
Avram, this is really cool. I had no idea it was gonna be this big; it seems the entire island is here and you all came. It's really awesome to see the BSides organizers here putting on so many talks about, like, health and well-being in the industry, because we're really bad at it, and that's never affected anyone's life. So, clay layer 2 person sweeping, and impostor syndrome.

Who am I? I'm a security engineer at Stripe. We do payments. We're named after mag stripes, if you remember those, because PayWave has been here for a while now and we still have mag stripes. I used to be at Etsy, so I know a lot about knitting. I used to be at Puppet Labs, so I'm probably responsible for your infrastructure breaking. And I'm a two-time sponsor of Wrong Island Con, if anyone's been to Wrong Island Con. Exactly, yeah. By sponsoring I mean I paid and didn't go.

I know how to pronounce "router" because I've lived in this hemisphere. I'm enjoying the latency of every connection I'm in, yeah. And my Instagram has been stuck advertising New Zealand things for the past three or four months, I think because I tried to VPN to New Zealand so I could try and get Google Navigation settings to be in New Zealand, or Kiwi (I don't know if it's the same, Australian or Kiwi), and then Instagram went "oh, you live there, let's do all your adverts on this now". So it's really useful to get everyone on board: this is a fact, and this is where I lose the crowd, because that's actually better than both. It's like, it's using a moment... it's delicious; it's too sweet and too toffee-like for me, you know, but English Marmite is gross and just goes egg, and I do buy them in their two and a half kilo tubs because I have a problem, but currently that's in... sorry.

But first, before this train wreck of a ride goes: it's a trigger warning, 'cause I'm being responsible. I don't know if this show made it here, but that's still my favourite joke. This talk is about vulnerabilities. I don't know if anyone in the security industry has heard of vulnerabilities; I haven't seen any talks on them or anyone mentioning them. But vulnerabilities are "the core quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally", and then some examples, whatever. Emotional vulnerability is never talked about in the entire InfoSec world, because you're not allowed to have them, but other vulnerabilities you must talk about, because that way you prove your... This talk is not about that. If you are looking for the zero day you need to be in a different room. And finding an old picture of Rochelle was really fun and shows how old I am. Yeah, I don't have any RFC 4861 0-day; if anyone knows what the RFC is, you should get out more.

So, impostor syndrome. Vincent Adultman is the best character ever. It's when high-achieving individuals are marked by their inability to internalize that they're good at anything. Like, they did this thing, but yeah, anyone could do this thing. Or: I'm gonna get found out that I actually didn't know as much as my teammates, or somehow I've passed an interview and have worked successfully in this company for the past six years, but somehow I slipped through; no idea what that would be like. And like, I'm not even qualified to give this talk. And this happens a lot. I've even turned down... someone asked me to go and speak about this in a conference and I turned it down because I didn't feel like I could talk about it, and I've spent the last few months going "I'm not sure I can talk about this anymore". And yet you see how many roses builds, and the theory that, like, everyone has this. Not everyone is the most confident, outgoing, sure-of-himself person in the world, but there's a difference. It's like when someone says they have OCD when actually they mean they like tidying. Putting all your pens in a jar is not OCD; lining stuff up on your desk is not OCD. Going back to your house ten times to check you locked the door, and having the exact same routine every day because otherwise you have a panic attack, that's OCD. So it's a difference of scale. Not to upset anyone who has OCD; you probably didn't make it because you're checking you didn't leave the gas on.

So, an example, an example from my own very life. I started at Etsy in 2013. This is the lowest-resolution photo; when I saw the size of this projection I'm like, oh yeah, that's gonna work great. Back in 2013 we didn't have digital cameras, so this is scanned off a flash bulb. So everyone in this photo has, like, spoken pretty much at Black Hat or DEF CON. I'd just come back into security after being in operations for a period, mostly, well, entirely because I read the book Kingpin because my friend recommended it, and I'm like, oh yeah, I know these mailing lists, I know all the, like, what-are-nerds mailing lists where everyone would post Snort signatures and you'd apply them and get false positives. Apologies to anyone running Snort still. And so my first week there, which is already weird because you're at Etsy and it's not a real place, we have a first team meeting and everyone's going on about all these projects they're working on. I obviously don't have a project I've been working on, because I've been there three days, and people are talking like CSP, and it's the only one I remember, and all these other things. I'm like, crap, I don't know any JavaScript at all. I've never, like, I think I made a blink tag once; is that close? Like, I have no idea about any of this other stuff. And I'm like, well, I've got so much to learn in my first few weeks before these people just throw me out the door. And then, like, for at least the first six months I was living under this constant feeling that I was going to be discovered and fired, which is extra spicy if you're a migrant worker in the US, because if you lose your job you lose your visa and you have to leave the country pretty much that day (sometimes there's a grace period). So, like, being fired is like, oh, I just have to give up all my friends and country, then return to another country and start again. No pressure. This is a really horrible feeling. I thought I'd make the talk more polite by saying "ducking", and a shout out to dark sake.

And this makes it really hard to do good work, because you have this extra layer of anxiety and fear and not wanting to fail, so you don't try anything risky, and if you don't try anything risky then your work kind of... can become, will feel really mediocre. So you kind of get, like, a self-perpetuating feedback loop of making your own stuff worse, so it gets harder, which makes it worse, which gets harder, which then leads to burnout, which I think some people are beginning to acknowledge might happen in the security industry. Etsy used to be nicknamed the retirement home for burnt-out pen testers and consultants, because we had so many ex-iSEC and other places people who would just say, yeah, I'm bored of going to the same places doing the same things every time and living in a hotel for two weeks; can I just get a regular job at a place? Yeah, yeah, come along, we have knitting and cookies.

So what to do about it? It's just kind of why I'm talking, and also I love this, but in hindsight this isn't the best slide, because now, like, there's two CSOs, two managers... son, yes, fine, fine. But I didn't get fired from that place, so by their own reckoning I was over the level to not get fired. So a lot of this is the reality of yourself and the perception of yourself. You compare yourself against the best of everyone in your team and your peers to what you can do, rather than the average of what they can do. So, like, if you have some mind-blowing reverse engineers on your team, and you'll never get a reverse engineering, or even forward engineering... even like, they're much better reverse engineers than me, I'm useless, like, so clearly I'm useless. Yeah, cool. Do they know how to, like, do anything other than reverse engineer? No, not really, right? So you have all these other skills, but you only compare yourself to what they do, which is just, it's not fair on yourself, and you wouldn't... if a friend came to you with this problem you wouldn't tell them "no, no, that's right, yeah, just compare yourself to the best of everyone in your team against you, because that's a really clever thing to do". But your brain doesn't like working like that, so you have to have a much more kind of levelled response to it of: okay, so this person is good at this, but I'm much better at this because this is what I do. Or if, like me, you're a jack of all trades (jack is probably a strong word), master of absolutely nothing: like, I'm not better than anyone in my team in pretty much anything other than dyeing my hair, because Rich was awful at it; someone didn't get their deposit back on their last place. But as a whole I can do a bunch of skills at once to various levels that other people cannot do to those levels. Hilariously, due to being older than 35 and working for a company that does cloud, I'm one of like four people in the company who knows how to rack things, which is not the most groundbreaking skill, but it is when you buy some service and people are like, yeah, there's a room there, it's got fans and [ __ ]. Like, yeah, yeah, they do. Yeah, you know what, a great skill to bring to the table.

And especially in this delightful hemisphere you have tall poppy syndrome, which is a great thing to Google image search for, which I think can be, as soon as anyone gets too elevated you kindly peg them down, but that doesn't stop how you internalize it, and I don't think InfoSec is particularly good at, like, bringing the egos of certain people down.

So now an exciting story with beautiful clipart. So when I was back at Puppet Labs in sunny Portland, Oregon, I was working with one of the developers there. They were one of the first initial hires, they've written books on Puppet, they've done a lot of the dev work, and like dreaming up wild ideas that we should never make it into production, "but here it is for a demo", then eventually it gets old. We were talking about OS provisioning and he was like, "so how do these machines get the IPs on them?" "They just use DHCP." "What's DHCP?" "Wait, nobody said..." I explained DHCP. "Wow, that's really cool." I'm like, wait, so you know so much about those things, you can program and write, like, I can't read as quick as you can write code, and that's in Ruby. So like, whoa, that's illuminating. Holy [ __ ], we have different experiences; we are good at different things. And this is the best clipart on the Internet; I could just leave this slide up for the whole thing and it would be fine because it's so good. But yeah, having people from different backgrounds and different experiences, and like how they were taught: if you have someone who comes from, like, a games development background, their versions of what optimized are will be very different to yours. If you have someone who comes from, say, the banking world, their understanding of privacy will either be much worse or better than yours, depending on... anyway.

So impostor syndrome could actually be a sign that you're about to learn awesome things, and who doesn't like learning awesome things? They're awesome. And it could be a sign that you have a lot of knowledge to share too, because I very rarely found people who are a superset of all my knowledge and experience and have done everything I've done, and I've only done some of it. I think that would be creepy, but also very unlikely, and I would be sorry for them, as so much drinking.

So now we have this audience participation time. Scary, I know. How many people have heard of someone getting fired due to knowing absolutely nothing? I mean, some hands, but whatever. How many people have you heard of having impostor syndrome to any degree? More than one hand, right? So, using maths, one of those is bigger than the other. So using threat modelling and risk analysis and machine learning, probably threat intelligence, we can work out that, like, one of them is more common than the other, and maybe take that into account. So why do our brains make this trade-off? Because human brains have survived quite a while and they've had bigger adversaries than the corporate workplace, such as... I was going to say dinosaurs, but my education isn't that bad, despite living in America. So some of it's ego. I don't know if you've heard of this in the InfoSec space; I think it's a new thing they're trying to bring in, like, new egos in InfoSec. I'm just like, Google image search is my favourite thing of late. This guy is a badass hacker because generally when you're using a computer holding a gun... who's... I'm contagious, because then you can type with one hand and, like, use your nose to press return. So InfoSec actually has attackers. Coders have bugs, which often they feel are attacking, or project managers, which they often feel are attacking, but no. But the same, good operations people have the entire world and a limited life and alcohol, but these are not, like, actually attacking you, despite how, I don't know, certain patch management seems. But in InfoSec there are real people trying to break your [ __ ], trying to break into stuff to steal things from you in a criminal way. Like, other than, like, legal and risk ops and all those other things that have actual adversaries in the traditional sense, so it's actually quite high stress in that regard. There's very clear win/lose stakes. Like, if you're Equifax, you have lost. If you are a certain four-letter-word ride-sharing company... moving on. Just a 100k bug bounty program, brilliant. So as attackers you win and lose, and as defenders you win and lose, and like it is very clear over which those are. Like, if your site gets owned and all your information is now on the public Internet, that's probably viewed as losing, and the attackers probably won. But if you pay them off and get them to sign an NDA, it's good, good.

Especially in the conferencing there's lots of posturing, because you have to, like... I really wanted to include the bit from Johnny Mnemonic where he's like "I could crash your [ __ ] from here", but why give that film more credence than it has, and DEF CON still exists. But there's a lot of posturing at that, of, like, being a badass hacker, being a black hat, because wearing hats indoors like this is a social faux pas, but okay, I just never understood that. And all the talks, they're like, adversarial talks get much more interest than defensive talks, even though there's probably more people defending in the world than attacking; one of them's better paid if you're good at it. 100k bug bounty program.

So it leads to people not showing the vulnerabilities, not that kind, everyone can drop 0-day. Or why do people not call it one-day or two-day the day after? Like, in reporting, when they say they used 0-day you're like, cool, yeah, but that was yesterday, so now it's one-day; it doesn't stay 0-day forever, that's not how days work. But, and people not admitting they don't know anything, out of fear, out of worrying about looking unknowledgeable, dumb. Like, who you ask a question to, say, the previous gun-holding badass hacker, like, "oh, we don't know what that means", are you going to get a really friendly answer or are you gonna get them laughing at you? Mm-hmm, yeah, probably. Probably people burning out and leaving the industry. I know lots of security people who really want to just open a bar because it has to be less stressful than working in defence. And it also leads to InfoSec not being diverse or inclusive in any way, and I'm really impressed at this conference for being really diverse and inclusive, so good job New Zealand, and carry on being really nice. What are you, the Canada of the south? Yes.

My friend Scott Roberts at GitHub has written a much better blog post than mine on this, which is where I stole this quote from, and it's just about reframing how you view it. If you can go, "maybe I'm not an impostor, maybe I'm just not a psychopath", which, as any therapist will tell you, is step one on becoming a psychopath. "Maybe I'm just not paying enough." And this is a really nice thing to do, which I imagine not a lot of people in the industry do, but this is a really cool, like, trick you can do for when you're having those days where either your payload isn't popping a shell, or you work for Equifax, or you found another set of GitHub keys that led to some mystery crowd never much. And another fun one, like, who enjoys passwords and passphrases? There we go. But a friend of mine is like, yeah, I just make them something that's really uplifting, so every time I have to type in this really long passphrase I kind of feel a bit better about the horrible world. Like, oh yeah, that's, like, really easy and would be really nice. So, no, feel terrible. But, like, all this comes from brains, and brains are just a very primitive set of ways of not being eaten by things that slowly evolved into society.

So why does this happen? Cognitive dissonance (that's really hard to say) is where the brain kind of holds two thoughts that seemingly don't go together. In this way, so like, I've been having impostor syndrome all my career, that spanned two decades; then either there's really bad hiring in the world (which there is, but there's my point), or, like, I'm able to do this enough that it's okay. And the only other place I can actually think of this ever happening is, if anyone knows who this is, this is Albert Hofmann, the person who discovered acid with his cat. He lived to 102 just by discovering acid and going "I wonder what this does". So from accounts of which I've read, when taking acid, like, four hours in, you're like "that wall is melting, your leg... and I am being surrounded by aliens, and it's not because of the acid, it is just a coincidence that they happen to show up at this time, because even though I've taken acid, it can't be acid, as this is real". I'm like, there's similar levels, from what I've read, of the cognitive dissonance of "I have done this thing and here's the evidence, but I am ignoring the evidence because it can't be the evidence", or there are aliens every time you take acid.

So what can you do as an organization? Not microdose, apparently. Hofmann was microdosing for the last 20 years of his life and he died at a hundred and two. What a wonderful person. You have all these Silicon Valley startups going "yeah, we're microdosing, you like flavour"; this guy was doing it at 101 years old. So as an organization, or even as a wonderful friendly conference, acknowledging it exists is actually, like, a reasonable first step. Telling your new hires that it's okay to be unsure, and like, as soon as you have someone on your team go "yeah, none of this will make sense; I promise you eventually it will make less nonsense". But as... we have complex systems, that's why we are working in a knowledge-based industry that is very specialized, because you can't understand all the things, because there are so many things now that interact in so many ways, so the idea of knowing everything is just kind of redonkulous. The GDS in the UK have this tiny list. It's impossible to read even on this giant projector, but it's linked in the, I can't say show notes, it's linked in the slides that I'll pass around afterwards. And this is my "I live in America, we still use fax". What are you... And this is saying what it's okay to say, and it's okay to say "I don't know". And if that is ingrained in your work culture, and that is welcome, and that is on a wall so it's clear, it's not like a thing said in back channels, it's right there in front of you and acknowledged by everyone, then that is a much easier way of going "I don't know, and that's okay" rather than "I don't know and I must pretend otherwise or I will be fired in moments".

It's the Recurse Center, formerly Hacker School, but they changed the name so it'd be harder to remember who they are. They have a lot of social norms and social rules, and a giant projector there. No feigning surprise, of like "you don't know something? you must be..." like, you're not allowed to do that, well, you're encouraged not to do that there, because that doesn't actually help anyone learn; it's just, gonna say, dick-waving, posturing unnecessarily. No "well, actually"s, which, God, if the impose psyche unique you do that, that'd be great. No backseat driving, and no subtle -isms, like racism, sexism, all those kind of things. If every security team in the entire world could adopt these kind of social rules, I think InfoSec will be in a far better place and there'll be much less unhappiness, burnout; we'd actually be able to work together occasionally, might become a bit more inclusive. DEF CON might burn to the ground. Guess I'm doing this talk at DEF CON next year.

Blameless post-mortems. I say, you say... what, could I have to talk about blameless post-mortems? That's in my contract. And the idea is, like, if something breaks you don't point your fingers at the person who did the change; you talk to them, go, like, "what was your expectation of the change?" You obviously made the change going "I think this will work", or you wouldn't have done it. Like, no one goes into work going "oh yeah, let's see what I can [ __ ] break today" unless you're a red teamer, or you are AFL. Select people go "I actually want to be good at work", and like, "let's make a thing work: push button, flames come out, ah, I didn't expect that, you use Elasticsearch". And that's, like, a much nicer way than just having a blameful culture, where, like, "oh, a thing broke while doing something really hard and technical that only they were working on in a really high-stress situation; rather than be supportive and learn from this, let's point our finger at them and maybe fire them". Like, hmm, I don't want to work in that place, because you won't learn in that environment. If every time something breaks, if every time a computer did something wrong you got fired, who would boot their Mac? Who would install Linux?

Praising others. I didn't think this is so much a thing, a thing we do in InfoSec all that much, which is a shame. Stripe has a very strong culture of being as supportive to each other as we can across teams. Etsy had no Mis... that's the sad times... Etsy had a very positive culture towards each other, and like chat bots with plussing everyone and being generally very supportive to each other, and that's actually something small but it actually makes a difference. I think at Yelp the person who gets the most pluses every week gets, I think it's a unicorn for the week, a little plushie unicorn for the week. But that's just an acknowledgement that, like, everyone really enjoyed your work last week, have a unicorn. So we're on to life tips for praising: you can make it personal to the person, but don't personalize it. The same way you wouldn't call someone a dumbass for breaking something, you didn't say "you're a genius" for making something work; it's like "you did something really good, tell me about how that worked, I'm really impressed by this" rather than "you were obviously the second incarnation of Albert Einstein".

This is a contentious topic: the concept of yak shaving. My former coworker Seth Walker... I'm just gonna say... the yak shaving is to season it; it's one-upmanship, and it's like "bro, I totally shaved this giant yak and there was lots of hair everywhere". There's that viewpoint, or: we work in complex systems; if we didn't we'd probably be earning minimum wage, if you understand how pay structure works. They are complex systems, and like, they are intertwined. Yes, that's why we have 3000 servers; it isn't just we like getting AWS bills. They all do something; they all interact together. Like, unravelling one bit of code will reveal other bits of code, because your computer doesn't run one bit of code anymore. You don't, like, type "10 some stuff in BASIC, 20 some stuff in BASIC"; if you're running that as a web service I'd love to know, although if anyone has any, like, Atari BASIC code, that would be really good. I mean, I guess, probably again not 0-day, like 3,000-day, but where would they get you in the headlines?

Another example was a bunch of years ago. My security team was going to lunch with another security team, and two of their security team were arguing over this thing (I'm being very vague in case they ever watch this), and one of them said, like, "well, I knew loads about this, I basically run a conference that's about this", and then kind of sat back, kind of quite "I've just won this round", and then the other person retorted with "yeah, this is what I did my thesis on". Only ever seems lovely. It's at that point I decided I never want to work with these people ever again. Not that I work with them, but I would never go and work with them anywhere, and I think the whole team unilaterally agreed that, while the lunch was lovely, it's all about the people. So don't be those people. Your culture can affect people in invisible ways. There is no convenient graph for people who quit the industry because they were burnt out, or people who went to quit doing InfoSec and started doing, like, just being a developer or ops because they found it a much friendlier environment. I think the developers' space is generally really friendly; they're welcoming and they just love talking about the code they've written, or the language they're into, or the JavaScript framework of the week that is currently being rewritten, whereas, like, ops people mostly can agree talking about whisky and JVMs, whereas similar InfoSec people would say, well, this group can talk to this group, and there are lots more tiny islands and there seems to be much less people talking across to each other, and that has implications.

Just don't go too far. If you've heard of Dunning-Kruger, it's the inverse of impostor syndrome and is never worried about by the right people: the people who are like "no, no, I totally know what I'm doing and I'm brilliant at everything and I won't let you do anything". Like, yeah, I'm just gonna go and look at whatever local job-hunting website people use, I can't remember. I think anyone who's attending a talk on impostor syndrome probably doesn't need to worry about Dunning-Kruger, and if you do, I'm more than happy for that mistake to have been made on the off chance.

I realized lunch is after this, so I will be rapid because everyone wants to eat. Be understanding. Be understanding to people. (Firing my editor: "stand under people", like, "a be", this is hard.) Be kind to yourself, even if you're drugged like me. So self-care is not really a thing this industry is famed for; like, high-profile deaths due to opioids is not self-care; attending Vegas in summer is not self-care. Do the Vegas and seek help. There are super friendly people in the industry; they're probably quite busy being friendly to people. Like, therapy is a real thing. I'm English and I talk to a therapist; this isn't, like, an anomaly. It can happen. Even, like, yeah, uptight English people occasionally can realize maybe I could talk to other people about things rather than just bottling it all up and becoming a US postal worker. Too soon? Really, in America's history? And this, like, affects people differently. Confidence, or having a narrow competence, often comes with having privilege. If you're a migrant worker, you lose your job and get fired, you are not gonna be quite as confident as "oh, if I lose my job I can just go back to my large trust fund that my parents gave me". Like, oh yeah, no, you're gonna be more confident because you have a lot less to lose. Why are you even having a job? I hate you, Nathaniel, etc. Arrogance also comes with privilege for the above kind of reasons, so, you know, just don't work with those people, simple as.

I said, yeah, I'm just gonna tweet the link to Speaker Deck, which I keep spelling wrong. There's a bunch of actual resources on this: Scott's blog post, which is better than my blog post, I would say that, and then Blue Hackers, which is an organization on mental health in the tech community, which is very tied into the delightful effects of impostor syndrome. If that sounds like an environment you'd like to work in, come talk to me about jobs at Stripe. And thank you.