendered terms like āman-in-the-middle,ā a type of cyber attack, to a gender-neutral term like āperson-in-the-middle.ā
Many in the infosec community pointed out that the terms āblack hatā and āwhite hatā did not originate from references to race, but rather to the tradition in Western movies in which the hero typically wears a white hat and the bad guy wears a black hat. But Kleidermacher anticipated this objection, writing that, āthe need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black=bad, white=good.ā
Although this latest debate was clearly inspired by recent Black Lives Matter campaigning and a broader conversation around racial justice in the U.S. and beyond, this discussion is not new. A similar discussion has been going on for decades over software terms like āmasterā and āslave,ā which are frequently used to describe dependencies in documentation. Programming language Python, for example, removed this terminology from its documentation in 2018.
However, unlike the master/slave example which was broadly agreed over time to be offensive, the black hat/white hat issue has been more contentious. Hackers concerned with racial justice worried on Twitter that there was a āhuge danger that we waste the moment shuffling words around instead of changing power systemsā and argued for āmore than a name changeā such as inviting more Black hackers to speak at events, funding scholarships for Black hackers, and paying to train more Black hackers.
It may be fine for white folks to cloak themselves in the imagery of black: black hats are enigma, sinister, counterculture, cool. But Black folks donāt need your help being associated with criminality. Itās not cool. For us. We donāt own that image. 10/x
— Brian Anderson (@btanderson72) July 4, 2020
Information security analyst Brian Anderson wrote a thread discussing the harm done by careless terminology. He concluded that changing naming conventions without addressing the larger issues affecting minority hackers, such as cost and the predominantly white lineup of speakers at events, was performative. āIām glad people are actively or thinking of giving up their coveted roles in Black Hat,ā he wrote. āThatās great. But. But. Who is being served by this action? Whatās the objective? Who benefits? How? Thatās the conversation we have to have.ā
Editors' Recommendations
Gloss