There are two stages of a security career: Before you know the truth of what you read in the news on an incident, and after, when you know exactly what happened and can't say a single fucking thing.

There are compensating controls and defense complexities that delayed or simply didn't work in many cases, through even further complexity. A narrative of how the attacker made 1=1 is not the complete story but telling that is so full of minutiae and NDA it's basically not worth trying.

@SwiftOnSecurity

With respect: skill issue.

Storytelling requires understanding the full dependency tree of how the thing came to be, absolutely. And some of those factors may well be NDA'd.

But conveying the narrative of what happened does not require a full prospectus of those NDA'd components - it's fine to elide it to "a library function was called that had this effect".

Not every detail is required for the narrative to make sense and to provide useful information. Nobody cares what color hat Jack the Giant Killer wore when he climbed the beanstalk; they care about the goose with the golden eggs and how he got hold of it.

@SwiftOnSecurity

Much like with other kinds of infosec engagements, discerning and communicating the scope of what is pertinent to be discussed is a significant - perhaps even deciding - factor in effective communication.

@SwiftOnSecurity

You'll get more out of closing the blinds, cranking up some tunes, and dancing with wild abandon.

Communication isn't about precision of words; it's about describing the shape you have in your mind in a way that allows others to create that shape for themselves -

because telling someone specific instructions means there's a right and a wrong, and they'll constantly be second-guessing that they're wrong whenever any friction comes up,

but allowing them to build a mold and pour their heartstuff into it means that it's something within them, of them, by them, and for them, and their confidence they've got it right will be instinctive and whole.

@munin @SwiftOnSecurity

> Communication isn't about precision of words; it's about describing the shape you have in your mind in a way that allows others to create that shape for themselves -

Why would they believe this shape matches reality without precision (or at least ability to call up precision)?

@robryk @SwiftOnSecurity

It doesn't - nor can it.

The shape that is in my mind is unique to me, and will be different in many respects to the equivalent shape in yours -

I have, for instance, personal experience that "the red I see is not the red you see" - my umwelt, my experience of the world, changed noticeably during the course of transition such that objects which I had seen as a certain color beforehand were, to me, a different color later.

So any idea that exists within my head is going to be different than the idea that exists in your head, or Tay's, or anyone else's.

Precision is impossible.

But.

That's why metaphor exists. That's why imprecision exists. That's why we have a thousand thousand different words to describe things, so that the ideas we are trying to convey can be assembled in your head in a way that's meaningful to you.

I can give you the code, but you have to compile it - my binary won't run on your system, and if you try to run my binary it absolutely will not work at all for you.

All language is metaphor; all language is imprecise; all meaning is personal to the person perceiving it - so don't fight this; learn how to work with it - and you will learn how, in turn, to work with others more effectively so that they're able to understand your intent -close enough- that they'll work with you to achieve it.

Who cares if they're "exactly correct" in their understanding, so long as the work gets done and it's the way it needs to be?

@munin @SwiftOnSecurity

> It doesn't - nor can it.

> The shape that is in my mind is unique to me, and will be different in many respects to the equivalent shape in yours -

I'm confused -- how is this related to how well the model (either the one you have or the one you managed to communicate to someone) matches _reality_?

When someone tries to describe a model they have and I don't fully trust it's correct, I desire more precision in what they're saying so that I can evaluate it better. I could try to understand it fully first and then evaluate it, but that might take a lot more time and effort than us both figuring out the model's wrong in some way by having me choose pieces to ask more precision about.

@robryk @SwiftOnSecurity

No model matches reality.

The map is not the territory.

What's useful is whether or not you can use your respective models to work together, and you find that out by negotiating this during the process of working together.

Qoto Mastodon