Already I have heard from a Colonial Pipeline PR firm in Washington DC about my blog post yesterday pondering an overt promotion of Bob Jones University in a press release supposedly about security.
I was told on the phone by Sara Sendek, Senior Director, Crisis Communications (and former Nevada communications director of the Republican National Committee, former press secretary of Ron Johnson), “you think someone is racist because they went to Bob Jones”.
This wasn’t a fair depiction of my thoughts, but it’s expected.
It’s like being told that I think something is vulnerable when I ask why it has Log4j in its manifest. What is the meaning of Log4j when you see it?
Seeing Log4j might not be proof today that someone is vulnerable, but the burden is upon those with Log4j to demonstrate they have closed gaps by being anti-vulnerability. Code is never completely free of vulnerabilities (e.g. it can be misleading to say something is not vulnerable), so we really just want to know whether someone is committed to fight against serious flaws, including in their own code.
Even more to the point, everyone treated Log4j differently before 2022, so any claims today from the past are colored by what we think now relative to safety.
I therefore actually think that someone has invited a burden of proof to demonstrate they are anti-racist when their Bob Jones degree from 2000 is being promoted by a PR firm; trying to get people to notice Bob Jones in a promotional piece invites integrity assessments.
Again, the question should always be not whether someone is racist or not, but whether they are anti-racist, as Ijeoma Oluo wrote in 2019:
The beauty of anti-racism is that you don’t have to pretend to be free of racism to be an anti-racist. Anti-racism is the commitment to fight racism wherever you find it, including in yourself. And it’s the only way forward.
Bob Jones University very clearly existed as an attack on integrity since it was created by racists to perpetuate racism. Bob Jones took their case all the way to the Supreme Court arguing that claims of “faith” should allow them to avoid fixing their obvious racism (in other words invoking “God” as a loophole to avoid compliance with U.S. public safety laws).
The PR firm representative said she had hoped to explain to me how a PR statement works so that I wouldn’t react to the meaning of the words used in it, to which I replied that my blog post asks why the obvious racist meaning to Bob Jones didn’t block it from being included in a release.
When I was told by the PR firm, in an unmistakable “that’s the way we do things around here” tone, that everyone has their academic background listed, I asked whether they gave the CISO an option to not list Bob Jones.
Would she release vulnerable code to production just because that has been the way things were done before?
Did the CISO consent to having this specific information shared?
She refused to answer.