optiopay / klar

Integration of Clair and Docker Registry
MIT License

Change whitelist and blacklist terms #171

Open NicoleSchwartz opened 4 years ago

NicoleSchwartz commented 4 years ago

Hello!

Although whitelist and blacklist are currently common terms, these terms are hurtful to some people. I'd like to propose a change to the equally descriptive terms Allowlist and Denylist - see other projects changing here: https://github.com/rails/rails/issues/33677

It could be done as a deprecation where for an (extended) period of time both terms could be used (a mapping) until a specific version/date where only the new terms would work.

NicoleSchwartz commented 4 years ago

@blacklistisnotracist - A few months ago, an NCSC customer contacted me to ask if we would consider making a small but significant change to some of the wording we use on the NCSC website. When she asked the question, I immediately smacked myself in the head for not thinking of it a long time ago. And I was really glad to say: yes, we will make this change straight away, and I'm sorry you had to come and ask us to do it.

It's fairly common to say whitelisting and blacklisting to describe desirable and undesirable things in cyber security. For instance, when talking about which applications you will allow or deny on your corporate network; or deciding which bad passwords you want your users not to be able to use.

However, there's an issue with the terminology. It only makes sense if you equate white with 'good, permitted, safe' and black with 'bad, dangerous, forbidden'. There are some obvious problems with this. So in the name of helping to stamp out racism in cyber security, we will avoid this casually pejorative wording on our website in the future. No, it's not the biggest issue in the world - but to borrow a slogan from elsewhere: every little helps.

You may not see why this matters. If you're not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making. From now on, the NCSC will use 'allow list' and 'deny list' in place of 'whitelist' and 'blacklist' on our website. Which, in fact, is clearer and less ambiguous. So as well as being more inclusive of all, this is a net benefit to our web content. We are editing our guidance across the website to update the terms, but if you do spot any in the meantime then please do contact us.

I hope that if you're seeking to make this, or similar changes in your own organisation, this blog post helps you to convince people around you that it's worth doing. And finally, a word from the NCSC's Technical Director Ian Levy (supported by the full NCSC Management Board): "If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother."

Emma W Head of Advice and Guidance, NCSC https://www.ncsc.gov.uk/blog-post/terminology-its-not-black-and-white

NicoleSchwartz commented 4 years ago

@blacklistisnotracist a) I watched the video; b) I am Native American; c) yes, if my product used terminology or coloring which discouraged a group of people from using it (for example bad color combinations for those who are color blind), yes, I would change it. Denylist / Blocklist are equally as descriptive and useful terms and easy to use.

NicoleSchwartz commented 4 years ago

Our terminology is based upon the behavior/functionality of the code - a whitelist is a list of items that are allowed. A blacklist is a list of items that are to be denied. Simplicity. Call the terms what they are. The true functionality in the specific case is not linked to that of a colour, or the presence or absence of light.

Since there are alternate terms that are more descriptive and direct, we should remove the use of terms that cause hurt to others and are less descriptive and direct.

Allow and deny are more descriptive. You also have then the side benefits of non-techies and users of other languages understanding what it actually does without having to look up or interpret the terminology.

https://www.lifehack.org/articles/communication/common-words-use-that-hurt-others.html - what you are saying by proxy is that you don't respect the diversity and inclusion of others by your words and actions. All members of a group need not be harmed by a term for that term to be offensive and worth consideration of change.

NicoleSchwartz commented 4 years ago

@blacklistisnotracist, avoiding the strawman arguments:

  1. "Redskin" is actually considered offensive and is being removed, so in instances where people have taken offense some action is being taken. No one is taking issue with the word "black"; this is where the strawman starts. It's specifically "blacklist".

I am not striving to remove all occurrences, just specific occurrences.

  2. Having seen your GitHub history, I will summarize it as: we shall have to agree to disagree, as many more people have discussed this with you with varying sources and you don't seem inclined to change.

As you have concurred that the overall change, but not the reasoning, is for the better, I am now working with some programmers to try and create PRs to make the changes, and from there shall see how it goes within the project.

Ro0t-OS commented 4 years ago

@blacklistisnotracist I get what you're trying to say, I really do, but I don't think you really get it. I, as a conscious black female red teamer, get really annoyed by the way some syntax in infosec has been 'developed'. We, as black ethical hackers, historically didn't have a say and kind of still don't. What's being discussed here is specific to the terms blacklist and whitelist. Not yellow and every other color you're trying to bring in (that's being very 'all-lives/colors-matter-ish'). I'm not sure if you know this, but the InfoSec/Developer field has been predominantly white males historically and still is today, sadly. Being that a lot of tech terms were developed by white men with unconscious/conscious biases, I'm not surprised in the least that they didn't come up with SilverList or TurquoiseList. I understand not wanting to change something because of how it's always been, but that's simply not an excuse to not make our syntax systems better (as we do with our code/tools) and have some real conversations around it. It's really not that difficult. Based on the conversation above, it appears you're very passive in your counter arguments. Also, not all words are offensive. You stated that people can get offended by any words. You should be more precise in saying that people get offended by flat out ignorant/stereotypical words that have been used historically to hurt a group of people. This really isn't that hard to grasp in my opinion/experience as a black woman. Lastly, white people aren't the only ones that claim this. Do you speak for the whole white race or something? If so, y'all need to sit and have some unconscious bias training. I've definitely heard from other black people in the ethical hacking space about infosec's usage of some of the words. Not all. So in conclusion, critical thinking is not limited to what we've been taught or believe. It also applies to 'what could be'. Growth of the mind and growth of the systems/infosec/dev field is a choice.
Those that fight against change and growth will merely be in conflict with themselves and continue thriving in their echo chambers. Do better.

Ro0t-OS commented 4 years ago

@blacklistisnotracist Yikes... you legit don't get it and aren't aware that you don't get it. This is where I stop. You can't speak with a closed mind or wall. Best of luck with your continued success (?) in showing you don't get it.