Tuesday, December 29, 2015

Security reminds me of the gym on January 2

If you have any sort of gym membership you dread the month of January. Every year, countless people make a resolution to get in shape, so the gym is flooded for much of January. I'm in favor of everyone staying in shape and having a gym membership; my point isn't that the n00bs are annoying. The point of this story is how few people stick around. Most give up, because doing nothing is often easier than doing something.

What does this have to do with security?

The parallel here worries me. Let's use Heartbleed for our context.

After Heartbleed (January 1), everyone was talking about security. It was super important and everyone wanted more of it (flooding the gym). After a while (February) most people stopped obsessing over security; a few stuck around, most didn't. As a species we're not really doing any better now than we were before Heartbleed. You could make some arguments, but it's a rounding error at best.

The real issue is that this is how humans work. We love running to whatever is popular, pretending we always knew it was cool, and watching for the next hip thing to pop up so we can latch on to it.

Our current security problems aren't technology problems, they are human problems. We have to assume we can't change human nature. The vast majority of people will never take security seriously. They know it's important, they might even want to do it right, but at the end of the day they're not going to do anything about it.

The only solution is to make secure the default option.

This is probably harder than changing human nature.

Can this problem actually be fixed? I'm not sure. I need to think about it. I don't want to say no, but my crystal ball is pretty fuzzy here. There are a lot of weird problems all tied together in bizarre ways. I'm always happy to listen to new ideas, let me know if you have any. The more I learn the less I know seems to be the only constant.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, December 21, 2015

A Christmas Cyber

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy.

"Merry Christmas Bob!" said Alice. "Bah humbug!" was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened the door to the server room he noticed the door knocker looked like Mallory, which was odd as the server room door didn't have a knocker. A closer inspection led Bob to believe his mind was playing tricks on him.

Bob sat down at the terminal and heard the door slam shut. This is of course impossible as the door has a slow closer on it so this sort of thing couldn't happen. As Bob peeked around the side of the terminal he saw the ghost of Mallory.

"How now!" said Bob, "What do you want with me?"

"Much!" said Mallory.

"Tonight you will be visited by 3 spirits, they will guide you in hopes that you can avoid my path."

Mallory walked backwards, hit his head on the door, fell down, then stood up, looked around, and snuck out as best as one can after running into a door and falling down.

"Still an idiot" thought Bob. "I can't imagine any of this is real."

Cyber Past

Later that night while reading Alice's mail instead of checking the IDS logs, Bob heard a sound that made him look up quickly. There standing before him was a woman with a ghostly appearance.

"I am the ghost of cyber past" whispered the spirit. "The ... what, wait, what? This stupid thing is real?" "I'm here to show you how you used to be, the shadows of things that once were."

Instantly Bob was transported to the server room ten years ago. He was speaking with the lead architect about how to secure the infrastructure.

"I remember him" recalled Bob. "He should have been fired for incompetence." "You weren't always like this" said the spirit. "You once had hope you could change things and help them." "Well, I was a foolish youth, these people are beyond help now" said Bob.

The Spirit gazed at the youthful Bob. "We should create a security policy that will help keep the network secure, it's important not to get in the way too much, I have no doubt we can do this if we work together!"

Just then the scene faded and they were returned to the server room of today, a drab place that had no joy or good ideas anywhere you looked.

"Sigh, there are going to be two more of these bozos who come tonight I suppose. I probably won't get anything done. This will be worse than end of quarter."

Cyber Present

The clock struck one, which was odd given there isn't a clock in the server room. "Now why is that even needed" yelled Bob.

Bob looked up and saw another Spirit. "You're the one who will show me nobody likes me right!" The spirit looked at him and sighed. "This is why nobody likes you Bob, let's go."

The first stop was a party where Alice was talking to some friends. "Then he actually said bah humbug. I mean, who even does that. The guy is totally mental." Bob shouted "It's not like you're any better!" "She can't hear you" said the Spirit. Bob grumbled something foul to himself.

"I had hoped to show you more, but this is the only person I could find who even talked about you, seriously Bob, you need to be nicer to, well, anyone."

The scene changed to Bob's apartment. It was a disheveled room with clutter everywhere. The computer chair was the only place that didn't have a mess on it. "I have friends in World of Warcraft!" "That's a lie and you know it!" said the Spirit. "They kicked you out of the guild because you treat them all horribly."

"Really Bob, I've been doing this a long time, you're without a doubt the most unlikable person I've seen, you need to be nicer." "Maybe if they were nice to me!" "It really doesn't work that way. Stop being such a jerk." Bob looked at the Spirit "Aren't you supposed to be all mysterious and not tell me what to do?" "I've made an exception. Also, clean up this dump when you get home."

With that the room vanished and Bob was again in the server room.

"What a waste of time" he sighed. "That guy was dumber than the people I have to work with."


Cyber Future

The last Spirit was waiting for Bob as soon as he arrived. "This one is supposed to scare me" thought Bob. He looked up and saw one of his sales reps. "Oh FOR ..." "Hi Bob, shall we get going?" "I always knew there was something up with you, you actually are the devil!" "Spirit Bob, I'm a spirit." "Oh whatever, look, I'm busy, can we just assume you show me a terrible future so I can finish up?"

"No."

The server room was suddenly much brighter; it was clearly daytime at some point in the future. There were two people talking. "Will you miss him?" said the first person. Bob didn't recognize them. "Absolutely not" said the second person. "That guy was horrible. Nobody liked him. I'm amazed it took so long to fire him, what a pain." "You can't just be a tyrant. Security is important, we need someone who can help, not just tell us 'no' anytime a question is asked." "Hah, that's true, all Bob ever did was say no and yell. Thank goodness they fired him."

"They fire me?" asked Bob. "They had no choice" said the Spirit. "You weren't actually helping, you just made problems worse really. Remember, this is but the future that could be if you don't change your ways. There is still hope for you Bob, you can make things better instead of just being part of the problem. Tonight was all about showing you the error of your ways so you can become the security person you once thought you could be. The security person the world needs. It's important. It's time to go now, you've seen enough. I'll call you on Monday, I think your firewall is out of compliance."

With that the server room scene changed back to the present, it was dark outside and Bob was alone in the room. He shivered, it was suddenly chilly.

Bob took a deep breath, what a night. He looked up at the clock; it was almost time to head home. The future Bob saw made him nervous. "That's not how I want to go out, I'm smart enough to make things right" he thought. Bob leaned back in his chair. After thinking about what to do, Bob decided he had to change things. That's not the future he wanted; he had to build a new future. A great future, a future he deserved!

Bob grinned, grabbed a scrap of paper and started writing something down. He taped it to the door. The note read "Merry Christmas everyone, Love Bob."

"This will be a Christmas to remember" Bob said out loud.

He then shut off the power to the whole server room and left. His phone started ringing immediately and he ignored it as he walked to his car. "Nobody fires me!" he thought to himself. "I wonder if the guild will let me back in?"

Monday, December 14, 2015

Security is the new paperless office!

If you're old enough, you remember reading a lot about the coming "paperless office". It never came, but there are parallels we can draw to our current security problems.

Back in the 90's, everyone wanted a paperless office. It sounded neat, and with the future coming, who would need paper with all the flying cars and hoverboards! It turns out paper didn't go away. Everyone keeps talking about how security is the most important thing ever; investing in the paperless office was once the most important thing ever too.

Stage 1: Magic!

This is where security is today. Everyone knows it's neat, but nobody knows what to really do. Well some people know, but nobody listens to them. Instead we want a magic solution that will fix everything. Most of it doesn't work but who cares, it's magic, shut up and take my money!

The paperless office had tons of bizarre things, from magic scanners to document systems to things that almost looked like a tablet to store all your paper. None of those things really worked well, and they weren't purchased by a lot of people. Anyone who owned an early Palm Pilot probably remembers how just keeping the thing working took at least double the time a paper book consumed. That doesn't even count the odd writing style you had to use; I'm having flashbacks just thinking about it.

Back in those days most companies had rooms to store the documents. They generally had a lock that was never locked, and most of the documents got filed away and were never looked at again. The amount of wasted paper and floor space was crazy. If there was a fire, everything got lost. The reasons to get your data out of those rooms were pretty obvious, just as the reasons to protect that data today are obvious. How to actually do these things is not.

Stage 2: There is no stage 2

The thing is, there was never some mega event that ushered in the paperless office, and there will probably never be a paperless office. What actually happened, and is still happening, is a lot of incremental change over the course of decades that brought us to where we are today. I wouldn't say we're anywhere near paperless, but we will continue to approach zero. Some things make life a lot nicer, and things seem to keep getting better.

Most companies don't have massive document rooms anymore, they store much of that paperwork on a server somewhere. A decent system can tell you exactly who viewed what, when, and why. We do this because it's better in almost every way, but it took a long time to work out how everything fits together. I never print out maps or travel information anymore, it's all on my phone. I don't keep receipts, I just scan them. A lot of HR documents are filled out through a web browser. I pay many bills through a web browser.

There are still people who claim, with nostalgic glee, that paper is better. There are plenty of crazy arguments about why paper is better. These people aren't worried about utility though; their view of reality isn't based on the utility of something, they just like things the way they are. More on this person later; we all know one, keep them in mind.

None of these paperless changes happened quickly or with much fanfare. It was just the slow march of progress. Security is happening the same way. There isn't going to be a singular giant event that changes everything, there will be lots of little ones. Over the course of the next decade some people will continue to make incremental improvements. Things will get better one step at a time. Security today is better than it was ten years ago, it's still bad, but it is better.

Here's the catch though. A lot of security people today are actually fighting change. It's not the way they would have done it, and instead of helping they like to complain about how nothing will work. They are going to be the people in ten years talking about how much better life was when everything was on paper in a giant warehouse. Those trees had it coming!

Stage 3: Wait, but there was no stage 2 ...

So the question now is what can we do? The question of how to fix all this mess keeps coming up over and over again. Nobody can answer it; some people don't even understand the question. If you consider yourself a security person, just start helping. Be patient, answer questions, give good advice. As everyone learns new lessons things will improve. There isn't one fix. Regulation won't fix anything, huge corporations won't fix anything, insurance won't fix anything. Everything will slowly fix itself. The best we can do is try to go from slowest to slower.

There is a bigger issue: are the bad guys moving faster than us? I think today they are. Whether that will ever change is a debate for a different day.

The world is going to deal with these problems, if the experts help it will go a lot smoother, if they don't we'll still get there, it just takes longer. Don't be the guy who wishes for the good old days. Figure out how to help.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, December 7, 2015

Security lacks patience

I had a meeting with some non-security people to discuss some of the challenges around security. It's a rather popular topic these days, but nobody knows what it means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant; the most important thing that came out of this meeting was someone pointing out that, as a group, we are impatient.

I sort of knew this, but I wouldn't have listed this in the top 10 of "what's wrong with us".

What does it mean to be impatient? We don't listen as well as we should. We get tired of having to explain the same thing over and over again. We don't like to talk to someone who knows less than us (which is everyone). There are plenty of other examples, I'm not going to dwell on them though. It's likely many of us have no idea we're impatient.

I think the most important aspect of this though is how we deal with new ideas. In almost every instance of someone proposing a new idea, we rarely talk to them about it; we spend the time telling them why they're wrong. There is nothing security people like to do more than tell someone why they're wrong. Being technically correct is the best kind of correct!

I was at a working group recently where a number of people suggested new ideas. In almost every case the majority of the time was spent explaining to them why their ideas were stupid and would never work. This isn't a good use of time. It's the help or shut up concept. We're not patient, we don't want to engage, we just want to prove why we're right and get back to doing nothing. Don't be this person; if you don't have constructive feedback, listen instead of talking. Bad ideas generally self destruct during discussion, and discussion makes good ideas great.

Has bluntly telling someone their idea is stupid ever actually worked? I bet in almost every instance they double down and never will listen to you again. This is how bad ideas become bad projects.

How do I be more patient?

Being more patient isn't all that hard in theory, but it's really hard if you're used to proving everyone wrong all the time. You just have to learn to listen. It sounds simple but for most security people it's going to be really hard, one of the hardest things you'll ever do. Let's cover some examples.

A new way to classify security flaws is proposed, you think it's dumb. Do you
  1. Tell them why they're wrong
  2. Argue over why your way is better (even though you don't really have a way)
  3. Sit there and listen, even though it feels like your insides want to jump out and start yelling
The correct answer is #3. It's really hard to listen to someone else speak if you think they're wrong. There are few feelings of satisfaction like completely destroying someone's idea because it wasn't thought all the way through. This is why nobody likes you.

You find a remote execution flaw in some code a coworker wrote. Do you
  1. Make sure everyone knows they did this and push to revoke their git access
  2. Tell them how stupid they are and demand they fix the problem without any help
  3. Teach them how to fix the problem, listening to what they say while they're trying to learn
#1 and #2 are pretty much the way things work today. It's sort of sad when you really think about it.

If you just sit and listen, people will talk. Most people don't like silence. If you say nothing, they will say something. In the above example, the person you listen to will start to talk about why they did what they did. That will give you what you need to teach them what they need to know. This is how you gain wisdom. We are smart, we are not wise.

Listening is powerful. Patience is listening. Next time you're talking to someone, no matter what the topic is, just sit and listen. Make a point not to speak. You'll learn things you never dreamt of, and you'll build trust. Listening is more powerful than talking, every time.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, November 30, 2015

Where is the physical trust boundary?

There's a story of a toothbrush security advisory making the rounds.

This advisory is pretty funny, but it matters. The actual issue with the toothbrush isn't a huge deal; an attacker isn't going to do anything exciting with the problems. The interesting issue is that this is the start of many problems like it that we're going to see.

Today some engineers built a clever toothbrush. Tomorrow they're going to build new things, different things. Security will matter for some of them. It won't matter for most of them.

Boundaries of trust


Today when we try to decide if something is a security issue we like to ask the question "Does this cross a trust boundary?" If it does, it's probably a security issue. If no trust boundary is crossed, it's probably not an issue. There are of course lots of corner cases and nuance, but we can generally apply the rule.

Think of it this way. If a user can delete their own files, that's not crossing a trust boundary, that's just doing something silly. If a user can delete someone else's files, that's not good.
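To make that boundary concrete, here is an added example of a file-deletion handler that treats the user's home directory as the trust boundary. This is my code, not something from the original post; the directory layout, file names and requests are constructed for the demo, and the check itself is the ordinary realpath-plus-commonpath containment test. Deleting your own file passes; reaching for someone else's file by traversal, by absolute path, or through a symlink planted in your own directory is refused, which is exactly the "someone else's files" case above.

```python
import os
import tempfile


def resolve_in_home(home: str, requested: str) -> str:
    """Resolve `requested` relative to `home` and confirm it stays inside it.

    The home directory is the trust boundary in this example (an assumption
    for the demo; a real system might also compare st_uid). Raises
    PermissionError when the resolved path escapes the home directory.
    """
    home_real = os.path.realpath(home)
    # realpath collapses "..", and follows symlinks, so a link inside the
    # home that points outside is resolved to its real location first.
    target = os.path.realpath(os.path.join(home_real, requested))
    # commonpath is the containment check; a plain startswith() would let
    # /home/alice-backup pass as being inside /home/alice.
    if os.path.commonpath([home_real, target]) != home_real:
        raise PermissionError(f"{requested!r} resolves outside {home}")
    return target


def delete_own_file(home: str, requested: str) -> bool:
    """Delete a file the user owns; refuse anything outside their home."""
    target = resolve_in_home(home, requested)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def _attempt(home: str, requested: str) -> str:
    try:
        delete_own_file(home, requested)
        return "deleted"
    except PermissionError:
        return "refused"


def demo() -> dict:
    """Constructed scenario: alice and bob each have one file.

    Returns what happened to each request alice makes.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        alice = os.path.join(root, "alice")
        bob = os.path.join(root, "bob")
        for d in (alice, bob):
            os.makedirs(d)
            with open(os.path.join(d, "notes.txt"), "w") as fh:
                fh.write("constructed sample\n")

        # Alice deleting her own file: same side of the boundary, allowed.
        results["own"] = delete_own_file(alice, "notes.txt")

        # Traversal to Bob's file: crosses the boundary.
        results["traversal"] = _attempt(alice, "../bob/notes.txt")

        # Absolute path: os.path.join discards `home`, realpath still catches it.
        results["absolute"] = _attempt(alice, os.path.join(bob, "notes.txt"))

        # Symlink inside Alice's home pointing at Bob's file.
        try:
            os.symlink(os.path.join(bob, "notes.txt"), os.path.join(alice, "link"))
            results["symlink"] = _attempt(alice, "link")
        except (OSError, NotImplementedError):  # no symlink support on this platform
            results["symlink"] = "skipped"

        results["bob_file_survives"] = os.path.exists(os.path.join(bob, "notes.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the three refused cases is that the boundary is decided on the resolved path, not on the string the user supplied; checking the raw request would miss the symlink case entirely.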

This starts to get weird when we think about real things though.

Boundaries of physical trust?


What happens in the physical world? What counts as a trust boundary? In the toothbrush example above an attacker could learn how someone is using a toothbrush. That technically crosses a trust boundary (an attacker gains data they're not supposed to have), but let's face it, it's not a big deal. If your credit card number was also included in the data, sure, no question there.

Even so, we're talking about data that isn't exciting. You can make an argument about tracking a user over time and across devices; let's not go there right now. Let's keep the thinking small and contained.

Where do we draw the line?


If we think about physical devices, what are our lines? The concept of a trust boundary alone doesn't really work here. I can think of three lines, all of which are important, but not equally important.
  1. Safety
  2. Harm
  3. Annoyance

Safety

When I say safety I'm thinking about a device that could literally kill a person: disabling the brakes on a car, making a toaster start a fire. Catastrophic events. I don't think anyone would ever claim this class of issues isn't a problem. They are serious, and I would expect any vendor to take them very seriously.

Harm

Harm would be where someone or something can be hurt, but nothing catastrophic. Think a small burn, or a scrape. Perhaps making someone fall off a scooter, or burn themselves with a device. We could argue this category for a while; the line between harm and catastrophe will get fuzzy. Some vendors will be less willing to deal with these, but I bet most get fixed quickly.

Annoyance

Annoyance is where things are going to get out of hand. This is where the toothbrush advisory lives. In the case of a toothbrush it's not going to be a huge deal. Should the vendor fix it? Probably. Should you get a new toothbrush over it? Probably not.

The nuance will be which annoying problems deserve fixes and which don't. Some of these problems could cost you money. What if an attacker can turn up your thermostat so your furnace runs constantly? Now we have an issue that costs real money. What if your 3D printer ruins a spool of filament? What if the oven burns the Christmas goose?

Where is our trust boundary in the world of annoying problems? You can't just draw the line at money and goods. What happens if you can ring a person's door bell and they have to keep getting up to check the door? Things start to get really weird.

Do you think a consumer will be willing to spend an extra $10 for "better security"? I doubt it. In the event a device will harm or kill a person, there are government agencies to step in and stop such products. There are no agencies for leaking data, and even if there were they would have limited resources. Compare "annoyance security" to all the products sold today that don't actually work: who is policing those?

As of right now our future is going to be one where everything is connected to the Internet, none of it is secure, and nobody cares.

Join the conversation, hit me up on twitter, I'm @joshbressers

Friday, November 20, 2015

If your outcome is perfect or nothing, nothing always wins

This tweet
https://twitter.com/RichFelker/status/666325066838339584

Led to this thread
http://marc.info/?t=144778171800001&r=1&w=2

The short version is that some developers from Red Hat are working on gcc changes intended to prevent ROP-style attacks. More than one person has accused this work of being pointless and a waste of time. It's not; the waste of time is arguing about why trying new things is dumb.

Here's the important thing security people always screw up.

The only waste of time is if you do nothing and complain about the people who are doing something.

It is possible the ROP work won't end up preventing anything. If so, the absolute worst outcome is that a lesson gets learned. It's all too easy in the security space to act like this: if it's not perfect, you can argue it's bad. It's a common trait of a dysfunctional group.

The one place that attitude is warranted is crypto: never invent your own crypto algorithm.

But in the context of humanity, this is how progress happens. First someone has an idea. It might be a terrible idea, but they work on it, then they get help, the people helping expand and change the idea, and eventually, after people work together, the result is greater than what anyone started with. Or if it's a bad idea, it goes nowhere. Failure only exists if you learn nothing.

This isn't how security has worked, it's probably why everything seems so broken. The problem isn't the normal people, it's the security people. Here's how a normal security idea happens:
  1. Idea
  2. YOUR IDEA IS STUPID YOU'RE WASTING YOUR TIME AND YOU'RE STUPID!!!
  3. Give up
That's madness.

From now on, if someone has an idea and you think it's silly, say nothing. Just sit and watch. If you're right it will light on fire and you can run around giving hi5s. It probably won't though. If someone starts something, and others come to help, it's going to grow into something, or they'll fail and learn something. This is how humans learn and get better. It's how open source works, it's why open source won. It's why security is losing.

The current happy ending to the ROP thread is it's going to continue, the naysayers seem to have calmed down for now. I was a bit worried for a while I'll admit. I have no doubt they'll be back though.

Help or shut up. That is all.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, November 16, 2015

Your containers were built in some guy's barn!

Today containers are a bit like how cars used to work a long long long time ago. You couldn't really buy a car, you had to build it yourself or find someone who could build one for you in their barn. The parts were terrible and things would break all the time. It probably ran on steam or was pulled by a horse.

Containers aren't magic. Well, they are for most people. Almost all technology is basically magic for almost everyone. There are some who understand it, but generally speaking, it's complicated. People know enough to get by, which is fine, but that also means you have to trust your supplier. Your car is probably magic to you. You put gas in a hole in the back, then you can press buttons, push pedals, and turn wheels to transport you places. I'm sure a lot of people at this point are running through the basics of how cars work in their heads to reassure themselves it's not magic and they know what's going on!

They're magic, unless you own an engine hoist (and know how to use it).

Now let's think about containers in this context. For the vast majority of container users, they get a file from somewhere, it's full of stuff that doesn't make a lot of sense. Then they run some commands they found on the internet, then some magic happens, then they repeat this twiddling things here and there until on try 47 they have a working container.

It's easy to say it doesn't matter where the container content came from, who wrote the Dockerfile, or what happens at build time. It's easy because we're still very early in the life of this technology. Most things are still fresh enough that security can squeak by. Most technology is fresh enough that you don't have to worry about API or ABI issues. Most technology is new enough that it mostly works.

Except even with as new as this technology is, we are starting to see reports of how many security flaws exist in Docker images. This will only get worse, not better, if nothing changes. Almost nobody is paying attention; containers mean we don't have to care about this stuff, right!? We're at a point where we have guys building cars in their barns. Would you trust your family in a car built in some guy's barn? No, you want a car built with good parts that has been safety tested. Your containers are being built in some guy's barn.

If nothing changes, imagine what the future will look like. What if we had had containers in 1995? There would still be people deploying Windows 95 in a container and putting it on the Internet. In 20 years, containers we build today will still be deployed. Imagine still seeing Heartbleed in 20 years if nothing changes; the thought is horrifying.

Of course I'm a bit overdramatic about all this, but the basic premise is sound. You have to understand what your container bits are. Make sure your supplier can support them. Make sure your supplier knows what they're shipping. Demand containers built with high quality parts, not pieces of old tractors found in some barn. We need secure software supply chains; only a few places are doing it today, so start asking questions and paying attention.
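As an added example of "understanding what your container bits are" (my code, not from the original post or from any project), here is a small Dockerfile checker that flags the bits most likely to have come from the barn: base images not pinned by digest or riding a floating tag, remote scripts piped straight into a shell, plaintext HTTP fetches, and ADD from a URL, which downloads with no checksum. The Dockerfile it scans is constructed for the demo and the rule names are my own; it joins backslash continuations but does not try to parse every Dockerfile feature.

```python
import re
from typing import Iterator, List, Tuple

# Constructed Dockerfile for the demo; it is not from any real project.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest AS build
RUN apt-get update && apt-get install -y curl
RUN curl -sSL http://example.invalid/install.sh | sh
ADD http://example.invalid/tool.tar.gz /opt/tool.tar.gz
COPY app/ /app/
FROM registry.example.invalid:5000/nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# "curl ... | sh", "wget ... | sudo bash", etc.: whatever the server sent runs.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
PLAINTEXT_URL = re.compile(r"\bhttp://")


def image_tag(ref: str) -> str:
    """Tag of an image reference, or 'latest' when none is given.

    The registry part may carry a port (host:5000/img), so only the last
    path element is inspected for a tag.
    """
    last = ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, instruction text) with '\\' continuations joined."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf = []
    if buf:
        yield start, " ".join(buf).strip()


def lint_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            ref = args.split()[0]  # drop any "AS stage" suffix
            if "@sha256:" in ref:
                continue  # pinned by digest: the content cannot change under you
            if image_tag(ref) == "latest":
                findings.append((lineno, "FROM_FLOATING",
                                 f"base image {ref} uses a floating tag; its contents change between builds"))
            else:
                findings.append((lineno, "FROM_NO_DIGEST",
                                 f"base image {ref} is tagged but not pinned by digest"))
        elif instr == "RUN":
            if PIPE_TO_SHELL.search(args):
                findings.append((lineno, "PIPE_TO_SHELL",
                                 "remote script piped straight into a shell, nothing verified"))
            if PLAINTEXT_URL.search(args):
                findings.append((lineno, "PLAINTEXT_HTTP", "fetch over plaintext HTTP"))
        elif instr == "ADD":
            src = args.split()[0]
            if src.startswith(("http://", "https://")):
                findings.append((lineno, "ADD_REMOTE",
                                 "ADD from a URL has no checksum; download and verify in a RUN step instead"))
            if PLAINTEXT_URL.search(src):
                findings.append((lineno, "PLAINTEXT_HTTP", "fetch over plaintext HTTP"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {rule}: {message}")
```

Each finding is a place where the build output depends on something the person running it has not verified. Pinning the base image by digest and replacing the pipe-to-shell with a download plus checksum comparison makes the image reproducible and tells you what actually went into it.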

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, November 10, 2015

Is the Linux ransomware the first of many?

If you pay any attention to the news, you've no doubt seen the story of the Linux ransomware that's making the rounds. Much has been said about its technical merits, but there are two things I keep wondering.

Is this a singular incident, or the first of many?

You could argue this either way. It might be a one off blip, it might be the first of more to come. We shouldn't start to get worked up just yet. If there's another one of these before the year ends I'm going to stock up on coffee for the impending long nights.

Why now?

Why are we seeing this now? Linux and Apache have been running a lot of web servers for a very long time. Is there something different now that wasn't there before? Unpatched software isn't new. Ransomware is sort of new. Drive-by attacks aren't new. What is new is the amount of attention this thing is getting.

It helps that the author made a mistake, so the technical analysis is more interesting than it would be otherwise. I wonder if this would have been nearly as exciting without that.

If this is the first of many, 2016 could be a long year. Let's hope it's an anomaly.

Join the conversation, hit me up on twitter, I'm @joshbressers

You don't have Nixon to kick around any more!

There has been a bit of noise lately around some groups not taking security as seriously as they should. Or maybe it's the security folks don't think they take it as seriously as they should. Someday there is going to be a security mushroom cloud! When there is, you won't have Nixon Security to kick around anymore!

Does it matter?

I keep thinking about people who predict the end of the world, there hasn't been one of these in a while now. The joke is always "someday they'll be right".

We're a bit like this when it comes to computer security. The security guys have been saying for a very long time "someday you'll wish you listened to us!" I'm not sure this will even happen though. There will be localized events of course, but I doubt there will be one singular thing, it'll likely be a long slow burn.

The future won't be packetized.

The world is different now. I don't think there will be some huge changing event, and the reason is the very thing we think will cause one. Open source won, but that doesn't mean security wins next; it means security wins never.

Will there be a major security event that makes everyone start paying attention? I don't think so. If you look at history, a singular major event can cause a group to quickly change direction and unite them. This happened to Microsoft: things like Nimda and Code Red gave them purpose and direction, and the SDL program was created. But Microsoft was a single entity; one person could demand they change direction and everyone had to listen. If you didn't listen, you got a new job.

Imagine what would happen if anyone inside an open source project did this, even if they are viewed as the "leader"? It would be a circus. You would have one group claiming this is great (that's us), one claiming this is dumb (those are the armchair security goofs) and a large group who wouldn't care or change their behavior because there's no incentive.

You can't "hack" open source. A single project can be attacked or have a terrible security record. Individual projects may change how they work, but fundamentally the whole ecosystem won't drastically change. Nobody can attack everything, they can only attack small bits. Now don't think this is necessarily bad. It's how open source works and it is what it is. Open source won; I dare not question the methodology.

At the end of the day, the way we start to get security to where we want it will be with a few important ideas. Once we have containers that can be secured, some bugs go away, for example. I always say there is no security silver bullet. There isn't one; there will be many. It's the only way any of this will work out. Expecting everyone to be a security expert doesn't work, and expecting volunteers to care about security doesn't work.

The future of open source security lies with the integrators. The people who take lots of random projects and put them together. That's where the accountability lives, it's where it belongs. I don't know what that means yet, but I suspect we'll find out in the near future as security continues to be a hot topic.

It's a shame I'm not musical. Security Mushroom Cloud would be a great band name.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, November 3, 2015

Hack your meetings

I don't think I've ever sat down to a discussion about security that doesn't end with a plan to fix every problem ever, which of course means we have a rather impressive plan where failure is the only possible outcome.

Security people are terrible at scoping
I'm not entirely sure why this is, but almost every security discussion spirals out of control and topics that are totally unrelated seem to always come up, and sometimes dominate the conversation. Part of me suspects it's because there is so much to do, it's hard to know where to start.

I've recently dealt with a few meetings that had drastically different outcomes. The first got stuck on details, oceans will need to be boiled. The second meeting was fast and insanely productive. The reason why this meeting was fantastic took me a while to figure out. We were all social engineered and it was glorious.

Meeting #1
The first meeting was a pretty typical security meeting. We have a bunch of problems, no idea where to even start, so we kept getting deeper and deeper, never solving anything. It wasn't a bad group, I don't think less of anyone. I was without a doubt acting just like everyone else. In fact I had more than one of these this week. I'm sure I'll have more next week.

Meeting #2
The meeting I'm calling meeting 2 was a crazy event unlike any I've ever had. We ended with a ton of actions and everyone happy with the results. It took me an hour of reflection to figure out what happened. One of the people on the call managed to social engineer everyone else. I have no idea if he knows this, it doesn't matter because it was awesome and I'm totally stealing the technique.

A topic would come up, it would get some discussion, we'd know basically what we had to do, then we would hear "We should do X, I'll own the task". After the first ten minutes one person owned almost everything. After a while the other meeting attendees started taking tasks away because one person had too many.

This was brilliant.

Of course I could see this backfire if you have a meeting full of people happy to let you take all the actions, but most groups don't work like this. In almost every setting everyone wants to be an important contributing member.

I'm now eager to try this technique out. I'm sure there is nuance I'm not aware of yet, but that's half the fun in making any new idea your own.

Give it a try, let me know how it goes.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 27, 2015

The Third Group

Anytime you do anything, no matter how small or big, there will always be three groups of people involved. How we interact with these groups can affect the outcome of our decisions and projects. If you don't know they exist it can be detrimental to what you're working on. If you know who they are and how to deal with them, a great deal of pain can be avoided, and you will put yourself in a better position to succeed.

The first group are those who agree with whatever it is you're doing. This group is easy to deal with as they are already in agreement. You don't have to do anything special with this group. We're not going to spend any time talking about them.

The second group is reasonable people who will listen to what you have to say. Some will come to agree with you, some won't. The ones who don't agree with you possibly won't even tell you they disagree with you. If what you're doing is a good idea you'll get almost everyone in the second group to support you, if you don't ignore them. This is the group you ignore the most, but it's where you should put most of your energy.

The third group is filled with unreasonable people. These are people to whom you can prove your point beyond a reasonable doubt and they still won't believe you. There is absolutely nothing you can say to this group that will make a difference. These are the people who deny evidence, you can't understand why they deny the facts, and you will spend most of your time trying to bring them to your side. This group is not only disagreeable, it's dangerous to your cause. You waste your time with the third group while you alienate the second group. This is where most people incorrectly invest almost all their time and energy.

The second group will view the conversations between the first group and the third group and decide they're both insane. Members of the first and third group are generally there for some emotional reason. They're not always using facts or reality to justify their position. You cannot convince someone if they believe they have the moral high ground. So don't try.

Time spent trying to convince the third group is time not spent engaging the second group. Nobody wants to be ignored.

The Example

As always, these concepts are easier to understand with an example. Let's use climate change because the third group is really loud, but not very large.

The first group are the climate scientists. Pretty much all of them. They agree that climate change is real.

The second group is most people. Some have heard about climate change, a lot will believe it's real. Some could be a bit skeptical but with a little coddling they'll come around.

The third group are the deniers. These people are claiming that CO2 is a vegetable. They will never change their minds. No really never. I bet you just thought about how you could convince them just now. See how easy this trap is?

The first group spends huge amounts of time trying to talk to the third group. How often do you hear of debates, or rebuttals, or "conversations" between the first and third group here? How often do you hear about the scientists trying to target the second group? Even if it is happening it's not interesting, so only first-third interactions get the attention.

The second group will start to think the scientists are just as loony as the third group. Most conversations between group one and three will end in shouting. A reasonable person won't know who to believe. The only way around this is to ignore the third group completely. Any time you spend talking to the third group hurts your relationship with the second group.

What now?

Start to think about the places you see this in your own dealings. Password debates. Closed vs open source. Which language is best. The list could go on forever. How do you usually approach these? Do you focus on the people who disagree with you instead of the people who are in the middle?

The trick with security is we have no idea how to even talk to the second group. And we rather enjoy arguing with the third. While talking to the second group can be tricky, the biggest thing at this point is to just know when you're burning time and good will by engaging with the third group. Walk away, you can't win, failure is the only option if you keep arguing.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 20, 2015

How do we talk to normal people?

How do we talk to the regular people? What's going to motivate them? What matters to them?

You can easily make the case that business is driven by financial rewards, but what can we say or do to get normal people to understand us, to care? Money? Privacy? Donuts?

I'm not saying we're going to turn people into experts, I'm not even suggesting they will reach a point of being slightly competent. Most people can't fix their car, or wire their house, or fix their pipes. Some can, but most can't. People don't need to really know anything about security, they don't want to, so there's no point in us even trying. When we do try, they get confused and scared. So really this comes down to:

Don't talk to normal people

Talking to them really only makes things worse. What we really need is them to trust the security people. Trust that we'll do our jobs (which we're not currently). Trust that the products they buy will be reasonably secure (which they're not currently). Trust that the industry has their best interest in mind (which they don't currently). So in summary, we are failing in every way.

Luckily for us most people don't seem to be noticing yet.

It's also important to clarify that some people will never trust us. Look at climate change denial. Ignore these people. Every denier you talk to who is convinced Google sneaks into their house at night and steals one sock is wasted time and effort. Focus on people who will listen. As humans we like to get caught up with this "third" group, thinking we can convince them. We can't, don't try. (The first group is us, the second is reasonable people, we will talk about this some other day)

So back to expectations of normal people.

I'm not sure how to even describe this. I try to think of analogies, or to compare it to existing industries. Nothing fits. Any analogy we use, every existing industry, generally has relatively well understood models surrounding it. Safes have a physical proximity requirement, the safety of cars doesn't account for malicious actors, doors really only keep out honest people. None of these work.

We know what some of the problems are, but we don't really have a way to tell people about them. We can't use terms that are even moderately complex. Every time I work through this I keep coming back to trust. We need people to trust us. I hate saying that, blind trust is never a good thing. We have to earn it.

Trust me, I'm an expert!

So let's assume our only solution for the masses at this point is "trust". How will anyone know who to trust? Should I trust the guy in the suit? What about the guy who looks homeless? That person over there uses really big words!

Let's think about some groups that demand a certain amount of trust. You trust your bank enough to hold your money. You have to trust doctors and nurses. You probably trust engineers who build your buildings and roads. You trust your teachers.

The commonality there seems to be education and certification. You're not going to visit a doctor who has no education, nor an engineer who failed his certification exam. Would that work for us? We have some certifications, but the situation is bleak at best, and the brightest folks have zero formal qualifications.

Additionally, who is honestly going to make certifications a big deal when everything we need to know changes every 6 months?

As I write this post I find myself getting more and more confused. I wonder if there's any way to fix anything. Let's just start simple. What's important? Building trust, so here's how we're going to do it.
  1. Do not talk, only answer questions (and don't be a pedantic jerk when you do)
  2. Understand your message, know it like the back of your hand
  3. Be able to describe the issue without using any lingo (NONE)
  4. Once you think you understand their challenges, needs, and asks; GOTO 1
I'm not saying this will work, I'm hopeful though that if we start practicing some level of professionalism we can build trust. Nobody ever built real trust by talking, you build trust by listening. Maybe we've spent so much time being right we never noticed we were wrong.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 13, 2015

How do we talk to business?

How many times have you tried to get buy-in for a security idea at work, or with a client, only to have them say "no"? Even though you knew it was really important, they still made the wrong decision.

We've all seen this more times than we can count. We usually walk away grumbling about how sorry they'll be someday. Some of them will be, some won't. The reason is always the same though:

You're bad at talking to the business world

You can easily make the argument that money is a big motivator for a business. For some it's the only motivator. Businesses want to save money, prevent problems, be competitive, and stay off the front page for bad news. The business folks don't care about technical details as much as they worry about running their business. They don't worry about which TLS library is the best. They want to know how something is going to make their lives easier (or harder).

If we can't frame our arguments in this context, we have no argument; we're really just wasting time.

Making their lives easier

We need to answer the question, how can security make lives easier? Don't answer too quickly, it's complicated.

Everything has tradeoffs. If we add a security product or process, what's going to be neglected? If we purchase a security solution, what aren't we purchasing with those funds? Some businesses would compare these choices to buying food or tires. If you're hungry, you can't eat tires.

We actually have two problems to solve.
  1. Is this problem actually important
  2. How can I show the value
Deciding whether something is important is always tricky. When you're a security person, lots of things seem important but aren't really. Let's say inside your corporate network someone wants to disable their firewall. Is that important? It could be. Is missing payroll because of the firewall more important? Yes.

First you have to decide how important is the thing you have in mind. I generally ponder if I'd be willing to get fired over this. If the answer is "no", it's probably not very important. We'll talk about how to determine what's important in the future (it's really hard to do).

Let's assume we have something that is important.

Now how do we bring this to the people in charge?

Historically I would write extremely long emails or talk to people at length about how smart I am and how great my idea is. This never works.

You should write up a business proposal. Lay out the costs, benefits, requirements, features, all of it. This is the sort of thing business people like to see. It's possible you may even figure out what you're proposing is a terrible idea before you even get it in front of someone who can write a check. Think for a minute what happens when you develop a reputation for only showing up with good well documented ideas? Right.

Here's how this usually works. Someone has an idea, then it gets debated for days or weeks. It's not uncommon to spend more time discussing an idea than it takes to implement the thing. By writing down what's going on, there is no ambiguity, there's no misunderstanding, there's no pointless discussion about ketchup.

I actually did this a while back. There was discussion about a feature, it had lasted for weeks, nobody had a good answer and the general idea kept going back and forth. I wrote up a proper business proposal and it actually changed my mind, it was a HORRIBLE idea (I was in favor of it before that). I spent literally less than a single work day and cast in stone our decision. In about 6 hours I managed to negate hundreds of hours of debate. It was awesome.

The language of the business is one of requirements, costs, and benefits. It's not about outsmarting anyone or seeing who knows the biggest word. There's still plenty of nuance here, but for now if you're looking to make the most splash, you need to learn how to write a business plan. I'll leave how you do this as an exercise to the reader, there are plenty of examples.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 6, 2015

What's filling the vacuum?

Anytime there's some sort of vacuum, something will appear to fill the gap. In this context we're going to look at what's filling the vacuum in security. There are a lot of smart people, but we're failing horribly at getting our message out.

The answer to this isn't simple. You have to look at what's getting attention that doesn't deserve to get attention. Just because we know a product, service, or idea is hogwash doesn't mean non-security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you're talking about extremely complex and technical problems, they listen to whoever they can understand as there's no way they can determine who is technically more correct. They're going to follow whoever sounds the smartest.

If you've never seen the musical "The Music Man" you should. This is what we're dealing with.

Rather than dwell on it and try to call out the snake oil, we should put our effort into the messaging. We'll never have a better message than this group, but we really only need to be good enough, not perfect. We always strive for our messages to be perfect, but that's an impossible goal. The goal here is to sound smarter than the con men. This is harder than it sounds unfortunately.

We can use the crypto backdoor conversation as a good example. There are many groups claiming we should have backdoors in our crypto to keep ourselves safer. Security people know this is a bad idea, but here's what the conversation sounds like.

Them

We need crypto backdoors to stop the bad guys, trust us, we're the good guys

Us

<random nonsense>, backdoors don't work

We don't do a good job of telling people why backdoors don't work. Why should they trust us, why don't backdoors work, who will keep us safe? Our first instinct would be to frame the discussion like this:

  1. Backdoors never work
  2. Look at the TSA key fiasco
  3. Encryption is hard, there's no way to get this right

This argument won't work. The facts aren't what are important. You have to think about how you make people feel. We just confused them, so now they don't like us. Technical details are fine if you're talking to technical people, but any decent technical person probably doesn't need this explained.

We have to think about how can we make people feel bad about encryption backdoors? That's the argument we need. What can we say that gives them the feels?

I don't know if these work, they're just some ideas I have. I've yet to engage anyone on this topic.

What are things people worry about? They do value their privacy. The old "if you have nothing to fear you have nothing to hide" argument only works when it's not your neighbor who has access to your secrets.

Here's what I would ask:

Are you OK with your neighbor/wife/parent having access to your secrets?

Then see where the conversation goes. You can't get technical, we have to focus on emotions, which is super hard for most security people. If you try this out, let me know how it goes.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, September 29, 2015

We're losing the battle for security

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it's not currently looking good for our team.

As with all problems, if there is a vacuum, something or someone ends up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what's wrong, and sometimes even know how to fix it, but the people we need to listen aren't. I don't blame them either, we're not telling them what they need to know.

On the other side though, we also think we understand the problems, but we don't really. Everything we know comes from an echo chamber inside a vacuum. We understand our problems, not their problems.

We have to move our conversations into the streets, the board rooms, and the CIO offices. Today all these people think we're just a bunch of nuts ranting about crazy things. The problem isn't that we're all crazy, it's that we're not talking to people correctly, which also means we're not listening either.

We have to stop talking about how nobody knows anything and start talking about how we're going to help people. Security isn't important to them, they have something they want to do, so we have to help them understand how what we do is important and will help them. We have to figure out how to talk about what we do in words they understand and will motivate them.

How many times have you tried to explain to someone why they should use a firewall and even though it should have been completely obvious, they didn't use it?

How many times have you tried to get a security bug fixed but nobody cared?

How many times have you tried to get a security feature, like stack protector, enabled by developers but nobody wanted to listen?

There are literally thousands of examples we could cover. In virtually every example we failed because we weren't telling the right story. We might have thought we were talking about security, but we really were saying "I'm going to cost more money and make your life harder".

It's time we figure out how to tell these stories. I don't have all the answers, but I'm starting to notice some patterns now that I've escaped from the institution.

There are three important things we're going to discuss in the next few posts:

  1. What's filling the vacuum?
  2. How do we talk to the business world?
  3. How do we talk to normal people?

The vacuum is currently being filled by a lot of snake oil. I'm not interested in calling specific people out, you know who they are. We'll talk about what we can learn from this group. They know how to interact with people, they're successfully getting people to buy their broken toys. This group will go away if we learn how to talk about what we do.

Then we'll talk about what motivates a business. They don't really care about security, they care about making their business successful. So how can we ensure security is part of the solution? We know what's going to happen if there's no security involved.

Lastly we'll talk about the normal people. Folks like your neighbors or parents, who don't have a clue what's going on, and never will. This group is going to be the hardest of all to talk to. I sort of covered this group in a previous post: How can we describe a buffer overflow in common terms? These are people who have to be forced to wear seat belts, it's not going to be pleasant.

If you have any good stories or examples that would make these stories better, be sure to let me know.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, September 22, 2015

How to build trust

One of the hardest things we have to do is to build trust.

It's not hard for everyone, just us specifically. It's not in our nature.

Security people tend not to trust anyone. Everything we do is based on not trusting anyone, it's literally our job. Trust is a two way street. If you expect someone to trust you, you have to trust them to a certain degree. This is our first problem. We don't trust anybody, for good reason often, but it's a problem. We have to learn how to trust others so we can get them to trust us. This is of course easier said than done. Would you trust someone with your password? I wouldn't, but a lot of people do. This is a place where they won't understand why we don't trust them. Of course sharing a password isn't a great idea, but that's not the point.

I have a recent example that sort of explains the problem. It's not related to security, but the idea is there. A friend does graphic design work and was tasked to create a logo. This is easy enough, he made a few rather nice logos for the client to choose from, but then things went crazy. None were good enough, so they just kept bikeshedding the logos. The designer was of course very upset as this isn't productive and honestly, the end result always ends up looking almost exactly like one of the first few logos. Furthermore, the people commenting aren't graphics people, so many of the suggestions were just silly. Because they didn't trust the designer, now the designer doesn't trust them.

So how could this scenario have gone down? Ideally you look at what the designer gives you, you can give some feedback along the lines of what you think, things like "It has too many colors" or "It's not bright enough", not "The second letter A should be 3 pixels to the left". You have to trust your designer will give you something that does what you need it to do. It won't be perfect, it just has to be good enough. And in time as trust is built between you and the designer, the results will just keep getting better.

How many times have you sent back a presentation or whitepaper because it wasn't perfect? Or decided to just do something yourself because the writer wasn't doing a good enough job? Those people no longer like you. They think you're a rude inconsiderate jerk. They're probably right.

You can't just show up and demand trust, that never works. You can't demand perfection. Everyone is good at their own things, you have to trust that if you're working with a writer, or designer, or developer, they're going to do a job that's good enough, possibly better than you could ever do, if you let them.

Join the conversation, hit me up on twitter, I'm @joshbressers

Sunday, September 13, 2015

How can we describe a buffer overflow in common terms?

We can't.

You think you can, but you can't. This reminds me of the Feynman video where he's asked how magnets work and he doesn't explain it, he explains why he can't explain it.

Our problem is we're generally too clever to know when to stop. There are limits to our cleverness unfortunately.

I'm picking on buffer overflows in this case because they're something that's pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma.

There are two problems here.

1) You can't explain away some of the fundamental principles behind computing.

Even if we want to take away as much technical detail as possible, there are some basic ideas that regular people don't know. Computers are magic to most people. When I say most people I mean probably 90% or more of the people. When I say magic, I mean actual magic, not the joking sort of "I really know this isn't magic but I'm being funny". All they know is they push this button and they can pay their bills. They have zero idea what's going on. If someone doesn't understand the difference between a CPU, RAM, and a potato, how on earth will you explain the instruction register to them?

2) They don't care.

Most people just don't genuinely care. Some will pretend to be nice, but a lot won't even do that. Even if we found a nice way to explain this stuff (which we can't), we can't make people care what we're saying. If we're dealing with the likes of a CIO or CEO, they don't care what a buffer overflow is, they don't care how Heartbleed works. They have their goals and while security is important, it's not why they wake up each morning. Some people think they care, but then when we start to talk, they figure out they really don't. Most are nice enough they will let us talk while they're thinking about eating cookies.

So what do we do about it?

The answer is to drive the discussion around the problems. Rather than trying to explain technical details to someone, we have to build trust with them. They need to be able to trust us on some level. If there's a buffer overflow in something, we need to be able to say "here is the patch" or "here is how we can fix this" for example. Then if we've built up trust, we don't have to try to explain exactly what's going on, just that it's something we should care about.

We'll cover how to build trust in the next post.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, September 8, 2015

Being a nice security person

Sometimes it's really hard to be nice to someone. This is especially true if you think they're not very smart. Respect is a two way street though. If you think someone's an idiot, they probably think you're an idiot. You're both going to end up right once it's all over though.

As an industry we overestimate how much people know about security, which I think is the root of our problem.

I was talking to a peer of mine one day and was complaining about someone not understanding what I thought was an obvious security concept (I don't recall the details anymore, but it's irrelevant). She then said to me words I will never forget "I think you overestimate how much everyone else knows about security".

That statement changed my life. It's why I'm writing this blog now.

I've been paying attention to security for longer than I can remember. It's been at least 20 years, probably more. I was a teenager back when I started this journey. It's easy sometimes to think someone should just know something, it's all so obvious! When they don't, we of course decide they're dumb and we stop respecting them. I remember in my younger days being just brutal to people who didn't know something I did. It was all quite silly really.

The next time there's a clear misunderstanding, here's what you need to do. Stop talking and listen first. See what they're saying. Do they sort of get it? Do they not get it at all? Are they making up nonsense? Listening is easy and you can always start to think about donuts if you get bored. I won't lie, some people are just giant bags of gas, most aren't though.

Now, once you start to understand the other person, try to speak their language. Use words they understand. Terms like buffer overflow, XSS, remote code execution, DoS, APT, these don't matter to most people. They're all "security bugs". We'll talk about language in the future, but for now, just be patient. Your patience will be worth more than anything else you do. Remember that everyone knows something you don't, so while they need your help for security, you need their help for something else, even if you don't know what that is yet.

Some people won't deserve your respect, I'm not suggesting we become whipping posts, but the majority of people you should probably pay attention to. Just slow down long enough to talk to them properly. You'll be amazed what you'll learn.

Join the conversation, hit me up on twitter, I'm @joshbressers

Thursday, September 3, 2015

Everyone is afraid of us

How many times have you been afraid to say something about security because you knew if you're wrong, you're going to be destroyed in public about it by your peers?

How many times did you try really hard to completely discredit someone who said something wrong about security?

How many times have you been wrong but still argued because you didn't want to admit it?

How many good ideas never saw the light of day because of this?

I think one of the bigger problems the security industry tends to have is a trait for being overly pedantic. This is true of technical people in general, but in security we turn it up to 11. Now don't get me wrong, sometimes you need this, there's no such thing as crypto that's half right. When we work with normal people though, we can't be so pedantic.

This of course isn't a hard and fast rule. Sometimes we need the details to be correct, sometimes we don't. You have to use your best judgement, but if you're not sure I suggest you lean toward being understanding (rather than overly critical).

Let's go through some examples, just for fun.

Question: "Hey guys, I'm trying to understand if this patch is correct for a buffer overflow, could someone give it a review?"
Answer: "Actually that bug was a buffer overflow caused by an integer overflow."

We just ensured this person will never ask us for help again. This is a detail they probably don't really care about. Is the patch right? If not, help them understand what's going on. Use small words. If they ask questions, be patient. The right way to answer this would have been to look at the patch and ack it if it works, or offer advice on how to fix it if it's still not done.

Question: "Hi everybody, I'm working on adding SSL support to my application. The documentation isn't great though, are there any examples I could look at?"
Answer: "SSL is dead, use TLS!"

While that answer is technically correct (which is the best kind of correct), it's still not helpful. When you give someone an answer, you have to try to be helpful. If you're dealing with another security person you can probably be borderline unhelpful as they should know better, but remember, normal people think we're all crazy, don't support this theory.

Most people call TLS "SSL" because they don't know the difference; honestly, to most people there is no difference. The differences between TLS and SSL are huge of course, but if someone is looking for help to enable TLS in their application and they decide to call it SSL, it's an opportunity to educate them. They don't need to be experts, but if you're using a crypto library, you need to sort of know what's going on.

And finally.

Question: "Hey, I need help with a new XOR encryption algorithm I'm building."
Answer: "You're an idiot"

This one is probably OK ;)

If you have any examples to share, I'd love to collect them to use in the future.

Being patient and understanding is how we build trust. You don't build trust by being harsh. We'll never make a difference with most people without trust, so this is important. Now when you're dealing with some technical people, this is the exact opposite; it's the old "show me the code" argument, it doesn't matter how nice you are, if your code is trash you're not trusted or respected. This doesn't work with regular people though. They don't get warm fuzzies from reading code, they like to talk to people in a civilized manner using words they understand.

It's not easy, but we should all be smart enough to figure it out. Good luck.

Join the conversation, hit me up on twitter, I'm @joshbressers

Wednesday, September 2, 2015

You are bad at talking to people

You're probably bad at talking to people. I don't mean the friends you play D&D or Halo or whatever hip game people play now with, I mean humans, like the guy who serves you coffee in the morning.

We've all had more than one instance where we said something and ended up with a room full of people staring at us because it wasn't terribly nice or thoughtful. At the time you had no idea anything was wrong, you still might not.

This is the single biggest thing you have to learn not to do. Normal people have extremely thin skin. You can't call them horrible things, they don't like it. If you do it too often, they'll just never talk to you again. We'll get to this at a future date though.

Security people are mostly the sort of introverts who make other introverts look like party animals. When was the last time you talked to someone who when asked what a buffer overflow is first asks "heap or stack"? Who wasn't your Mom?

But it's not all bad. I'm going to pick on security people relentlessly on this blog. I'm going to make us look over the top silly sometimes, but that's because the target audience isn't the muggles, it's to help us all get better at doing the things that have to happen to secure the world. If we don't do this, nobody will and things will just keep getting worse. There are problems like none we've ever seen before, so we need solutions like we've never seen before. Our single biggest threat is a suit with swagger pretending to be a security person. We know they can't be trusted, but who will listen to us?

Some of you don't care and are probably going to disagree with everything I say. Some of you have to do this. You know you have to, you don't want to, but that's too bad.

So here's how we're going to look at this. Working with the regular people, we're not trying to be like them, we're going to pull off the greatest social engineering feat of our lives. We're a smart group, nobody will disagree with that, so we're going to use our extreme cleverness to fit in. We'll still go home, put on an old t-shirt, make origami wookies, and drink Mountain Dew. While we're at work though, we're going to be business people. We're going to dress nice, speak nice, and act nice. The only real difference from the actual business folks is we know we're putting on a show, they don't.

So for now, when you're talking to someone, be mindful of what you say. Listen more than you speak. Be kind. If they get something wrong, don't destroy them, politely suggest the right answer and if they don't agree, move on, you won't convince them any different. Ask questions, good questions. Don't just talk at people, talk with them.

And most importantly remember the person you're talking with is almost certainly a reasonable human trying to do what they think is right. It's when you insult or try to belittle them that they turn into someone out to get you, so don't treat them poorly.

We'll talk about all this stuff more in the future, but for now just try to keep a cool head when you talk to someone, especially if they're wrong.

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, August 31, 2015

What is Sober Security?

As an industry, security professionals are really bad at speaking to people. I don't just mean speaking to normal humans, I mean each other, even. We're a group of pedantic grumpy people. We don't understand how someone can't understand what we do. We're impatient, we don't like to have to explain ourselves, and we hate being wrong (and many of us are right quite a lot).

I work at Red Hat, I used to be part of the group that did all the security updates, but now I've moved on to be a security strategist. That means I mostly speak with non-security people both inside and outside the company. I've already apologized to a bunch of them, I now see how badly we can treat others. By "defeating" normal people we don't win, they decide we're crazy horrible people and they don't talk to us anymore, we end up losing but we don't even know it. The only reason anyone is paying attention at all right now is because security just can't be ignored anymore, they don't want to talk to us, they just don't have anywhere else to go ... yet. If the security professionals don't step up and start working with everyone else, we're going to end up with a lot of weasels pretending to be security people. If you have a fast-talking fraud up against a grouchy security dude, I'll let you guess who everyone is going to listen to.

I've not tried very hard in the past to explain things to anyone really, but that's changed. I now have to explain extremely technical concepts to people who don't know what a buffer overflow is. I can't use acronyms or jargon, it doesn't mean anything to my audience. I'm probably learning more than they are. For our lot, talking to people is hard, really hard, the hardest thing many of us will ever do, but it's something that has to be done. The whole industry needs to think about this. Part of why everything is so broken is because nobody has any idea what's going on, and that's our fault, not theirs.

How do we fix it?

I won't lie, I don't have any answers. I do however have some great people to work with, a solid background in the industry, and top notch security peers. I'm going to use this blog to talk about what I learn about talking to people. Hopefully there will be some others out there who can benefit from what I learn, and if you have something to share, by all means let me know.

The pioneers get the arrows as they say. Let's hope I don't get too many. Stay tuned for what I expect to be a most interesting adventure.

Join the conversation, hit me up on twitter, I'm @joshbressers