Overcoming Insularity, Part 2: Moving Beyond the “Try Harder” Mentality
Creating Open Learning Communities
In my last post, we explored how the hacking community’s insular culture, with its “try harder” mentality, disempowers and discourages those seeking entry into the field. Here I discuss steps our community can take to demystify hacking so it is no longer seen as an arcane practice open only to the chosen few.
The ham radio community, a model of open learning, has a deeply engrained ethic of mentorship and expectation of mentorship. Every piece of preparatory material for the technician’s exam, at least that I have seen, has long sections about community expectations. You are expected to have a mentor and to work with this person to develop core understanding. You are further expected to innovate, or try to, and publicize that to everyone who wants access. You are expected to mentor others, participate in community events, and create an environment that anyone, regardless of class, race, gender, or social standing, can access with nothing more than information about a meetup and a $30 Baofeng. Even the materials to prepare for the exams are available freely online.
The mentality in the ham community is an inversion of many of the dynamics we see in hacking communities, even if the structures are somewhat similar. Just as in the ham community, we have structures of training, mentorship, and community. We are not necessarily expected to participate, though, even as many of us do. In ham communities, basic knowledge of radio is widely available. We hackers tend to lock knowledge up in products, paid training courses, and social environments which, if we are to be honest with ourselves, are not always the most welcoming to outsiders. This is not helped by always telling everyone to just “try harder.”
There is definitely a LOT of value in encouraging people to force their way through learning certain things. We develop processes, tenacity, and confidence by figuring out things that seem impossible to understand; it’s all part of the high of hacking. At the same time, by restricting core understanding in this way, by making everything a question of access or otherwise being in a position in life to engage in an endeavor like this, we create this problem of insularity.
We already do things that provide the foundation necessary to challenge this dynamic. Hacking communities readily share information collaboratively, and even enthusiastically, though the information can seem impossibly complex at times. We already do social events, even if it’s mostly a recurring cast of the usual suspects. We also have open software and knowledge environments, although they often take effort to access and understand. Using the building blocks already available to help solve this problem means taking, at the very least, several steps.
Build organized mentorship structures
We already have a mentorship structure, sort of, but it is one of those structures in the community that you either stumble into (sometimes literally, at a party during a conference) or that you access by knowing someone already involved. We also have loads of free information and tools out there, but you need to wade through a lot of bad information and develop your own learning path. As a result, many people who try to learn are left to their own devices (literally and metaphorically). The result is this unevenness, where those of us who are self-taught often have odd gaps in understanding, and sometimes weird notions that have built up in the self-learning process.
We have to encourage self-learning. It is not only a critical work skill but also a core part of autonomy within the hacker ethic. However, we must do so in a way that also makes sure everyone can start from a solid foundation. To solve this requires us to build more structured, accessible entry points for learning the foundations of hacking and security. This involves developing materials and open mentorship structures that would allow people like me, with no formal background in computer science, to have a good basis from which to start the process in which we can “try harder,” without getting completely discouraged and quitting.
Make knowledge freely available, and do not allow profit motivations to get in the way of information sharing.
OK, I am going to pick on Microsoft again for a little bit. Even though we’ve seen some profound and incredibly positive changes with the way Microsoft engages with open-source communities, we are still dealing with the legacy of when that was not the case. Due to the concealment of many of the core elements of Windows (including the NT API), a lot of research, both in the red team space and in the EDR space, is centered on trying to figure out some of the basic building blocks of the system, then monetizing that secret knowledge. As we have seen, that approach does not improve security. It just means that there is an arms race between red teamers and EDR, with every red teamer seemingly having their own secret loader and execution mechanism.
We can, and should, do better than this. No, this does not mean that everyone needs to dump the code for their super-secret C2 onto GitLab tomorrow. However, we must do better with sharing foundational knowledge and techniques, without core information ending up under the purview of copyright and therefore limited in its reach and impact. To democratize this knowledge means placing knowledge distribution ahead of profit motivations and changing business models so they do not rely on denial of access to information.
Work to actively engage with the outside community and encourage an openness to “outsiders”.
Mentorship structures and the democratization of knowledge rely on active engagement with communities outside the boundaries of what we consider the hacker scene. To be honest, we kind of suck at this. A lot of people in our immediate proximity professionally or technically are, let’s just say, not great with people. This is so much the case that the figure of the cantankerous IT person condescending to someone looking for help has become a banal trope of modern media. The reality is that we do a wonderful job of building mentorship structures and sharing knowledge already, but this often does not escape a small circle of people.
The structures we build tend to be passive. They exist, but one needs to access them first. One needs to already be interested in this, already have enough knowledge to understand people, have enough access to know where to meet people, and have enough social confidence to just go ahead and meet people who, again, are often thought of as wizards by the outside world. It is a bit of a hurdle that we just expect others to surmount. In many cases, this expectation is there because we ourselves overcame it.
Ending this isolation requires (dun-dun-dun) going out into the world, actively. It's not enough to hold conferences; we need to open those up to our wider community. We can involve robotics teams, arts collectives, bands, and the local ham radio group. We must intentionally get involved in community festivals, join ham radio people preparing for emergency communications, and throw cryptoparties in open public venues. We not only need to make it easier for someone to get involved once they find us, but we must put out big, huge, flashing lights that make finding us far easier and more inviting.
We already do many of the things that are necessary for us to be able to break down the gatekeeping structures that isolate us and fundamentally make the world less secure. But for us to expand access, to make spaces more inviting, and to expand our own perspectives, we need to get beyond the “try harder” mentality. This, by no means, implies that we should make things easy or give people answers; no one benefits from that. At the same time, we do not have to settle for building spaces that are intimidating, difficult to access, and prohibitive to many. We thrive, both as a community and in our mission, to the degree that we can ease that pathway, provide the necessary support, and open ourselves out onto the world.
Credits
Prepared by: Thomas Pieragastini
LinkedIn: https://www.linkedin.com/in/thomas-pieragastini-932974ba/