How can we describe a buffer overflow in common terms?

We can’t.

You think you can, but you can’t. This reminds of the Feynman video where he’s asked how magnets work and he doesn’t explain it, he explains why he can’t explain it.

Our problem is we’re generally too clever to know when to stop. There are limits to our cleverness unfortunately.

I’m picking on buffer overflows in this case because they’re something that’s pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma.

There are two problems here.

1) You can’t explain away some of the fundamental principals behind computing.

Even if we want to take away as much technical detail as possible, there are some basic ideas that regular people don’t know. Computers are magic to most people. When I say most people I mean probably 90% or more of the people. When I say magic, I mean actual magic, not the joking sort of “I really know this isn’t magic but I’m being funny”. All they know is they push this button and they can pay their bills. They have zero idea what’s going on. If someone doesn’t understand the difference between a CPU, RAM, and a potato, how on earth will you explain the instruction register to them?

2) They don’t care.

Most people just don’t genuinely care. Some will pretend to be nice, but a lot won’t even do that. Even if we found a nice way to explain this stuff (which we can’t), We can’t make people care what we’re saying. If we’re dealing with the likes of a CIO or CEO, they don’t care what a buffer overflow is, they don’t care how Heartbleed works. They have their goals and while security is important, it’s not why they wake up each morning. Some people think they care, but then when we start to talk, they figure out they really don’t. Most are nice enough they will let us talk while they’re thinking about eating cookies.

So what do we do about it?

The answer is to drive the discussion around the problems. Rather than trying to explain technical details to someone, we have to build trust with them. They need to be able to trust us on some level. If there’s a buffer overflow in something, we need to be able to say “here is the patch” or “here is how we can fix this” for example. Then if we’ve built up trust, we don’t have to try to explain exactly what’s going on, just that it’s something we should care about.

We’ll cover how to build trust in the next post.

Join the conversation, hit me up on twitter, I’m @joshbressers

Being a nice security person

Sometimes it’s really hard to be nice to someone. This is especially true if you think they’re not very smart. Respect is a two way street though. If you think someone’s an idiot, they probably think you’re an idiot. You’re both going to end up right once it’s all over though.

As an industry we overestimate how much people know about security, which I think is the root of our problem.

I was talking to a peer of mine one day and was complaining about someone not understanding what I thought was an obvious security concept (I don’t recall the details anymore, but it’s irrelevant). She then said to me words I will never forget “I think you overestimate how much everyone else knows about security”.

That statement changed my life. It’s why I’m writing this blog now.

I’ve been paying attention to security for longer than I can remember. It’s been at least 20 years, probably more. I was a teenager back when I started this journey. It’s easy sometimes to think someone should just know something, it’s all so obvious! When they don’t, we of course decide they’re dumb and we stop respecting them. I remember in my younger days being just brutal to people who didn’t know something I did. It was all quite silly really.

The next time there’s a clear misunderstanding, here’s what you need to do. Stop talking and listen first. See what they’re saying. Do they sort of get it? Do they not get it at all? Are they making up nonsense? Listening is easy and you can always start to think about donuts if you get bored. I won’t lie, some people are just giant bags of gas, most aren’t though.

Now, once you start to understand the other person, try to speak their language. Use words they understand. Terms like buffer overflow, XSS, remote code execution, DoS, APT, these don’t matter to most people. They’re all “security bugs”. We’ll talk about language in the future, but for now, just be patient. Your patience will be worth more than anything else you do. Remember that everyone knows something you don’t, so while they need your help for security, you need their help for something else, even if you don’t know what that is yet.

Some people won’t deserve your respect, I’m not suggesting we become whipping posts, but the majority of people you should probably pay attention to. Just slow down long enough to talk to them properly. You’ll be amazed what you’ll learn.

Join the conversation, hit me up on twitter, I’m @joshbressers

Everyone is afraid of us

How many times have you been afraid to say something about security because you knew if you’re wrong, you’re going to be destroyed in public about it by your peers?

How many times did you try really hard to completely discredit someone who said something wrong about security?

How many times have you been wrong but still argued because you didn’t want to admit it?

How many good ideas never saw the light of day because of this?

I think one of the bigger problems the security industry tends to have is a trait for being overly pedantic. This is true of technical people in general, but in security we turn it up to 11. Now don’t get me wrong, sometimes you need this, there’s no such thing as crypto that’s half right. When we work with normal people though, we can’t be so pedantic.

This of course isn’t a hard and fast rule. Sometimes we need the details to be correct, sometimes we don’t. You have to use your best judgement, but if you’re not sure I suggest you lean toward being understanding (rather than overly critical).

Let’s go through some examples, just for fun.

Question“Hey guys, I’m trying to understand if this patch is correct for a buffer overflow, could someone give it a review?”
Answer“Actually that bug was a buffer overflow caused by an integer overflow.”

We just ensured this person will never ask us for help again. This is a detail they probably don’t really care about. Is the patch right? If not, help them understand what’s going on. Use small words. If they ask questions, be patient. The right way to answer this would have been to look at the patch and ack it if it works, or offer advice on how to fix it if it’s still not done.

Question“Hi everybody, I’m working on adding SSL support to my application. The documentation isn’t great though, are there any examples I could look at?”
Answer“SSL is dead, use TLS!”

While that answer is technically correct (which is the best kind of correct), it’s still not helpful. When you give someone an answer, we have to try and be helpful. If you’re dealing with another security person you can probably be borderline unhelpful as they should know better, but remember, normal people think we’re all crazy, don’t support this theory.

Most people call TLS SSL because they don’t know the difference, honestly to most people there is no difference. The differences between TLS and SSL are huge of course, but if someone is looking for help to enable TLS in their application and they decide to call it SSL, it’s an opportunity to educate them. They don’t need to be experts, but if you’re using a crypto library, you need to sort of know what’s gong on.

And finally.

Question“Hey, I need help with a new XOR encryption algorithm I’m building.”
Answer“You’re an idiot”

This one is probably OK 😉

If you have any examples to share, I’d love to collect them to use in the future.

By being patient and understanding is how we build trust. You don’t build trust by being harsh. We’ll never make a difference with most people without trust, so this is important. Now when you’re dealing with some technical people, this is the exact opposite, it’s the old show me the code argument, it doesn’t matter how nice you are, if your code is trash you’re not trusted or respected. This doesn’t work with regular people though. They don’t get warm fuzzies form reading code, they like to talk to people in a civilized manner using words they understand.

It’s not easy, but we should all be smart enough to figure it out. Good luck.

Join the conversation, hit me up on twitter, I’m @joshbressers

You are bad at talking to people

You’re probably bad at talking to people. I don’t mean your friends you play D&D or Halo or whatever hip game people play now, I mean humans, like the guy who serves you coffee in the morning.
We’ve all had more than once instance where we said something and ended up with a room full of people staring at us because it wasn’t terribly nice or thoughtful. At the time you had no idea anything was wrong, you still might not.
This is the single biggest thing you have to learn not to do. Normal people have extremely thin skin. You can’t call them horrible things, they don’t like it. If you do it too often, they’ll just never talk to you again. We’ll get to this at a future date though.
Security people are mostly the sort of introverts who make other introverts look like party animals. When was the last time you talked to someone who when asked what a buffer overflow is first asks “heap or stack”? Who wasn’t your Mom?
But it’s not all bad. I’m going to pick on security people relentlessly on this blog. I’m going to make us look over the top silly sometimes, but that’s because the target audience isn’t the muggles, it’s to help us all get better at doing the things that have to happen to secure the world. If we don’t do this, nobody will and things will just keep getting worse. There are problems like none we’ve ever seen before, so we need solutions like we’ve never seen before. Our single biggest threat is a suit with swagger pretending to be a security person. We know they can’t be trusted, but who will listen to us?
Some of you don’t care and are probably going to disagree with everything I say. Some of you have to do this. You know you have to, you don’t want to, but that’s too bad.
So here’s how we’re going to look at this. Working with the regular people, we’re not trying to be like them, we’re going to pull off the greatest social engineering feat of our lives. We’re a smart group, nobody will disagree with that, so we’re going to use our extreme cleverness to fit in. We’ll still go home, put on an old t-shirt, make origami wookies, and drink Mountain Dew. While we’re at work though, we’re going to be business people. We’re going to dress nice, speak nice, and act nice. The only real difference than the actual business folks is we know we’re putting on a show, they don’t.
So for now, when you’re talking to someone, be mindful of what you say. Listen more than you speak. Be kind. If they get something wrong, don’t destroy them, politely suggest the right answer and if they don’t agree, move on, you won’t convince them any different. Ask questions, good questions. Don’t just talk at people, talk with them.
And most importantly remember the person you’re talking with is almost certainly a reasonable human trying to do what they think is right. It’s when you insult or try to belittle them that they turn into someone out to get you, so don’t treat them poorly.
We’ll talk about all this stuff more in the future, but for now just try to keep a cool head when you talk to someone, especially if they’re wrong.
Join the conversation, hit me up on twitter, I’m @joshbressers