I get a lot of emails from job recruiters that, even to this day, I’m not qualified for. They often ask for ridiculous requirements, like a Master’s Degree or Ph.D in Computer Science, for what would otherwise be a standard programming job without any particular specializations (e.g. cryptography, which I happen to specialize in).

One time I humored one of these opportunities for a PHP Developer position and was immediately told over the phone that my number of years of experience with PHP was too low, because I didn’t start working with it in 1996 like the rockstar developers on their payroll, but that they’d call me back if they had any “junior” openings in the future. Given that I was born in 1989 and didn’t have access to a computer until about Christmas 1999, I won’t even begin to pretend this is a reasonable ask.

In a lot of ways, I have it easy. I have enough experience with software development and security research under my belt to basically ignore the requirements that HR puts on job listings and still get an interview with most companies. (If you want a sense of what this looks like, look no further than rawr-x3dh or my teardown of security issues in Zed Shaw’s SRP library… which are both things I did somewhat casually for this blog.)

The irony is, I’m probably deeply overqualified for the majority of the jobs that come across my inbox, and I still don’t meet the HR requirements for the roles, and the people who are actually a good fit for it don’t have the same privilege as me.

So if the rules are made up and the points don’t matter, why do companies bother with these pointlessly harrowing job requirements?

The answer is simple: They’re being toxic gatekeepers, and we’re all worse off for it.

Toxic Gatekeeping

Gatekeeping is generally defined as “the activity of controlling, and usually limiting, general access to something” (source).

Gatekeeping doesn’t have to be toxic: Keeping children out of adult entertainment venues is certainly an example of gatekeeping, but it’s a damned good idea in that context.

In a similar vein, content moderation is a good thing, but necessarily involves some gatekeeping behaviors.

As with many things in life, toxicity is determined by the dose. I’ve previously posited that any group has a minimum gatekeeping threshold necessary for maintaining group identity (or in the example of keeping kids out of 18+ spaces, avoiding liability).

When the amount of gatekeeping exceeds the minimum, the excess is almost always toxic. To wit:

Toxic Gatekeeping in Tech

The technology industry is filled with entry-level gatekeepers. Sometimes this behavior floats up in the org chart, but it’s most often concentrated at neophytes.

In practice, toxic gatekeeping often employs arbitrary Purity Tests, stupid job requirements, and questionably legal hazing rituals. Conversations with toxic gatekeepers often–but not always–involve gratuitous use of No True Scotsman fallacies.

But what’s really happening here is actually sinister: Toxic gatekeepers in tech are people with internalized cognitive distortions that either affirm one’s sense of superiority or project their personal insecurities–if not both things.

This is almost always directed towards the end of excluding women, racial or religious minorities, LGBTQIA+ and neurodivergent people, and other vulnerable populations from the possibility at pursuing lucrative career prospects.

If you need a (rather poignant) example of the above, the gatekeeping behaviors against women in tech even apply to the forerunners of computer science:

If you’re still unconvinced, I have my own experiences I can tell you about; like that one time my blog’s domain was banned from the netsec subreddit because of other peoples’ toxicity.

That Time soatok.blog Was Banned from Reddit’s r/netsec Subreddit

Earlier this year, I thought I’d submit my post about encrypting directly with RSA being a bad idea to the network security subreddit–only to discover that my domain name had been banned from r/netsec.

Prior to this, I’d had some disagreements with other r/netsec moderators (i.e. @sanitybit, plus whoever answered my Reddit messages) about a lack of communication and transparency about their decisions, but there were no lingering issues.

A lot of the times when something I wrote ended up on their subreddit, I was not the person to submit it there. Usually this omission was intentional: If I didn’t submit it there, I didn’t feel it belonged on r/netsec (usually due to being insufficiently technical).

The comments I received were often hostile non sequitur about being a furry. This general misconduct isn’t unique to r/netsec; I’ve received similar comments on my Lobste.rs submissions, which forced the sysop’s hand into telling people to stop being dumb and terrible.

The hostility was previously severe enough to get noticed by the r/SubredditDrama subreddit (and, despite what you might think of drama-oriented forums, most of the comments there were surprisingly non-shitty towards me or furries in general).

So was my domain name banned by a r/netsec moderator because other people kept being shitty in the comments whenever someone submitted one of my blog posts there?

It turns out: Yes. This was later confirmed to me by a r/netsec moderator via Twitter DM.

As I had said publicly on Twitter and reiterated in the DM conversation above: I had already decided I would not return to r/netsec in light of this rogue moderator’s misconduct.

Trust is a funny thing: It’s easy to lose and hard to gain. Once trust has been lost, it’s often impossible to recover it. Security professionals should understand this better than anyone else, given our tendency to deal with matters of risk and trust.

What Could They Have Done Better?

Several things! Many of which are really obvious!

1. Communicating with me. If nothing else, they could have told me they were banning my domain name from their subreddit and given a reason why.
   • Maybe there was some weird goal in mind?
     (E.g. to stop people from submitting posts on my behalf, since I had made it clear that I’d intentionally not share stuff there if I didn’t think it belonged.)
   • I’ll never know, because nobody told me anything.
2. Communicating with each other. I mean, this is just a matter of showing respect to your fellow moderators. It’s astonishing that this didn’t happen.
3. Taking steps to protect members of vulnerable populations from the kinds of shitheads that make Reddit a miserable experience.
   • For example: If someone’s previously been a target of bigotry, have auto-moderator prune all comments not from the OP or Trusted Contributors–and if any TCs violate the mods’ trust, revoke their TC status.

Since then, I’ve been informed that they implemented my suggestion to prevent themselves from having to suffer through a bunch of negative vitriol.

Truthfully, I still haven’t decided if I want to give r/netsec another chance.

On the one paw: The moderators really burned a lot of trust with me and I expect security professionals to fucking know better.

On the other: Representation matters, and removing myself from their community gives the bigots that caused the trouble in the first place a Pyrrhic victory.

I wish I could put a happy ending on this tale, but life doesn’t work that way most of the time.

If you’re looking for non-toxic subreddits, r/crypto is always a pleasant community. I also contribute a lot to r/furrydiscuss.

When to Be a Gatekeeper

If someone is a threat to the safety or well-being of your group, you should exclude them from your group.

In the furry community, we had a person that owned a widely-used costume making business get outed for a lot of abusive actions. Their response was to try to file a SLAPP suit against some unrelated person that merely linked to the victims’ statements on Twitter.

In these corner-case situations, be a gatekeeper!

But generally, it’s not warranted. Gatekeeping compounds systemic harms and makes it harder for newcomers to join a community or industry.

Gatekeeping hurts women. Gatekeeping Hurts LGBTQIA+ folks. Gatekeeping hurts non-white people. Gatekeeping hurts the neurodivergent.

But if that’s not enough of a reason to avoid it: Gatekeeping hurts straight white males too!

Newcomers who aren’t narcissists almost always experience some degree of Impostor Syndrome. If you apply the gatekeeping behaviors we’ve discussed previously, you’re going to totally exacerbate the situation.

People will quit. People will burn out.

The only people who stand to gain anything from gatekeeping are the survivors who made it through the gate. If the survivors are insecure or arrogant, the vicious cycle continues.

So why don’t we simply…not perpetuate it?

There’s an old saying that’s popular in punk and anarchist circles: “No gods, no masters.” I think the correct attitude to have regarding gatekeeping is analogous to the spirit of this saying.

#NoGatesNoKeepers

The excellent artwork used in the blog header was made by Wolfool.