Dark Reading is part of the Informa Tech Division of Informa PLC
01:00 PM
Adam Shostack
Security Lessons From My Car Mechanic

What an unlocked oil pan taught me about the power of two-way communication between security pros and the organizations they serve.

I was in the shop the other day because my car was making strange noises, and the mechanic told me that the oil pan had come unlocked. It was going to be an easy fix, once they removed the engine to get at the clamp that needed replacing.

When I tried to get an understanding of how severe the issue was, he told me that it could bounce around and break other bits of engine. I think he thought I was some sort of drooling idiot, and thought about taking away my keys. He probably also looked down his nose a bit because I was behind on my oil change. (It’s probably a good thing that oil changes are less enforced than password changes.)

Four hours and more money than I care to count later, I came to a realization. I had no idea what any of that meant. More importantly, I had no idea if I was being taken for a ride. But far more significantly, I realized that my conversation with the car mechanic was typical of how we security professionals sound to the people who come to us with their problems.

No, actually, that’s a lie: We sound far, far less understandable. On a good day: “There was a drive-by download from a malware site and then some pass the hash…” And on a bad one: “There’s a highly critical XSRF vuln in the WAF and we decided to take your site offline immediately while we patch.”

Let me start by ranting about the term “drive-by downloads.” Are these exploits? If so, why don’t we simply talk about “browser vulnerabilities” and the exploit kits that select a payload that works on your browser? If they are, maybe we should banish the term “drive-by download,” say “browser vulnerabilities” instead, and -- more importantly -- point out that the fix is to keep your browser up to date. Similarly, “pass the hash” has come to mean a set of credential theft attacks, some of which no longer even involve hashes.

The second sentence is hard to understand for a different reason. First, it is acronym-heavy. More important, the judgment calls are overwhelming. Seriously, “highly critical?” I don’t even know what that is supposed to mean.

No, I do: It’s all about who comes up with these schemes. The answer, of course, is product managers trying to make their product’s report seem more serious. But no one is really served by a scale that starts at “very critical” and goes up to “extremely critical.” Reality includes moderate and low severity findings. This problem has gotten so bad that there are now companies whose entire business advantage is providing a better scale.

Or how about the statement: “We decided to take your site offline immediately.” Really? Did you think a little notification might be a good idea, first? Let me put you in touch with our marketing department about the promotion that we are running.

But I digress. What’s important here is that I worry when talking to car mechanics, and those seeking help from us worry in the same way.

The car mechanic has studied and developed a set of skills. He cares deeply about the problem in front of him, and wants my car to run safely and efficiently. He knows that a bad set of brakes, a failure in the steering, or a host of other issues could literally kill me or others. There’s an analogy here. Like my mechanic, security professionals have worked hard to develop a set of skills. We tend to care deeply about the problems. We want systems to run safely (and sometimes we even care about efficiency).

Then, someone comes in for what they think is a minor issue, feeling virtuous about trying to get ahead of a problem, and they leave wondering how the explosion of issues that they “must” fix came at them.

So what’s the takeaway? It’s not simply clearer communication, although that’s a big help. It’s also about understanding people’s budget, in terms of time, energy, or competing work. It’s about understanding what their competing priorities are. Perhaps my mechanic can understand that my pending tax bill makes it hard to fix something right now, and can advise that it needs fixing on a different time frame.

That understanding needs to be a two-way communication, and not just between me and my mechanic, but between security professionals and the organizations they serve.


Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ...

Joe Stanganelli
User Rank: Ninja
2/22/2016 | 8:15:27 PM
Re: Don't know what kind of car you drive
Further compounding the issue is the lack of agreement on what some of the acronyms and other terminology should be.  (Is it XSRF or CSRF?  Depends whom you ask.)
Joe Stanganelli
User Rank: Ninja
2/22/2016 | 8:13:05 PM
oil change
If it makes you feel any better, mechanics know that the "3,000" miles or "5,000" miles recommended for oil change intervals is largely hooey.  ;)
User Rank: Apprentice
2/22/2016 | 9:08:27 AM
Re: Don't know what kind of car you drive

Thanks for a great article and analogy. I'm sharing it with my ITSEC department. I am very strong on explaining the TLA's and FLA's and have made it my mission in life to check and make sure everyone understands the Three Letter Acronyms and Four Letter Acronyms and even more importantly what they mean and what we are discussing. I get a lot of respect and appreciation for that.

On a personal note, why an engine had to come out for a pump, I don't know, and I don't know what you drive, but pulling an engine out of any car and replacing an oil pump can't be cheap and I'm sorry that happened to you. It's pretty unusual. I'm into classic cars as a hobby. Be safe and thanks again for a great article.

Hal Elujah
User Rank: Apprentice
2/19/2016 | 1:03:20 PM
Re: Don't know what kind of car you drive
I bet your mechanic told you the oil pump, not the pan, was the problem. The pan bolts on to the bottom of the engine; the pump is inside. This kind of reinforces your point about being precise and understandable in the use of terminology.
User Rank: Apprentice
2/19/2016 | 11:46:59 AM
Re: Don't know what kind of car you drive
Thanks Randy!  True story!  And to extend the idea a bit: how do I go about finding a new mechanic?  It takes a lot of time and energy, and at least my car runs well after he drains my wallet.
User Rank: Apprentice
2/19/2016 | 9:33:48 AM
Don't know what kind of car you drive
-but if your story is true, it may be time to get another car mechanic. But the analogy is right on target.

"Eschew Obfuscation"
User Rank: Apprentice
2/19/2016 | 9:23:46 AM
Great Article
Appreciate your approach and understanding of how the "user" sees security and tech.  Your allegory is excellent.  Anything you can do to simplify and clarify security exchanges between tech and client is appreciated.  I'm no dummy, but I left business eight years ago and keeping up is difficult.  Thanks for a great article.
Charlie Babcock
User Rank: Ninja
2/18/2016 | 3:59:52 PM
From oil pan to buffer overflow
Adrian makes a nice, down to earth analogy between car repair and system repair, and how each is perceived by the customer.