Skip to content

2

This is part four in the series on personal codes of conduct. These are my maxims, my personal guiding philosophic code.

Part 1

Part 2

Part 3

Maxim 10: People aren't dumb. They are illogical.

Dumb users may be the foundational trope of IT. Doubly so in Infosec. I remember the early days of the Bastard Operator from Hell (reference point: go to theregister.com and search BOFH). There were other actual non-satirical blogs like this of admins having days ruined by inane stupid requests from users. If you are old enough, you remember the stories of the now extinct cd-rom drives' birth when there was always that one user who thought it was a coffee cup holder. To be fair, by modern definition, the coffee cup wizard is a hacker. They found an undesigned use for their hardware. We mocked them; we should have praised them for their ingenuity. Thus my maxim.

Users aren’t dumb. They are illogical.

End users are trained to do their processes. Most jobs in offices today are designed to be done in near assembly line style. A user has a very defined set of duties. They are trained on that set of duties. They practice those duties every time they do them. The procedure is logical for them. That logic exists within the bias of their experience. Most jobs do not require – nor do they want – people who think outside of the box. This is the complete antithesis of IT and Infosec – we follow processes but are constantly put into situations where the box doesn’t exist, and we must solve the problem // track the adversary // stop the malware // fix the issue RIGHT NOW. This requires us to be agile in thought while still following a logical progression. To be in the IT // Infosec space, you need to have the ability to be logical. Troubleshooting is applying logic to a problem. The nature of our jobs requires us to be able to logic any situation that comes up, as inevitably many have nothing to do with our systems.

In the modern day Everything as a Service society where most people outsource their needs to third parties, the need to be able to solve problems logically is no longer a necessity. It gets outsourced. Thus, when people need to be logical in an unfamiliar environment, they get frustrated.

Corollary:

subject inexperience x emotional escalation x attention at that moment = disproportionate response (Blowback)

You must understand the logical approach in dealing with an illogical person, then you can mitigate any unpleasant response. If you can minimize the attention on them at that moment, calm the situation down through the liberal use of patience, and use it as a teaching moment, you minimize all three factors leading to blowback. The biggest part of this is knowing that they will be illogical with their next tech and security issue, and the next, and the next. On a long enough timeline with enough interaction, they will start understanding the logic. And helping them get there gets you an ally.

 

Maxim 11: Words matter.

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”     -- Cardinal Richelieu, in The Three Musketeers.

Words change the path of the world. Look at what a tweet from the commander in chief can do. Words can be used to change a mood, challenge an assertion, even save a life or sentence a human being to death. Words can build allies or create enemies.

We live in a world where people want to be offended, forgiveness is conditional, and even (especially) the most mighty of Infosec heads look for reasons to crucify people based on their personal orthodoxy. For all the talk in helping people up, they also file away every printed work to use against those same people someday.

In the modern world, our words are eternal – every tweet a testament, every comment an epitaph. In this world, you must be skillful with your words as if they will be carved in stone forever. You need to respect the damage they can do to you as well as to others. Your words will be used against you by your adversaries and enemies.

Be direct. Use exacting language. Understand how to communicate for your medium. If you use twitter, reference an idea then link to a blog post expanding on it. Review written words before publishing. Think on any e-mail before hitting send. Think about the potential recipients (even ones not in the To field or among your twitter followers) as your message is shared and how they choose to interpret the words from within their bias bubble.

It sounds like a lot of work. It is. It doesn’t matter if we don’t like the world being that way, we deal with the world as it is (Maxim 2).

Corollary: Passive aggressive statements are a sign of weakness. Those who deliver such statements demonstrate a cowardice to take responsibility and challenge something directly, most likely because they know their challenge will not stand up to any logical scrutiny. These statements are most often used when logical truth is at odds with emotional (childish) desires.

Do Not Be Passive Aggressive.

Maxim 12: Take care of the people who take care of you.

I am fortunate. Not because I have slogged through the mud to an amazing job with the best benefits I have ever seen (not primarily). Having slogged through thankless jobs, I am very appreciative of those who enable me to spend more time doing what I need to be doing, rather than being forced to do little housekeeping day to day time sinks that whittle down my time availability in my day. I once thought the idea of the rich person with the butler was snooty. Having been support staff, I realize the value in the staff giving back time into my day. Lunch is provided, so I don’t have to spend time making it before work. People keep the office and restrooms clean, so I don’t. I have a HR department that is constantly challenging our benefit providers to do better so I don’t have to shop around myself. I have a bona fide excellent IT support team who makes sure I never have to engage with angry users.

I also realize these people get paid far, far less than I do.

It starts by acknowledging that they are not an invisible service provider. They have names. Most have families. They aspire. At times they have unpleasant jobs. I want them to feel valued; I want them to feel appreciated. I want them to achieve and do well in life. I want them to be part of a culture of success.

And to do that, I give my time. When they have questions of personal security, I will take the time to do a security review and let them know what options are available. Are they in a branch of IT and are looking at positions on the horizon? I work with them to know what they should train to build the skillset for pending internal positions that would be a promotion. I help them find the conferences and knowledge bases they don’t know exist. Sometimes, just having hallway talk about how bad the Buccaneers are doing this year (after a too promising 2-0 start with a backup) so the slightly better Packers could be in a worse position.

Taking the time is more than just being human, it’s pragmatic. Because that day will come when I need them to take the time for a reason I can’t imagine, when they wouldn’t have to. I won’t even have to ask.

Across seas of monsters and forests of demons we traveled. Praise be to Allah, the Merciful and Compassionate. May His blessing be upon pagan men who loved other Gods, who shared their food, and shed their blood. That His servant, Ahmed Ibn Fahdlan, might become a man, and a useful servant of God.

-- Ahmed Ibn Fahdlan Ibn Al Abbas Ibn Rashid Ibn Hamad, closing line to 13th Warrior.

Infosec_Samurai

 

1

I have a folder in my e-mail where I save the CFP rejection notices I have received, from the conferences that send those notices. When these rejection notices come in, they always come with platitudes such as 'thank you for submitting' and 'please submit next year'. They never say 'your submission was awful' or 'please don't contact us again.' They come with zero constructive feedback. If you talk to people on the selection committee, they will say some variation on the following lessons people can learn from the process:

  1. Try submitting the talk again at other conferences.
  2. Try again next year.

These are complete falsehoods.

Submitting at other conferences may be a waste. Selection committees are inbred. Selection committees are made of high profile Infosec people and conference insiders. There are not a lot of these in a region. Ergo, they get reused. If you are rejected from giving a talk in Indy and you submit to a conference in Chicago // Louisville // Grand Rapids, you may very well be rejected again by some of the the same people who told you to submit it elsewhere.

Why would you try again next year? In the world of Infosec, where things change daily, if the talk wasn't up to their snuff this year, when all the incremental changes happen in a year, how will your talk be even more relevant? Doing this is a waste of time.

As always Maxim #2 applies (We deal with the world as it is - we don't pretend it's the way we think it should be). In light of that, here are the real lessons I have learned from the CFP process, and my several rejections.

 

Make a decision - do you want to speak on this topic, or do you want to speak at this conference?

Understand this. You may have a topic you think is of value. You may have  conference where you'd like to speak. And they may not go together. Most every talk can fit into the base design of some conference - there are dozens, if not hundreds, in the US alone. But most conferences have a very specific template. Look at the webpages for that conference past, and see the talks and abstracts they publish. Does your topic line up with these? If your goal is to present at a conference versus give a talk on a specific topic, look at the past talks to find what they like to have presented at their conference (and it is THEIR conference, despite any claim about being part of or welcoming to the community - internalize that). Find something in that vein and present it. Do they take talks about threat hunting? Find a topic on hunting that hasn't been done, such as hunting with outlook registry artifacts or hunting through Mac system logs. Learn a topic that they'd like that no one has presented, become an expert, and submit that. That may mean waiting until next year, but if the goal is to present, put yourself in a position to do that. If you want to present on the topic, you may have to widen your search, and expect to travel.

 

Every conference has a clear template about what presentations they accept. They are the presentations from previous years.

This seems so common sense, but it is never really preached. People will mention it occasionally, but it is the ultimate Canon on what a conference wants. You have a library of what talks they want, how they should be titled, what the abstract should look like, and most importantly, what kind of people they want presenting (this last one is the unspoken dirty little secret - conferences are run by people with agendas, remember). Everything from the headshot to the name to the title to the bio is laid out in a nice order. Review these over a long enough timeline and you will see a pattern. Build to fit the pattern they want. This increases your chance at selection.

 

Don't punch above your weight.

Some conferences, through the patterns explained above, don't want new people or unknowns. They tie the prestige of the conference to the speakers who present. When a conference publishes a partial list of speakers before the stated date of selection, they are demonstrating their prestige. Each of these speakers will have some list of notable accomplishments or previous speaking engagements which give the conference weight, and explain what they are looking for.

Like every rule there is an exception. There is nearly always a magical little checkbox at these conferences that (when most politically correct) says 'check here if you are an underrepresented group.' Understand in modern parlance, that means not a white male. As a white male, I have very strong feelings about this, for reasons you wouldn't expect (and some you would). But the truth (maxim 2) is that if you are not a white male, use this to your advantage. Conferences want people who aren't white males (for reasons ranging from pure to sexist//racist, depending on the conference - not everyone is on the side of the angels). Use this to your advantage. Make use of the opportunity. Understand this doesn't mean (at most conferences) that you will be accepted because of a sub-par talk. What it means is you win tiebreakers. The conference will pick out the big names and the talks they clearly want. If yours is a talk they want, and you aren't up against an Infosec name, and you followed the submission guidelines (people don't - conference organizers whine about this every year), your competition is whittled down to any other similar talk being presented by either an unrepresented group or an insider who knows someone on the selection committee - and the checkbox can beat even that. Understand this, there is no shame in using the available advantages. It is your future, and your resume - don't hold yourself back.

 

Sometimes, the only winning move is not to play.

If you read this as a defeatist attitude, you already miss the point. As the old woman in The 13th Warrior told Buliwyf, perhaps you've been fighting in the wrong field. If your goal is to get information out there, but you don't think you can get past the selection committees for whatever reason, you have options. Write a blog. Do a podcast. Post a video on youtube. Create the content with your own personal spin, and use that to build your personal brand. Demonstrate value. Connect with like minded people. Share content. Do this, improve your skills at presenting information (in any format), build a history of useful content, and you become a name that the conferences want, you build bridges to people on the selection committees, or you may be brave enough to put in the time to start a conference covering those uncovered topics.

Here's the dirty little secret of meritocracy, and an example of where even the most beneficial and fair system breaks down. When you accomplish something that lets you connect with the people running these conferences, you are in a position to make better connections and have access to research others don't, making it easier to get the better jobs or access to information on topics you'd like to research, that you can then present, creating a continuous cycle. It takes a lot more effort to get into the eye of the storm than it does to stay there. And when others see people make that same journey, they will work to insulate that group. It's the nature of tribalism, which has existed since the dawn of mankind and will never go away. Understand it. Accept it. Make use of it.

Ultimately, decide what you want. Take the time to learn the real rules of engagement, then play to win.

Infosec_Samurai