Shostack + Friends Blog Archive


In the Spirit of Feynman

Did you notice exactly how much of my post on Cloudflare was confirmation bias?

Here, let me walk you through it.

In our continuing series of disclosure doesn’t hurt,

Continuing series are always dangerous, doubly so on blogs.

I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.”

See, I even own up to the bias here. I wanted to point out. Not here’s my analysis, not here’s a list of facts that we can gather, but here’s what I want to do.

So some takeaway actions:

Why these actions? Just because I’m an expert who’s been arrested by stormtroopers? That’s not a reason to listen to someone. (On the other hand, you should apply great skepticism to anyone who hasn’t been arrested by stormtroopers. Not because that arrest matters, but because you’ll end up a lot more skeptical, which is a good idea in general.)

Your takeaway from this post should not be to unsubscribe, but rather to apply the spirit of skepticism, to ask why, and to read a little bit more critically. Those techniques serve us well in every field we apply them to. We’ve tested them over and over, and found that they move fields forward. We can’t blindly expect the same in infosec. But we can reasonably think that a more scientific approach to our problems, including disclosing them and discussing them, will move us forward.

Thanks to Phil Venables for giving me a perfect Richard Feynman essay on which to talk about my own confirmation bias.

I invite you to look for such biases in your own work, and to talk about it. Admitting mistakes helps us learn from them.