Storms in a Teacup

14 July 2019

This is a flat version of something I originally posted on Twitter early in 2019. I kept meaning to convert it to blog format but never really got around to it until a friend of mine dug it up in response to something recently. This was originally posted in January, when the VideoLAN HTTP storm happened.

I feel like a number of people interested in infosec spend their time looking for things that they can yell loudly about, perhaps afraid that without something to tell others they’re annoyed with they will lose what makes them special, or makes them interesting.

I like this tweet, by VideoLAN (the creators of VLC Media Player), on how they - as developers - view the information security industry. I like it a lot. I largely try not to engage “infosec Twitter” because every time I drop in it feels like the louder parts of the community are gravitating from one storm in a teacup to the next. It feels like they are dedicating themselves to be perpetually outraged by something that - when viewed through the correct contextual lens - is probably really Not Really A Big Deal™.

Every ‘fix’ comes with a cost, and very often - especially with systems that are older than the average JS framework - they aren’t anywhere near as simple as someone who has just sauntered in on infosec Twitter™ would like to believe. From my perspective, being a sound consultant involves understanding that cost and knowing what battles you put aside to win the overall war.

That’s a bad metaphor, though, because it’s not a “war”. You’re not “fighting” against the blue team. You’re meant to be helping. Sitting from your position of 20-20 hindsight / no sunk cost / no effort expended and telling the developers they are Doing It Wrong™ isn’t helping. It just makes them unlikely to want to work with you. Yes, you may have the expertise. Sure, you might be right in a perfect world. Hey, you might be right in this very world. However, what fronts are the developers working on right now? I guarantee it’s more than just this one. Have you seen the average medium-sized software project’s bug tracker? I assure you it’s not sitting empty waiting for “it doesn’t use HTTPS” to fly in so they can smash that “wontfix” button.

Truth is, being outraged all the time doesn’t make you special or interesting. It just makes you upset all the time.