This past Saturday, I attended SummerCon in Brooklyn. Despite being “America’s longest running hacker con,” with less than 200 attendees it’s a tiny event, even for infosec standards. It’s this relaxed|elite|familial atmosphere on which the con prides itself, and it’s pretty much a blast. Unfortunately but not surprisingly, none of the dozen-ish presenters were women. I can’t fault the organizers for this as to my knowledge, no women responded to the CFP. Much has been written about encouraging women to get on stage and present technical content; I won’t rehash that debate here except to say that more than one woman I chatted with yesterday told me in effect, “Are you kidding? I wouldn’t present here. [The environment here makes it] not worth it.”
There was one woman on stage during a presentation, but she was there of her own accord to provide double entendres and eye candy for her boyfriend’s presentation. The only other female to grace the stage was a burlesque performer who carried out the speaker name placards and ran the free-drink raffle between talks. She and some of the other performers are friends with the conference organizers, but in this instance they were there working as paid entertainment.
It should be noted that I also perform burlesque in New York - proudly - though not at technical conferences. While I hadn’t met these specific ladies before, I know several of them by [positive] reputation and we have friends in common. I don’t consider burlesque to be inherently sexist, in fact often it is quite the opposite. My issue here is context, not content.
So by 10pm it was time for the show, which was advertised as an official conference event. Because of the lack of female presenters, the show would provide the only representation women would have onstage during the conference. Admission to the con got you admission to the show, which was held on the same stage as the talks, under the same sponsor signs. All the performers were conventionally attractive women. According to the advertisement, they are also New York’s “nerdiest” burlesque performers. As I did not stay for the show, I cannot speak to the technical content of their material. Kidding aside, I’d like to make the point that regardless of their intelligence or other pursuits, they were there to perform traditional stripteases, etc., not opine on cryptographic weaknesses.
Throughout the day I asked friends how they felt about the inclusion of a burlesque show at a tech con. I heard the same unanimous sentiment: More women present as attendees and speakers would be awesome. More women should be in the industry, period. More women should get STEM degrees, and lots of us have daughters and we are teaching them how to code! … But they’re not here now, so we might as well have a little fun. It’s always been like this. It’s like… a tradition. Larger conferences are “work” events, so it’s ok that their guidelines for behavior are more strict. This is a “fun” event, so a few naked ladies on stage are ok. I mean look around, there aren’t more than 8 women here anyway. How can women be affected by an event which they’re not even attending? Sure, there are corporate sponsors paying for everything and the speakers are all the same as at Black Hat, but it’s just different.
By the time the show was about to start, I decided to leave. I stopped having fun and started thinking about how I have three more cons in the next two months where I can probably relive this same experience. As I walked out, I ran into the con organizer. I told him I had to “boycott this burlesque thing,” and he threw up his hands and said, “Hey, you have a point.” With all the beer flowing by then, I don’t really think the exchange meant anything one way or the other.
This was not the most scandalous thing to ever happen at a conference, by a long shot. It’s not even the only example of an “official” burlesque show at a recent infosec conference (good job, LayerOne). It was not the most sexually charged event I’ve encountered in my five years of semi-regular con attendance, and my experiences are tame in comparison to those with more longevity than me. I simply did not want to be associated with something I found to be exclusionary, so I dipped.
Over the past decade it’s become generally understood that behavior and entertainment like what happened at SummerCon and LayerOne are likely to cause you negative public backlash. Objectifying women isn’t generally tolerated at corporate sponsored events. Hell, the grugq’s Barcon party last year at Black Hat didn’t even have sexy cocktail waitresses.
This was also not the most personally offensive experience I’ve had at a conference. In fact, I was not “offended” at all. Naked ladies don’t offend me. (Reminder: I perform a similar thing in a different setting.) However, putting sexy ladies on a pedestal to be stared at by a group of exclusively men creates an asymmetrical gender dynamic which is not appropriate for a quasi-industry, corporate sponsored event. The near universal refusal to recognize that ranks as the most frustrating sentiment I’ve personally heard come from the professional folks and community leaders I consider my friends. It’s been said that lawfulness is what you do when you think you may get caught, ethics are the choices you make when you know you won’t. I respect and adore many of you, and on this one you disappointed me. Saying “It could be worse” is not sufficient. We can do better.
The infosec community is pyramidal, with a broad base of consumers that supports a smaller group of leaders. Even within the more “elite” echelons of conference speakers, there is a core group that drives technical advancement, audiences, sponsor dollars, and attitudes. If more of these people committed to championing better standards – and there are some that vocally do – paradigms could change quickly.
The goal, to me, is simple: Make everyone feel welcome. Usually, people feel welcome when attention is not being drawn to their genitals. Bonus points for not exposing your presupposition about a person’s job, skill set, or reason for attendance within the first minute of meeting them.
To the organizers, look at the entertainment you are presenting. Imagine whether your audience would get the same enjoyment out of it if genders were reversed. In the case of SummerCon/LayerOne, do you think that an all-male burlesque revue would have been an equally great choice of entertainment? Or if 50% of the attendees were female, would they have had as much fun? If not, your choice makes infosec an all-male frathouse and is alienating to a portion of your audience.
From transparency initiatives, to personal commitments from speakers and organizers, to sponsor partnerships… a small amount of effort would make a huge amount of difference. I have some interesting ideas and am going to take some time to develop them and talk to the right people to make them awesome. In the meantime, here are some alternative ideas for entertainment that will keep people from ragequitting or boycotting conferences because of a sexist atmosphere:
This is five minutes worth of brainstorming. Better ideas? Leave them in the comments. :)