Infosec community disagrees with changing ‘black hat’ term due to racial stereotypes



The information security (infosec) community has reacted angrily today to calls to abandon the use of the terms ‘black hat’ and ‘white hat’, arguing that the two, and especially ‘black hat’, have nothing to do with racial stereotypes.

Discussions on the matter began last night after David Kleidermacher, Google’s vice president of engineering, who is in charge of Android Security and the Google Play Store, pulled out of a scheduled talk he was due to give in August at the Black Hat USA 2020 security conference.

In his withdrawal announcement, Kleidermacher asked the infosec industry to consider replacing terms like black hat, white hat, and man-in-the-middle with neutral alternatives.

While Kleidermacher only asked the industry to consider changing these terms, several members mistook his statement as a direct request to the Black Hat conference to change its name.

Since Black Hat is the biggest event in cybersecurity, online discussions on the subject quickly became widespread among cybersecurity experts, dominating the July 4 weekend.

While a part of the infosec community agreed with Kleidermacher, the vast majority did not, and described the call as extreme virtue signaling.

Most security researchers pointed to the fact that the terms had nothing to do with racism or skin color, and originated from classic western movies, where the villain usually wore a black hat, while the good guy wore a white hat.

Others pointed out that the dualism between black and white represents evil and good, concepts that have existed since the dawn of civilizations, long before racial divisions existed between humans.

At this time, the infosec community does not appear to be willing to abandon the two terms, which it does not see as a problem when used in infosec-related writings.

Part of a broader trend to clean up tech jargon

But in the grand scheme of things, Kleidermacher’s call to replace the two terms with alternatives is not a singular effort and follows a general trend to clean up technical language in the broader tech community.

After Black Lives Matter protests erupted in the US and in some parts of Europe, several companies announced plans to stop using race- and slavery-laden terms in their technical documentation.

Companies like Twitter, GitHub, Microsoft, LinkedIn, Google, Ansible, and others pledged to change the technical language in their products and infrastructure to remove terms like master, slave, blacklist, whitelist, and others.

But these efforts to get away from offensive terms like master, slave, blacklist, and whitelist started even before the Black Lives Matter protests.

Companies and open source projects like Drupal, Python, PostgreSQL, and Redis had removed the offensive terms years earlier, some in the late 2000s.

In May 2020, even the UK government’s cyber security agency, the NCSC, announced that it would stop using the terms “white list” and “black list” due to the stigma and racial stereotypes surrounding the two terms.

The trend to clean up technical language was already underway, but the Black Lives Matter protests gave it a boost and helped it gain media attention and more support.

However, the infosec community is not willing to accept changes at this time for terms it does not consider offensive, and the terms are likely to be here to stay.