Defcon Survey: Hackers want more crypto, less NSA

Hackers are an interesting bunch and somewhat predictable, if I may be so bold as to generalize. Before Defcon this summer, I asked all the hackers I know to participate in a survey about their opinions on a variety of security industry-related topics, and I asked them to spread the word through social channels. It’s taken me a month, but I’ve finally tabulated the results. Many of the findings aren’t shocking, but the passion the respondents have for their work is, frankly, inspiring.

The first thing I learned is that hackers don’t like long surveys. Actually, few people do. Maybe I needed to offer a reward for completing it. Granted, the survey had 34 questions, most multiple choice with a number of them soliciting essay answers. A whopping 96% of the respondents who started the online survey finished it. So, I’d like to say a heartfelt “Thank You!” to those 53 people who took the time to answer all the questions.

And before I dive into the results, I should probably get the demographic data out of the way first because I’d probably be seeing somewhat different responses from younger or less experienced hackers. The respondents’ ages ranged from a low of 27 years to a high of 68, with most in the 25-35 range and a median of 39. The average number of years of experience was 13.5, nearly evenly divided between researcher, IT professional, engineer/programmer and VP-level executive, and more than one-third work at a security provider. So this is a very savvy crowd. Now for the results…

‘Never-ending playground’

If I were to create a word cloud, “Encryption” would be 36-point font size, at least. It’s the most important thing hackers said they do to protect their data, along with using strong and diverse passwords — both eliciting 75% of the responses with multiple choices possible, followed by use of VPN and safe Web browsing tools. Encryption, specifically HTTPS by default, along with passwords, public awareness and computers running outdated versions of Windows are considered the most solvable security challenges.

As far as new technologies they are excited about — the top answer was… Encryption! But it’s got to be made easier to use in order for it to be more widely adopted, they said. Other technologies and trends they like: IPv6, DNSSEC, the maker/hacker movement, “virtualization to move exploitable systems away from the data,” self-diagnostic troubleshooting tools and “Steve Mann’s space glasses.”

And they’re not really too jaded, although they like to act like it. Asked how optimistic they are that the work they do is making a difference, 40% said they are “pretty satisfied,” with roughly 20% each responding “very optimistic,” “neutral” and “cynical.” And a couple of astute quotes: “Teachers make a difference. I just increase shareholder value,” and “All I can do is inform, but who listens?”

Asked what they like about their jobs, the top responses were “the challenge,” and “solving puzzles” or “solving problems,” although they are also fond of their hacker comrades, the fast pace of the industry and that it’s never boring. “It’s an ever changing field, like a never-ending playground :) and I think compared to most other industries it will still be as colorful in like 20 years from now,” one wrote.

They might like their jobs, but not everything is hunky dory either. Sixty-five percent said the industry has high levels of stress and burnout. Asked for their opinion on allegations of sexism and sexual harassment at Defcon, half said “it happens and is inexcusable,” 37.5% hadn’t seen it but are sure that it happens, and 6% each said “boys will be boys,” and “women get the same respect as men.” Clearly, there’s a gender gap at the show, and even a female journalist who has attended Defcon for a dozen years can fall into stereotyping: I failed to ask respondents to this survey what gender they are. Next time, the options will be “male,” “female,” and “transgender,” to be all inclusive.

‘Do what sucks least’

Asked which disclosure practice they follow, 40% said “it depends,” 31% said “responsible,” 14% said “coordinated,” 10% said “none,” and 4% said “full.” As for their primary ethical principle, the answers, as you can imagine, were interesting: “Do what sucks least;” “target technology, not people;” and “principle of multiple discovery, that it is unlikely I am the only one to have found the bug, and unlikely to be the last to find it before it is patched.”

I was curious about their thoughts on the marketplaces for Zero-Day threats that have cropped up and governments being among the big buyers. Here’s what they had to say about that: “The intelligence community is now stockpiling them like Twinkies.” “Today, exploits equate to either big sums of money (or) going public, which can lead to jail time… so our government has, in effect, destroyed full disclosure and built a secretive community that holds exploits much closer to the vest … It’s no longer an open, sharing community like it used to be.”

I asked about the concept of “hacking back,” which has moved from the realm of fantasy to probability in some security circles. More than half said “proceed with caution,” 40% said “wildly irresponsible,” and only 9% said “it’s my cyber Second Amendment right.”

Not surprisingly, there was a lot of anger directed at the U.S. government over the NSA surveillance that has come to light as a result of Edward Snowden’s leaks. Eighty-five percent feel the answer is to build technology solutions that counter surveillance, 66% favor working within the existing political system, and slightly fewer prefer online and offline activism. They were almost equally divided on whether there is a way for the average citizen to restore his/her privacy.

Meanwhile, they weren’t exactly fans of the Anonymous activist movement, either. Nearly 60% said they considered Anonymous “confused kids,” 33% said “criminals and miscreants,” and only 9% said “digital heroes,” with about 70% saying their views about the movement had not changed over the past few years.

Finally, another emotionally charged topic for the hackers is the suicide of hacker and activist Aaron Swartz, who faced charges under the Computer Fraud and Abuse Act. In general, many respondents said the tragedy shows the need for support for the community and for the Electronic Frontier Foundation, and reform of the CFAA. One respondent wrote: “This really hit home. If my childhood had gone slightly differently, I could have been Swartz.”

ADDENDUM: One of the respondents said it would be helpful to know exactly what the questions were to understand the context of the responses. While I was grabbing the questions from the survey to include here I figured out how to create charts, so they are included now as well.

  1. What are the most important things you do to protect your data? (Options: Encrypt the hard drive, Use VPN, Disable Bluetooth, Use safe Web browsing tools, Use strong and diverse passwords, Avoid social networks, Use encryption on mobile, Lock the mobile device)
  2. What in security keeps you up at night? Can it be resolved? How?
  3. What is the most solvable security challenge? Why haven’t we solved it yet?
  4. How has the industry changed in the last 10-15 years … or since you were a script kiddie? ;)
  5. What positive change(s) do you see in the industry? (None, Companies have more tools to secure their networks/data, People are more aware of what they need to do to secure data, HTTPS adoption)
  6. How optimistic are you that the work you do is making a difference? (Very optimistic, Pretty satisfied, Neutral, Somewhat discouraged, Cynical)
  7. We need more: (Breakers, Builders, or Fixers)
  8. What do you like most about working in security?
  9. Why did you get into security? (I’m a puzzle solver, I’m a defender/protector, Job security)
  10. Why do you stay in security?
  11. What new developments (technologies, businesses, etc.) are you most excited about?
  12. Which disclosure practice do you follow? (None, Full, Responsible, Coordinated, It depends)
  13. What is the primary ethical principle to which you hold for your research and disclosure processes? From whom do you seek guidance before you act?
  14. What would increase the adoption of encryption technologies like PGP and Perfect Forward Secrecy?
  15. Now that Zero Days get big bucks instead of just bragging rights, how has that changed the security landscape?
  16. What’s your take on the idea of “hacking back?” (It’s wildly irresponsible, Proceed with caution, It’s my cyber Second Amendment right)
  17. In light of wide-scale nation-state surveillance (e.g. PRISM) and the United Nations’ play for Internet governance, what can hackers do to keep the Internet free and open? Check all that apply (Build technology solutions, Online activism, Offline activism, Work within the existing political system (vote, lobby, etc.))
  18. What do you think about Defcon asking Feds to stay away? (Who needs them anyway?, Wait, isn’t Jeff Moss on a federal advisory board?, Now we will miss our chance to hold their feet to the fire)
  19. What is your opinion of Anonymous? (Criminals and miscreants, Confused kids, Digital heroes)
  20. Have your views on Anonymous changed over the last few years?
  21. Is there a way for the “Average Joe” to restore privacy?
  22. One of the talks on the Defcon schedule deals with suicide risk assessment and prevention tactics and there’s been talk on Twitter and elsewhere about burn out among security professionals. Which statement do you agree with? (The industry has high levels of stress and burn out, The levels of burn out are normal relative to other professions, They are just a bunch of whiners)
  23. What do you think about allegations of sexism and sexual harassment at the hacker conferences? (Women get the same respect as men, I haven’t seen anything improper but I’m sure it occurs, Harassment happens and it’s inexcusable, Boys will be boys)
  24. What has the death of Aaron Swartz meant to you? What should the hacker community take from this situation?
  25. What are your preferred sources of information on security? (blogs, podcasts, analysts, authors, speakers, conferences) Please specify.
  26. If you were “President of the Internet” and could make one executive order what would it be?
  27. Boxers or briefs… or Spanx? (Boxers, Briefs, Spanx, Commando)
  28. What’s your title? (C-level executive, Director/VP-level executive, IT professional, Researcher, Engineer/programmer)
  29. Where do you work? (Security provider, University, Government agency, Large non-security company, Small non-security company, Non-profit, Self-employed, Student)
  30. Age?
  31. Number of years working in security?
  32. What question(s) should we have asked?
  33. Any other comments on security, the state of the Internet, or any other topic you find compelling?
  34. If you would like us to send you the results of the survey please provide your email address. It will not be shared with anyone or used for any other purpose. Thank you for your help!
