Software, technology, sysadmin war stories, and more.
Friday, November 11, 2011

He complained about the prose and missed the point entirely

It should be obvious that I like to write. Sometimes, this leads to trouble when dealing with people who really need to find themselves a clue. Here's an example.

Not too long ago, I stumbled across a ridiculously big security hole in something I was working on. Considering that someone could have exploited it to basically throw the entire company into the wood chipper, I had to keep it super-secret until we had it fixed. This sucked, but I survived.

Once on the other side of the embargo, I wrote up an internal web log-ish post about what had happened. It included a bunch of details and was intended as a cautionary tale for anyone else who might have created a similar sort of hole. They should be wary of future RPC interfaces and also go back to audit the ones they have now.

Shortly after this point, one of the security folks saw my post and asked if I would be interested in making it into a piece for their internal security periodical. I obviously jumped at the idea and asked about restrictions or guidelines or whatever might apply. They basically left it open-ended, so I went to work, writing in my usual style (what you're seeing right here).

Not too long after that, I had a much bigger piece to submit. It had a bunch of code snippets, a whole walkthrough of how it happened in the first place, and also details about what we did to manage it. That is, the part where I freaked out, grabbed one other person for verification, then escalated to corporate security folks, and all of that. The idea was to show people how it works, that it can be managed, and you can get out the other side without boiling the ocean.

I sent it off and expected a quick "thanks!" and some space in their next publication. What I got was anything but.

Someone else on the security team came back and started raising issues with my prose. Apparently it was "too wordy" or "too talky" or something like that. Basically, this guy had his own ideas of what a post should look like, even though the first person who had initially contacted me had not given me any limitations or expectations for length, voice, or anything else like that.

At this point, I wasn't particularly thrilled with the environment inside the company anyway, so I told them they could take it or leave it. Naturally, they wanted to know what this meant. What, exactly, does "leave it" mean in this context?

I said, forget it. Just forget the whole thing. Leave me alone.

Then I published the entire article on the same internal system which I had used for my initial web log-ish post. I didn't need their help to get things out there. A bunch of people started reading it, and they had comments.

Here's where it gets surprising.

The comments they had were all about the security content and some of the code examples I put forth. I think I inverted some piece of logic somewhere, making it "allow all but deny some" instead of "allow none but allow some", or something like that. They caught it, we figured it out, and I updated my story and thanked them for their attentiveness.

That's right. The actual "security" guy was complaining about my writing style and totally missed a problem with the actual security content. Meanwhile, just random assorted non-security-focused engineers who read my post dealt with the content for what it was, found a bug, and we fixed it together.
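The inversion described above, as an added example that is not part of the original post and is not the author's or the company's code: a hypothetical RPC authorization check written first as "allow all but deny some" (it only rejects callers on a denylist, so anything nobody thought to list sails through) and then as "allow none but allow some" (default deny, where forgetting to write a policy fails closed). The method names, caller identities, policy tables and function names are all assumptions for illustration.

```python
"""Added example (not from the original post): an allow/deny inversion in a
hypothetical RPC authorization check, beside the default-deny version.

Every identifier here (ALLOWED_CALLERS, DENIED_CALLERS, is_authorized_inverted,
is_authorized, dispatch, the method and caller names) is an assumption made
for illustration, not code from the author or her employer.
"""

# Constructed sample allowlist: which caller identities may invoke which RPC
# method. The intent is that anything not listed is forbidden.
ALLOWED_CALLERS = {
    "UserService.GetProfile": {"frontend", "admin-tool"},
    "UserService.DeleteUser": {"admin-tool"},
}

# Constructed sample denylist, the kind of table the inverted version ends up
# consulting instead of the allowlist.
DENIED_CALLERS = {"UserService.DeleteUser": {"frontend"}}


def is_authorized_inverted(method: str, caller: str) -> bool:
    """The bug: 'allow all but deny some'.

    Rejects only callers explicitly listed in DENIED_CALLERS for the method
    and lets everything else through, including callers and methods that
    nobody ever wrote a policy for.
    """
    return caller not in DENIED_CALLERS.get(method, set())


def is_authorized(method: str, caller: str) -> bool:
    """The fix: 'allow none but allow some' (default deny).

    A call is permitted only when the method has a policy entry and the
    caller is explicitly on it. Unknown methods and unknown callers are
    rejected, so a missing policy fails closed instead of open.
    """
    return caller in ALLOWED_CALLERS.get(method, set())


def dispatch(method: str, caller: str, check=is_authorized) -> str:
    """Minimal stand-in for an RPC server entry point: consult the policy
    before doing any work on behalf of the caller."""
    if not check(method, caller):
        return "PERMISSION_DENIED"
    return f"executed {method} for {caller}"


# Constructed sample traffic, including an identity and a method that appear
# in no policy at all, which is exactly the case the inverted check gets wrong.
SAMPLE_CALLS = [
    ("UserService.GetProfile", "frontend"),
    ("UserService.DeleteUser", "frontend"),
    ("UserService.DeleteUser", "random-batch-job"),
    ("UserService.WipeEverything", "random-batch-job"),
]


def audit(check) -> dict:
    """Run the sample traffic through one check function and report which
    calls it admits, so the two policies can be compared side by side."""
    return {f"{method}:{caller}": check(method, caller) for method, caller in SAMPLE_CALLS}


if __name__ == "__main__":
    for name, check in (("inverted", is_authorized_inverted), ("fixed", is_authorized)):
        print(name)
        for call, allowed in audit(check).items():
            print(f"  {call:45} {'ALLOW' if allowed else 'DENY'}")
```

The audit pass is the part worth borrowing when going back over existing RPC interfaces, as the post suggests: feed each check a caller that appears in no policy at all and see whether it is admitted. A correct default-deny check rejects it; the inverted one waves it through.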

This really happened with my document, but it's also a lesson about sexism. Some people get hung up on the "wrapping" and miss the fact there's actual technical information inside which is the whole point of the conversation.

For those of you who focused on the tech, thanks. You rock.

For that security weenie out there, get bent.