Block/Allow: The Changing Face of Hacker Linguistics
Terms such as "whitelist," "blacklist," "master," and "slave" are being scrutinized again and by a wider range of tech companies than ever before.
Hackers generally love to embrace change, from executing new exploits to reconsidering past paradigms. But like most of the technology sector, cybersecurity companies have been slow to abandon the exclusionary language they use, which has returned to the spotlight thanks to the Black Lives Matter protests.
Terms such as "whitelist" and "blacklist," which refer to lists of approved or blocked websites, IP addresses, privileges, and services, and "master" and "slave," used when talking about one device that controls another, are being scrutinized again, and by a wider range of tech companies than ever before.
Several major companies and tech development organizations have announced their intentions to replace those words in professional and development settings, including Apple, Google's Android, Microsoft's GitHub, Splunk, Red Hat, and GitLab. Several cybersecurity organizations are also making the change, including Cisco's Talos research division and the UK National Cyber Security Centre.
They're not the first to do so, an honor that many believe belongs to Los Angeles County, which in 2003 began requiring its computer suppliers to use terms other than "master" and "slave." The most recent wave of changes demonstrates that more, and more powerful, tech organizations take watching their language as a serious concern, even though the history of the terms predates their use in computing, says Christina Dunbar-Hester, an associate professor of communication at the University of Southern California and the author of "Hacking Diversity: The Politics of Inclusion in Open Technology Cultures."
"Language is symbolic and powerful but can also feel superficial. Certainly in the moment we're in, some people are asking to abolish the police, not to change unfortunate computer terms," she says. "But Black Lives Matter and the current moment gives people the ammunition to say that language does matter."
However, there's a difference between changing word choices in documentation and getting people to change the words they use on a daily basis. Convincing developers, hackers, and other professionals to switch to more inclusive language has been a long struggle that predates the current norms.
Tech has long faced a serious imbalance in how it pays and promotes white men more than women and Black, Indigenous, and people of color. There's a gender pay gap of 17% in the US and 19% in the UK, according to Tessian's Opportunity in Cybersecurity Report published in March. But the racial pay gap is significantly worse, with Black Americans facing a difference of 46% in some states and up to 91% in others, according to a June study by employment research company Zippia.
So shouldn't cybersecurity and other tech companies focus on improving their hiring and promotion practices rather than what language they use in production environments?
"It would be all too easy to make certain changes to a technical handbook, a conference website, or even an API, and leave some of the other questions unanswered," Dunbar-Hester argues. "Diversity itself is a protean concept, but especially in corporate and work spaces it can be a mushy and market-friendly term that draws attention away from conversations about justice and equity."
Changing language can help frame those workplace equity conversations, says Brianne Hughes, a linguistics expert and the lead editor on Bishop Fox's Cybersecurity Style Guide. Language, especially the kinds of technical terms that cybersecurity professionals use every day, needs to be accurate, consistent, and usable by people — and so do any changes made to it if those changes are to have an impact.
"We have a rule [at Bishop Fox] that we don't use 'hack' in a report. Instead, we explain what happened with more specific verbs. We also don't use 'abuse' as a verb. It's vague, but for the people that it matters to it's another microaggression, another miserable part of their day," she says. "We also include guidance for abort. If you have a choice, you could say 'force quit,' or 'interrupt.' As verbs, there are better words you can use than abort and abuse."
Eventually, says Dunbar-Hester, the terms will change just as online communities advocating for codes of conduct finally got the changes they were seeking. The challenge for most companies will be in changing their workplace cultures and business practices to be more inclusive, as well as updating the language they use.
"If we're talking about changes in technology and technical language, in relative isolation without other kinds of equity we are perpetuating a system that serves people with more power than those initiating those conversations," she says. "If there was greater social equity, the language questions wouldn't be so important."