James Martin/CNET

Defcon isn't your typical tech conference. Happening in the heat of Las Vegas every summer, it attracts throngs of hackers -- 15,000 this year -- who are eager to learn about, and test out, the latest methods of breaking into computer networks, hacking phones, and general slaying of any type of security system imaginable.

Security professionals and researchers give highly technical talks, but the event is known as much for its side-show theatrics, hacking contests, and DJ and booze-filled parties as it is the sessions. Black t-shirts and jeans predominate among the mostly young adults, though many have families of their own and even bring their children to attend Defcon Kids. Males have always way outnumbered females, although that too is changing.

However, it's one thing to be one of the few women hackers at Defcon. It's another to feel so threatened by some of the male antics that you don't want to go back.

Several women have complained recently of sexual harassment at Defcon, prompting heated debate about sexism among a community responsible for much of the work into technology-related security offense and defense in the world. The loss of these attendees tips an already gender-imbalanced industry even further, and that's not good for women hackers, Defcon, or security as a whole.

"Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community." -- Bruce Schneier

Citing inappropriate touching (i.e. groping and even licking), sexual taunting, and lewd demands they or their female friends have experienced, two women say they no longer go to the event. To combat the problem, San Francisco-based journalist KC created "Creeper Move" cards that can be handed out to offenders. There are three cards. The red one reads: "Creeper Move! If you have received this card, you have done something wildly inappropriate or otherwise harassed the person who handed this to you. You should be happy you got a card and not a punch in the face. Check yourself - you might not be this lucky twice!" The yellow one is for "mildly inappropriate" behavior and urges the recipient to be "respectful and mindful of peoples' boundaries." A third card, which is, you guessed it, green, reads: "Thank You! The person who handed you this card appreciates that you were respectful and mindful instead of overbearing and harassing. It might not seem like much, but you could have received a red or yellow card instead. Cheers!"

I agree with many of my hacker friends that this won't go over well with a community that prides itself on breaking rules and acting naughty. Handing a misbehaved hacker a card like that will more often than not be taken as a challenge to respond in an equally obnoxious way. At Defcon the cards were met with derision and ridicule, with some men turning them into a game to see who could collect the most cards.

But that doesn't mean they haven't already been effective. The cards have sparked serious debate and even action. In addition to the discussions on e-mail lists and social media sites like Twitter, The Ada Initiative, a nonprofit devoted to supporting women in technology, has taken up the cause and issued a challenge to hacker conferences to adopt an anti-sexual harassment policy. Two European event organizers have answered the call: BruCon and DeepSec.

Bruce Schneier, who is revered by many in the community as a cryptography pioneer and critic of the government's "security theater," weighed in earlier this week. "Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community," he writes. Schneier likes the idea of the cards, calling them a "hackerish sort of solution," but says an even better answer is for Defcon and other events to adopt anti-harassment policies.

But some in the community who felt the criticism was unjustified were happy to see a female hacker "call bullshit" on the women who have complained. "Of all the places I have been, of all the people who have been around me, I have never felt safer than at Defcon," writes a hacker whose handle is "Nous" in a post on Reddit. I doubt that her sexism barometer is calibrated the same as other women, though. "I was there for the infamous Pool 2 Girl and Hot Tub Orgy incidents," she writes, adding that "what hasn't been related in those stories are the people who stopped to check in on the participants in those events to make sure they were where they wanted to be, doing what they wanted to be doing, and were capable of those decisions." But this defense speaks more to the nuances of consensual activity and individual morality than it does to overt sexism and illegal behavior.

I've been going to Defcon since 1995 and I too have never had a problem. But I've heard from a number of female and male attendees who say they've seen sexual harassment or experienced it firsthand. It's no wonder more women haven't complained because, as one friend put it, whining is not "hackerly." I don't think it's all that widespread, but I believe it does happen. I just think the tolerance level and manner of handling it varies from person to person.

There's also no question that Defcon isn't alone in this respect. For instance, a female blogger complained that the only women on the speaker's stage at SummerCon in New York in July were the professional burlesque dancers who were hired by the organizers to strip at an official conference event. "I don't consider burlesque to be inherently sexist, in fact often it is quite the opposite. My issue here is context, not content," writes "Amberella," who says she dances burlesque, but not at security conferences. "Putting sexy ladies on a pedestal to be stared at by a group of exclusively men creates an asymmetrical gender dynamic which is not appropriate for a quasi-industry, corporate sponsored event...The goal, to me, is simple: make everyone feel welcome."

Some have suggested that women hackers should just toughen up and learn to handle it. But telling women that the solution is to modify their response to abuse is crazy and will only make matters worse. The fact is, the best way to improve the demographics at Defcon and in the community and benefit the industry as a whole is not by blaming the victims, but giving women the same opportunities as men, including the chance to attend a conference without feeling hassled. Valerie Aurora writes in a post on The Ada Initiative blog:

"When you say, 'Women shouldn't go to Defcon if they don't like it,' you are saying that women shouldn't have all of the opportunities that come with attending Defcon: jobs, education, networking, book contracts, speaking opportunities -- or else should be willing to undergo sexual harassment and assault to get access to them. Is that really what you believe?"

The cards have brought up for scrutiny a host of activities that take place at Defcon and elsewhere that have been taken for granted and swept under the carpet. The problem might be greater for Defcon because of its Las Vegas-honed party atmosphere.

There should be no confusion about what distinguishes a lame pick-up attempt from harassment. The legal definitions for sexual harassment include bullying or coercion of a sexual nature, as well as "unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature," according to the U.S. Equal Employment Opportunity Commission. "Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex," the agency adds. As to the subtler distinctions of unwanted attention, basically if you are making someone feel uncomfortable, don't do it.

Part of the problem is a clash between two cultures -- hackers and feminists, according to hacker Raven Alder, who says she has been attending Defcon since 2001. "Most feminists, I think rightly, feel that hacker culture at conferences is pretty hostile," she wrote in a post to an e-mail list. "However, the feminist sphere's way of addressing these issues is tonally enraging for many hackers (Hackers often see this sort of feminism as hostile -- someone is telling us what to do!), and you get things like this card drama. Since women are a small percentage of the population at most hacker cons, something that simultaneously makes feminist women happy and enrages many hacker dudes is going to end in backlash."

I reached out to Defcon organizers to ask for comment but have not heard back yet. Defcon founder Jeff Moss has expressed support for the Card Project. In response to a tweet from KC about the cost of printing up the cards, Moss tweeted from his "@TheDarkTangent" account: "@KdotCdot Don't sweat the price, as long as it is reasonable I will pay for it. Love the idea."

This problem, even if you think it's not that widespread, is important enough to be taken seriously. We need more women represented in the security industry and alienating the few who attend the biggest, arguably most important, hacker conference in the world is not the way to achieve that.

I hope the Defcon organizers will adopt an anti-harassment policy and find a way to effectively get the message across that this behavior will not be tolerated. It's up to the rock stars and role models in the community to let everyone know that sexists suxxor.

Updated 4 p.m. PT to include Nous' correct hacker handle, which was not used on Reddit. She also clarified her position on the subject matter in an e-mail after this article was posted saying certain activities and behaviors are not appropriate for a technical conference and that the event has a system in place to deal with egregious actions. "The largest point of my post is that there *is* already a policy at DEF CON regarding harassment of any nature," she writes. "It is an unwritten policy. However, every (Defcon security) Goon is trained on it, and it *is* enforced. The fact that there are women who, for whatever reason, have been unable to avail themselves of the assistance that is in place to deal with situations perpetrated by random douchebags, who generally aren't part of our community, might indicate that additional outreach on this policy is warranted. It certainly does not justify the calls for a complete overhaul of our conference or our culture."