[Techtalk] Gender as a weapon? Pen-testing and female auditors

Raven Alder raven at oneeyedcrow.net
Mon Mar 15 10:44:54 EST 2004


Heya --

	I'm genuinely not sure which list this belongs on.  I'm voting
for techtalk because, while it's not "look at this config file", it *is*
what I do in my day job.  If the thread drifts, feel free to move it to
grrltalk, grrls-only, or wherever.  Permission given to cross-post.
(I'm not on "issues", though, so if you move it there, I would
appreciate a cc:.)

	There was recently a thread on pen-test at securityfocus.com about
companies using female pen-testers and security auditors to essentially
scam lonely guys out of information.
(http://archives.neohapsis.com/archives/sf/pentest/2004-03/0036.html)
All the people posting were male. I weighed the "do I want to remind
them that there are actually women reading this list" factor and the "I
have something relevant to contribute" factor against the "I don't want
any more creepy stalker men" factor, and posted.
(http://archives.neohapsis.com/archives/sf/pentest/2004-03/0056.html)

	Seventeen "will you date me" mails and two marriage proposals
later (sigh), I had a few intelligent reasonable replies. There is
strong community demand for me to write a case study about my
experiences testing security, it seems. I'm up for it, but I want to
keep it professional and interesting without encouraging anyone to treat
me like a piece of meat. I am still very much of two minds about using my
sexuality in my line of work. Yes, it could be devastatingly effective,
and the point of a vulnerability assessment is to test the strength of
their defenses. Holding back or refusing seems like doing less than a
full job. And in an industry where it actually does kind of suck to be a
girl sometimes, it seems mad not to use every advantage I've got. But on
the other hand, I can't constantly be telling people "just treat me
like any other geek, not like a piece of meat" and then turn around and
act like a piece of meat. That's hypocritical.

	I normally solve this problem by staying mostly on the tech side
of the house and letting others do the social engineering.  I'm a rotten
liar anyway.  But the few times that I have even dipped my toes in, it's
been shockingly effective.  But ew.  Slimy.

	So, I'd like to poll some other geekfemmes. If you have any
stories about being able to get what you wanted in a tech capacity or a
social engineering capacity, and you think being a girl had anything to
do with it (or, conversely, if you're a guy who has used his sexuality
to social engineer), I'd love to hear about it.  Is it okay to do this
sort of thing?  Is it encouraging or setting back feminism?  (That bit
might be more appropriate on one of the chatty lists.)  But there's a
professional paper in this somewhere. 

Cheers,
Raven

"We want to follow each citizen from birth to death with the all-
 knowing protection power of our databases."
  -- Mr. Herold, head of German police, ~1970

