Crowdfunding Summer Camp, and Bad Arguments
When I am passionate about something I am almost always very loud about it. There are a lot of conversations about people "panhandling" for money to travel to BlackHatUSA 2017 and DEFCON 25. Most of the conversations I've seen are dominated by people being very vocal against people crowdfunding any part of their trip, right down to someone who paid travel, lodgings, and tickets out of pocket and couldn't afford food while in Vegas.
"How dare they ask if anyone wants to give him some money so they eat?" - Aristocrats, probably
I am going to talk about conference travel, barriers, and elitism.
A Quick Note On Elitism
I wrote a thread on Twitter, here, regarding high-priced certificates being used as arbitrary barriers to entry into the field of information security. Halfway through that thread I talked about networking, here, and how the combination of a high barrier to entry and side-stepping traditional hiring processes through networking created a cycle of elitism. Here's the raw text:
All of that advice is given in concert with "networking." Nobody says it but we all know nobody gets jobs because of their application.
We get jobs because we know people. Because we sidestep the hiring process. Then laud ourselves like we uniquely rose above the rest.
This is where elitism comes from. The people who got their jobs through networking are "special," because they were treated differently.
And so they either don't fight against or contribute to the arbitrary barriers in the hiring process.
So those barriers get larger, requirements get stricter, and CISO John passes his friend David's resume directly to the hiring manager.
Because those requirements shouldn't apply to David because John has seen David work really hard and he deserves this chance.
It's a cycle, and most people stop thinking about how one thing leads to the other at "My hard work got noticed, so a friend helped out!"
Networking is important and there's no better place to network than an event dedicated to your field of study/work. Workshops fill up quickly and you can watch a lot of talks from BlackHatUSA or other conferences on YouTube. Networking face-to-face is the reason to go to these cons.
Typical getting-to-conventions advice is:
Crash with other people, because hotel rooms are expensive.
Volunteer at the conference; doing so usually merits a free badge for attendance.
Speak at a conference! Free badge! (But also anxiety and not guaranteed.)
Not Everyone Has Things So Easy
There have been a couple threads on Twitter about unseen barriers getting out to cons. I wrote a long one, here, and Sarah Jamie Lewis has posted a couple here, and here. There's a lot to say about the needs of a lot of people who are being ignored by a lot of the arguments being made right now.
If you are just going to write "hitch a ride, volunteer, sleep on a stranger's couch, eat crap food" then urgh, the world is bigger than you.
— Sarah Jamie Lewis (@SarahJamieLewis) July 6, 2017
We Don't Want You Here
So I could just say that people are being elitist and don't want you to be at BlackHat or DEFCON. But I could and have said that in a tweet and been done with it. Instead, I am going to break down a bunch of the arguments being made. These are the things that stood out most prominently to me on my timeline.
"I didn't mind shoveling shit to save up for widgets" / "Earn your way there."
The people who I know that are crowdfunding for travel/lodgings, and in some cases tickets, to summer camp are students with limited income. Some other people who are new to infosec are crowdfunding most of their expenses because they work full time already and don't have enough time to work a side job to get there.
"Raise money on your own, do some bug bounties or something"
Same thing as before. But wait, there's more! Where do I go for bug bounties? How much knowledge do I have to have already to be able to handle a bug bounty? How many would I have to do to be able to afford this? I've seen reports of some bug bounty programs not paying out, so which programs do you suggest I investigate? This suggestion assumes new people are already skilled and knowledgeable enough for this to be an option for them, in which case they would probably already be doing this to go.
"Don't buy an $8 latte every day."
Aight, go fuck yourself. Buying an $8 latte every day is a bad idea but that's not the intent behind this statement. This statement really reads, "Don't spend money, then don't be poor." This is a very American view on poverty because American culture says that if you're poor it's probably your fault and you just need to stop wasting money. Poverty is a really difficult thing to survive, let alone break out of.
This is a disingenuous argument, intentionally mocking self-care and depression. This argument is akin to any "Poor people aren't allowed to be happy" argument, like when people say people on welfare shouldn't be allowed to buy chocolate or see movies because it's a waste.
Let us examine a practical case. I buy $4 worth of chocolate three times a week, so roughly once every two days. At the end of the year that will add up to roughly $575. Look at all that money I'm wasting! And for what?
So that every other day I force myself into a routine of basic hygiene, putting on fresh clothes, leaving my house to get fresh air and sunlight, and to interact with other people face to face. If I didn't have a reason to go outside, then why go outside in the awful desert heat? If I don't go outside, then why bother taking care of myself since nobody is going to see me? If I don't bother taking care of myself, then why bother getting out of bed? If I'm just going to lie in bed all day every day why the fuck am I even alive?
Depression. It's real. Just because someone's self-care routine doesn't make sense to you, it doesn't mean that it isn't the only thing keeping them alive at times.
"People are just trying to scam money from us."
This is fair. People will try to scam. Even if they go to summer camp, they might not have needed to raise money to do it but did because it was easy. Being scammed is a legitimate concern. Here is what you should do if you think someone is scamming: Don't promote them or donate to them, and if you see their fundraiser shared nudge the people who shared it and let them know. Don't decide that nobody should raise funds because everyone must be a scammer.
This is not a matter of being against generalization. The people who are putting up scam fundraisers don't care about your opinion. They are not stealing money from you, they are stealing money from the people who needed the money you donated. By condemning all people raising funds as scammers, you are just hurting the victims more. Just be vigilant and do some research before donating to someone.
I Didn't Mean You!
I've been told privately and publicly, "They aren't referring to you when they say this, you don't have to justify yourself." No. I don't have to justify myself. And yes, they are referring to me in some cases except I get a pass because they know/respect me. Where have we seen that before?
Geez, I knew that sounded familiar. I bypassed the exclusionary standards people set because I have been around and talked to people enough for them to get to know me and my struggles. I am now a human being they know and not a name and a picture. Who could have seen that coming? Certainly not me.
Because those requirements shouldn't apply to David because John has seen David work really hard and he deserves this chance.
— Amanda (@AwfulyPrideful) June 7, 2017
Well, You Are Clearly Biased
The framing of this blog post is intentional. If you have made it this far then you probably have formulated some counterpoints and Opinions™. I am going to address some of the better arguments that people have made against new people going to summer camp.
There are plenty of local conferences...
For some people, yes. The closest Local Conference™ to me is BSides Vancouver. Travel and ticket price came to roughly $300-350. I crashed on the couch of a friend while people came and went and violence occurred on the floor above. No privacy and nowhere safe for my belongings, so I had to carry all my stuff at the con. It isn't a very feasible option to go repeatedly.
... Or you can start your own meetups if there aren't!
People who are new to InfoSec should start InfoSec meetups where there probably isn't a scene, and take on the burden of promoting and managing the event. This requires a lot of social skills and time/monetary investment. You are asking for a lot from someone who was trying to get $800 to go to DEFCON. It isn't a solution that works for everyone.
You won't get into talks at DEFCON, and the workshops fill up in seconds.
Having been to conferences, and been around Infosec Twitter long enough to know what DEFCON is, I know that is not what it is about. I have heard the stories. I have never heard someone tell a story about DEFCON about that one talk they saw, or how cool the workshop they got into was. DEFCON is a social event for networking - and it is the type of networking you can't do at your Local Conference™. DEFCON is about meeting people and making friends, and getting to see what the heck that nerd with the animu avatar on Twitter really looks like.
BlackHatUSA costs too much for what you'll get out of it
You are absolutely right. If someone wants to crowdfund a BlackHatUSA ticket, tell them to go to BSides Las Vegas instead because they will get way more out of it for way less money. BlackHatUSA has an audience, and that audience is probably different than DEFCON. If you got a scholarship that didn't come with free travel and lodgings, I think it is perfectly acceptable to crowdfund your way there if you don't have other options.
I don't want this to become a Thing™ students do just because.
I do not approve of just any student considering infosec to crowdfund a full-ride to hacker summer camp just because it's a Thing™ students do. I think people should have reasons they can express clearly before they attempt to crowdfund. As someone potentially funding a student's trip you have the ability to decide whether they have made their case well enough before committing your money to them.
DEFCON/Summer Camp shouldn't be your first conference(s)
At the end of the day this is my argument. I found that at my first conference I was at a complete loss. I didn't know anyone at the conference which made it impossible to get into any conversations. I watched some of the talks but I didn't know which ones would be good for me and which ones wouldn't be.
I think before crowdfunding a trip to hacker summer camp for networking you need to know people. You need to know who you're looking to meet, and where they are going to be at. Going to any conference to network with people without already having contacts makes things very difficult. You can mitigate that by volunteering so you are given time and a reason to be around people.
Wait, Did You Just Flip Sides?
No. I had a lot of problems with the way people were framing their arguments and the hostility and malice they delivered their points with. That malice can spill over and deter people with good reasons and good intentions from trying, and actively sway people away from helping those who deserve the chance.
I do not expect those with malice to change because of this post. Imparting social responsibility onto those who do not care about other people is ineffective. I made this post for the people who are being targeted unfairly by that hostility. Those people can learn things from this post, hopefully.
I always run out of steam at the conclusion. That is all I have to say on the matter. So I done. Conclusion!