October 1, 2013
Hackers are an interesting bunch and somewhat predictable, if I may be so bold as to generalize. Before Defcon this summer, I asked all the hackers I know to participate in a survey about their opinions on a variety of security industry-related topics, and I asked them to spread the word through social channels. It’s taken me a month, but I’ve finally tabulated the results. Many of the findings aren’t shocking, but the passion the respondents have for their work is, frankly, inspiring.
The first thing I learned is that hackers don’t like long surveys. Actually, few people do. Maybe I needed to offer a reward for completing it. Granted, the survey had 34 questions, most of them multiple choice, with a number soliciting essay answers. Still, a whopping 96% of the respondents who started the online survey finished it. So, I’d like to say a heartfelt “Thank You!” to those 53 people who took the time to answer all the questions.
Before I dive into the results, I should get the demographic data out of the way, because I would probably see somewhat different responses from younger or less experienced hackers. The respondents’ ages ranged from a low of 27 to a high of 68, with the largest single group in the 25-35 range and a median of 39. They averaged 13.5 years of experience and were nearly evenly divided among researcher, IT professional, engineer/programmer and VP-level executive roles, and more than one-third work at a security provider. So this is a very savvy crowd. Now for the results…
If I were to create a word cloud, “Encryption” would be 36-point font size, at least. It’s the most important thing hackers said they do to protect their data, along with using strong and diverse passwords — both eliciting 75% of the responses with multiple choices possible, followed by use of VPN and safe Web browsing tools. Encryption, specifically HTTPS by default, along with passwords, public awareness and computers running outdated versions of Windows are considered the most solvable security challenges.
As far as new technologies they are excited about — top answer was…. Encryption! But it’s got to be made easier to use in order for it to be more widely adopted, they said. Other technologies and trends they like: IPv6, DNSSEC, the maker/hacker movement, “virtualization to move exploitable systems away from the data,” self-diagnostic troubleshooting tools and “Steve Mann’s space glasses.”
And they’re not really too jaded, although they like to act like it. Asked how optimistic they are that the work they do is making a difference, 40% said they are “pretty satisfied,” with roughly 20% each responding “very optimistic,” “neutral” and “cynical.” And a couple of astute quotes: “Teachers make a difference. I just increase shareholder value,” and “All I can do is inform, but who listens?”
Asked what they like about their jobs, the top responses were “the challenge,” and “solving puzzles” or “solving problems,” although they are also fond of their hacker comrades, the fast pace of the industry and that it’s never boring. “It’s an ever changing field, like a never-ending playground and I think compared to most other industries it will still be as colorful in like 20 years from now,” one wrote.
They might like their jobs, but not everything is hunky dory either. Sixty-five percent said the industry has high levels of stress and burnout. Asked for their opinion on allegations of sexism and sexual harassment at Defcon, half said “it happens and is inexcusable,” 37.5% hadn’t seen it but are sure that it happens, and 6% each said “boys will be boys” and “women get the same respect as men.” Clearly, there’s a gender gap at the show, and even a female journalist who has attended Defcon for a dozen years falls into stereotyping: I failed to ask respondents to this survey what gender they are. Next time, the options will be “male,” “female,” and “transgender,” to be all inclusive.
Asked which disclosure practice they follow, 40% said “it depends,” 31% said “responsible,” 14% said “coordinated,” 10% said “none,” and 4% said “full.” As for their primary ethical principle, the answers, as you can imagine, were interesting: “Do what sucks least;” “target technology, not people;” and “principle of multiple discovery, that it is unlikely I am the only one to have found the bug, and unlikely to be the last to find it before it is patched.”
I was curious about their thoughts on the marketplaces for zero-day vulnerabilities and exploits that have cropped up, with governments among the big buyers. Here’s what they had to say about that: “The intelligence community is now stockpiling them like Twinkies,” and “Today, exploits equate to either big sums of money (or) going public, which can lead to jail time… so our government has, in effect, destroyed full disclosure and built a secretive community that holds exploits much closer to the vest… It’s no longer an open, sharing community like it used to be.”
I asked about the concept of “hacking back,” which has moved from the realm of fantasy to probability in some security circles. More than half said “proceed with caution,” 40% said “wildly irresponsible,” and only 9% said “it’s my cyber Second Amendment right.”
Not surprisingly, there was a lot of anger directed at the U.S. government over the NSA surveillance that has come to light as a result of Edward Snowden’s leaks. With more than one answer allowed, 85% feel the answer is to build technology solutions that counter surveillance, 66% said to work within the existing political system, and slightly fewer preferred online and offline activism. They were almost equally divided on whether there is a way for the average citizen to restore his or her privacy.
Meanwhile, they weren’t exactly fans of the Anonymous activist movement, either. Nearly 60% said they considered Anonymous “confused kids,” 33% said “criminals and miscreants,” and only 9% said “digital heroes,” with about 70% saying their views about the movement had not changed over the past few years.
Finally, another emotionally charged topic for the hackers is the suicide of hacker and activist Aaron Swartz, who faced charges under the Computer Fraud and Abuse Act. In general, many respondents said the tragedy shows the need for support for the community and for the Electronic Frontier Foundation, and reform of the CFAA. One respondent wrote: “This really hit home. If my childhood had gone slightly differently, I could have been Swartz.”
ADDENDUM: One of the respondents said it would be helpful to know exactly what the questions were in order to understand the context of the responses. While I was grabbing the questions from the survey to include here, I figured out how to create charts, so they are included now as well.