The information security (infosec) community has angrily reacted today to calls to abandon the use of the ‘black hat’ and ‘white hat’ terms, citing that the two, and especially ‘black hat,’ have nothing to do with racial stereotyping.
Discussions about the topic started late last night after David Kleidermacher, VP of Engineering at Google, and in charge of Android Security and the Google Play Store, withdrew from a scheduled talk he was set to give in August at the Black Hat USA 2020 security conference.
In his withdrawal announcement, Kleidermacher asked the infosec industry to consider replacing terms like black hat, white hat, and man-in-the-middle with neutral alternatives.
These changes remove harmful associations, promote inclusion, and help us break down walls of unconscious bias. Not everyone agrees which terms to change, but I feel strongly our language needs to (this one in particular).
— David Kleidermacher (@DaveKSecure) July 3, 2020
While Kleidermacher only asked the industry to consider changing these terms, several members mistook his statement as a direct request to the Black Hat conference to change its name.
With Black Hat being the biggest event in cyber-security, online discussions on the topic quickly became widespread among cyber-security experts, dominating the July 4th weekend.
While a part of the infosec community agreed with Kledermacher, the vast majority did not, and called it virtue signaling taken to the extreme.
Most security researchers pointed to the fact that the terms had nothing to do with racism or skin color, and had their origins in classic western movies, where the villain usually wore a black hat, while the good guy wore a white hat.
Others pointed to the dualism between black and white as representing evil and good, concepts that have been around since the dawn of civilizations, long before racial divides even existed between humans.
I’m confused, I thought black and white hats had their basis in old westerns where the goods guys wore the white hats and the villains wore the black. If I’m being ignorant I apologise https://t.co/220EbXzoft
— Fenrir (@semibogan) July 4, 2020
Okay help me out here… Because my first instinct here is to say changing “Blackhat” because it has the word black in it is silly and performative.
Is there anything to this? https://t.co/uJzvLQ3tAW
— Viking Sec #BlackLivesMatter (@Viking_Sec) July 4, 2020
Right now, the infosec community doesn’t seem to be willing to abandon the two terms, which they don’t see as a problem when used in infosec-related writings.
Part of a larger trend to clean up tech lingo
But in the grand scheme of things, Kleidermacher’s call to have the two terms replaced with alternatives is not a singular effort and follows a general trend to clean up technical language in the larger tech community, as a whole.
After the Black Lives Matter protests erupted across the US and in some parts of Europe, several companies announced plans to stop using racially- and slavery-charged terms in their technical documentation.
Companies like Twitter, GitHub, Microsoft, LinkedIn, Google, Ansible, and others committed to changing technical language in their products and infrastructure to remove terms like master, slave, blacklist, whitelist, and others.
We’re starting with a set of words we want to move away from using in favor of more inclusive language, such as: pic.twitter.com/6SMGd9celn
— Twitter Engineering (@TwitterEng) July 2, 2020
But these efforts to move away from offensive terms like master, slave, blacklist, whitelist started even before the Black Lives Matter protests.
Companies and open-source projects like Drupal, Python, PostgreSQL, and Redis had removed offensive terms years before, some as early as the late 2000s.
In May 2020, even the UK government’s cyber-security agency, the NCSC, announced it would stop using “whitelist” and “blacklist” due to stigma and racial stereotyping surrounding the two terms.
The trend of cleaning tech language was well underway, but the Black Lives Matter protests gave it a boost and helped it gain mainstream media attention and more backing.
However, the infosec community is not willing to accept change at this moment for terms it doesn’t see as offensive, and chances are the terms are here to stay.