Defcon Survey: Hackers want more crypto, less NSA

Hackers are an interesting bunch and somewhat predictable, if I may be so bold as to generalize. Before Defcon this summer, I asked all the hackers I know to participate in a survey about their opinions on a variety of security industry-related topics, and I asked them to spread the word through social channels. It’s taken me a month, but I’ve finally tabulated the results. Many of the findings aren’t shocking, but the passion the respondents have for their work is, frankly, inspiring.

The first thing I learned is that hackers don’t like long surveys. Actually, few people do. Maybe I needed to offer a reward for completing it. Granted, the survey had 34 questions, most multiple choice with a number of them soliciting essay answers. A whopping 96% of the respondents who started the online survey finished it. So, I’d like to say a heartfelt “Thank You!” to those 53 people who took the time to answer all the questions.

And before I dive into the results, I should get the demographic data out of the way, because I’d probably see somewhat different responses from younger or less experienced hackers. The respondents’ ages ranged from a low of 27 years to a high of 68, with most in the 25-35 range and a median of 39. The average number of years of experience was 13.5. Titles were nearly evenly divided between researcher, IT professional, engineer/programmer and VP-level executive, and more than one-third work at a security provider. So this is a very savvy crowd. Now for the results…

‘Never-ending playground’

If I were to create a word cloud, “Encryption” would be 36-point font size, at least. It’s the most important thing hackers said they do to protect their data, along with using strong and diverse passwords — both eliciting 75% of the responses with multiple choices possible, followed by use of VPN and safe Web browsing tools. Encryption, specifically HTTPS by default, along with passwords, public awareness and computers running outdated versions of Windows are considered the most solvable security challenges.

As far as new technologies they are excited about, the top answer was… Encryption! But it has to be made easier to use before it will be more widely adopted, they said. Other technologies and trends they like: IPv6, DNSSEC, the maker/hacker movement, “virtualization to move exploitable systems away from the data,” self-diagnostic troubleshooting tools and “Steve Mann’s space glasses.”

And they’re not really too jaded, although they like to act like it. Asked how optimistic they are that the work they do is making a difference, 40% said they are “pretty satisfied,” with an average of 20% each responding “very optimistic,” “neutral” and “cynical.” And a couple of astute quotes: “Teachers make a difference. I just increase shareholder value,” and “All I can do is inform, but who listens?”

Asked what they like about their jobs, the top responses were “the challenge,” and “solving puzzles” or “solving problems,” although they are also fond of their hacker comrades, the fast pace of the industry and that it’s never boring. “It’s an ever changing field, like a never-ending playground :) and I think compared to most other industries it will still be as colorful in like 20 years from now,” one wrote.

They might like their jobs, but not everything is hunky dory either. Sixty-five percent said the industry has high levels of stress and burnout. Asked for their opinion on allegations of sexism and sexual harassment at Defcon, half said “it happens and is inexcusable,” 37.5% hadn’t seen it but are sure that it happens, and 6% each said “boys will be boys,” and “women get the same respect as men.” Clearly, there’s a gender gap at the show and even a female journalist who has attended Defcon for a dozen years stereotypes — I failed to ask respondents to this survey what gender they are. Next time, the options will be “male,” “female,” and “transgender,” to be all inclusive.

‘Do what sucks least’

Asked which disclosure practice they follow, 40% said “it depends,” 31% said “responsible,” 14% said “coordinated,” 10% said “none,” and 4% said “full.” As for their primary ethical principle, the answers, as you can imagine, were interesting: “Do what sucks least”; “target technology, not people”; and “principle of multiple discovery, that it is unlikely I am the only one to have found the bug, and unlikely to be the last to find it before it is patched.”

I was curious about their thoughts on the marketplaces for Zero-Day threats that have cropped up, with governments among the big buyers. Here’s what they had to say about that: “The intelligence community is now stockpiling them like Twinkies,” and “Today, exploits equate to either big sums of money (or) going public, which can lead to jail time… so our government has, in effect, destroyed full disclosure and built a secretive community that holds exploits much closer to the vest … It’s no longer an open, sharing community like it used to be.”

I asked about the concept of “hacking back,” which has moved from the realm of fantasy to probability in some security circles. More than half said “proceed with caution,” 40% said “wildly irresponsible,” and only 9% said “it’s my cyber Second Amendment right.”

Not surprisingly, there was a lot of anger directed at the U.S. government over the NSA surveillance that has come to light as a result of Edward Snowden’s leaks. Eighty-five percent feel the answer is to build technology solutions that counter surveillance, 66% favor working within the existing political system, and slightly fewer prefer online and offline activism. They were almost equally divided on whether there is a way for the average citizen to restore his/her privacy.

Meanwhile, they weren’t exactly fans of the Anonymous activist movement, either. Nearly 60% said they considered Anonymous “confused kids,” 33% said “criminals and miscreants,” and only 9% said “digital heroes,” with about 70% saying their views about the movement had not changed over the past few years.

Finally, another emotionally charged topic for the hackers is the suicide of hacker and activist Aaron Swartz, who faced charges under the Computer Fraud and Abuse Act. In general, many respondents said the tragedy shows the need for support for the community and for the Electronic Frontier Foundation, and reform of the CFAA. One respondent wrote: “This really hit home. If my childhood had gone slightly differently, I could have been Swartz.”

ADDENDUM: One of the respondents said it would be helpful to know exactly what the questions were to understand the context of the responses. While I was grabbing the questions from the survey to include here I figured out how to create charts, so they are included now as well.

  1. What are the most important things you do to protect your data? (Options: Encrypt the hard drive, Use VPN, Disable Bluetooth, Use safe Web browsing tools, Use strong and diverse passwords, Avoid social networks, Use encryption on mobile, Lock the mobile device)
  2. What in security keeps you up at night? Can it be resolved? How?
  3. What is the most solvable security challenge? Why haven’t we solved it yet?
  4. How has the industry changed in the last 10-15 years … or since you were a script kiddie? ;)
  5. What positive change(s) do you see in the industry? (None, Companies have more tools to secure their networks/data, People are more aware of what they need to do to secure data, HTTPS adoption)
  6. How optimistic are you that the work you do is making a difference? (Very optimistic, Pretty satisfied, Neutral, Somewhat discouraged, Cynical)
  7. We need more: (Breakers, Builders, or Fixers)
  8. What do you like most about working in security?
  9. Why did you get into security? (I’m a puzzle solver, I’m a defender/protector, Job security)
  10. Why do you stay in security?
  11. What new developments (technologies, businesses, etc.) are you most excited about?
  12. Which disclosure practice do you follow? (None, Full, Responsible, Coordinated, It depends)
  13. What is the primary ethical principle to which you hold for your research and disclosure processes? From whom do you seek guidance before you act?
  14. What would increase the adoption of encryption technologies like PGP and Perfect Forward Secrecy?
  15. Now that Zero Days get big bucks instead of just bragging rights, how has that changed the security landscape?
  16. What’s your take on the idea of “hacking back?” (It’s wildly irresponsible, Proceed with caution, It’s my cyber Second Amendment right)
  17. In light of wide-scale nation-state surveillance (e.g. PRISM) and the United Nations’ play for Internet governance, what can hackers do to keep the Internet free and open? Check all that apply (Build technology solutions, Online activism, Offline activism, Work within the existing political system (vote, lobby, etc.))
  18. What do you think about Defcon asking Feds to stay away? (Who needs them anyway?, Wait, isn’t Jeff Moss on a federal advisory board?, Now we will miss our chance to hold their feet to the fire)
  19. What is your opinion of Anonymous? (Criminals and miscreants, Confused kids, Digital heroes)
  20. Have your views on Anonymous changed over the last few years?
  21. Is there a way for the “Average Joe” to restore privacy?
  22. One of the talks on the Defcon schedule deals with suicide risk assessment and prevention tactics and there’s been talk on Twitter and elsewhere about burn out among security professionals. Which statement do you agree with? (The industry has high levels of stress and burn out, The levels of burn out are normal relative to other professions, They are just a bunch of whiners)
  23. What do you think about allegations of sexism and sexual harassment at the hacker conferences? (Women get the same respect as men, I haven’t seen anything improper but I’m sure it occurs, Harassment happens and it’s inexcusable, Boys will be boys)
  24. What has the death of Aaron Swartz meant to you? What should the hacker community take from this situation?
  25. What are your preferred sources of information on security? (blogs, podcasts, analysts, authors, speakers, conferences) Please specify.
  26. If you were “President of the Internet” and could make one executive order what would it be?
  27. Boxers or briefs… or Spanx? (Boxers, Briefs, Spanx, Commando)
  28. What’s your title? (C-level executive, Director/VP-level executive, IT professional, Researcher, Engineer/programmer)
  29. Where do you work? (Security provider, University, Government agency, Large non-security company, Small non-security company, Non-profit, Self-employed, Student)
  30. Age?
  31. Number of years working in security?
  32. What question(s) should we have asked?
  33. Any other comments on security, the state of the Internet, or any other topic you find compelling?
  34. If you would like us to send you the results of the survey please provide your email address. It will not be shared with anyone or used for any other purpose. Thank you for your help!
