Infosec community debates changing ‘Black Hat’ terminology

A Google security researcher has chosen to withdraw from speaking at the Black Hat security conference this year and has asked the information security community to stop using the terms “black hat” and “white hat”, as reported by ZDNet. David Kleidermacher, VP of Engineering at Google, said that the terms contribute to racial stereotyping.

“I’ve decided to withdraw from speaking at Black Hat USA 2020,” Kleidermacher wrote on Twitter. “Black hat and white hat are terms that need to change. This has nothing to do with their original meaning… These changes remove harmful associations, promote inclusion, and help us break down walls of unconscious bias.”

Kleidermacher also referred to the need to update gendered terms like “man-in-the-middle,” a type of cyber attack, to a gender-neutral term like “person-in-the-middle.”

Many in the infosec community pointed out that the terms “black hat” and “white hat” did not originate from references to race, but rather to the tradition in Western movies in which the hero typically wears a white hat and the bad guy wears a black hat. But Kleidermacher anticipated this objection, writing that, “the need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black=bad, white=good.”

Although this latest debate was clearly inspired by recent Black Lives Matter campaigning and a broader conversation around racial justice in the U.S. and beyond, this discussion is not new. A similar discussion has been going on for decades over software terms like “master” and “slave,” which are frequently used to describe dependencies in documentation. Programming language Python, for example, removed this terminology from its documentation in 2018.

However, unlike the master/slave example which was broadly agreed over time to be offensive, the black hat/white hat issue has been more contentious. Hackers concerned with racial justice worried on Twitter that there was a “huge danger that we waste the moment shuffling words around instead of changing power systems” and argued for “more than a name change” such as inviting more Black hackers to speak at events, funding scholarships for Black hackers, and paying to train more Black hackers.

Information security analyst Brian Anderson wrote a thread discussing the harm done by careless terminology. He concluded that changing naming conventions without addressing the larger issues affecting minority hackers, such as cost and the predominantly white lineup of speakers at events, was performative. “I’m glad people are actively or thinking of giving up their coveted roles in Black Hat,” he wrote. “That’s great. But. But. Who is being served by this action? What’s the objective? Who benefits? How? That’s the conversation we have to have.”

Editors' Recommendations