Taking no for an answer
Open source (like many fields) rewards people who are confident and even a bit pushy. So we give talks encouraging folk to get over imposter syndrome, lean in, say yes to more things. But self-improvement shouldn't focus only on our most vulnerable members; it should also reach our most powerful. So let's talk not about saying yes, but about hearing no. Learning to take no for an answer can transform efforts such as security, diversity and mentoring where we have few experts or volunteers and great need. Let's talk about accepting "defeat" with grace, and how to take "no" for an answer while still moving forwards.
Open source (like many fields) rewards people who are confident and even a bit pushy. Those of us who go far are the ones who offered to fix bugs and followed through, who were ready to explain and promote our architectural visions, and who were ready to argue with people who disagreed with us. It can sometimes be a do-ocracy, where those with the time and the confidence to do things become leaders.
This confidence requirement is such a part of our culture that you’ll notice that we have many talks encouraging folk to be more confident, to conquer imposter syndrome, and to be just that little bit pushy. And that’s good, but I’ve often wondered why we don’t encourage our pushiest members to work on some self improvement too. So this talk is aimed not at our most vulnerable but at some of our more powerful, as well as those who want to become more powerful and effective community members.
So let’s talk about “no.”
In my day job of open source security, I like to joke that the biggest part of my job is saying no to people. No, you can’t skip testing because a deadline is approaching. No, you can’t merge that code without fixing the glaring security issue. No, no, no. I also say it a lot in my role running the Python Software Foundation’s summer mentoring program as part of Google Summer of Code. No, you can’t have an extension. No, you can’t participate without at least 3 mentors. No, no, no. And I say it a lot with respect to diversity efforts. No, I can’t take days off work to give a talk about being a woman in tech. No, I don’t have time to help you refine your latest diversity idea for free. No, no, no.
All those nos can upset people, and I’ve found that some of our most confident community members can be the worst at taking no for an answer.
Why is learning to take no for an answer so important? For security, I hope the answer is obvious: denying the existence of vulnerabilities does little to improve security. We have few experts in security, and if we work with more people who are collaborative instead of combative, we can improve more software. But for diversity work and even for Summer of Code, why is it dangerous to be pushy? It’s a similar problem to security: few experts, lots of work to be done. The number of requests I get for diversity work sometimes represents a denial-of-service attempt on my time. And it can be worse in the case of diversity because many people have been socialized to ignore or push boundaries on nos from those less like them, which can lead to even more anger and frustration. I appreciate that people genuinely care about improving our community, so that’s why I want us all to think about No.
No doesn’t have to mean the end of an idea; if you do your homework right and accept “defeat” with grace, you may find yourselves doing and learning things you never imagined.
In this talk, I will discuss the ways that people fail at taking no for an answer, giving examples in the familiar format of Denial, Anger, Bargaining, Depression and Acceptance. From there, I can talk about graceful nos, listening, and changing your assumptions. Finally, I’ll talk about improving your ask: how to do research, examine what you really need and how to make it line up with other people’s goals, and how to use no to build better ideas going forwards.
I've given talks as a teacher, as an academic researcher, as an industry security expert, as a human being, to all manner of audiences. In the past year, I've talked at Grace Hopper (a panel entitled "Securing Open Source Software"), twice at Open Source Bridge ("Bringing Security to Your Open Source Project" and "Internet of Things Militia: Paramilitary Training for your IoT devices") and at a private conference ("Skynet is Open Source: How automated software repair can use mutations to fix your bugs and possibly destroy mankind").
Links to slides, videos, and a longer list of my talks can be found here: http://terri.toybox.ca/speaking/
This is a new talk that has not been given before.
Terri has a PhD in horribleness, assuming we agree that web security is kind of horrible. She stopped working on skynet (err, automated program repair and artificial intelligence) before robots from the future came to kill her and then she got a job in open source, which at least sounds safer. Now, she gets paid to break things and tell people they’re wrong while working towards more secure open source and open web standards. She doesn’t get paid for her work on GNU Mailman or running Google Summer of Code for the Python Software Foundation, but she does those things too.
- Title: Taking no for an answer
- Track: Culture
- Room: B202/203
- Time: 1:30 – 2:15pm
- Speakers: Terri Oda
- Title: Sparkle security
- Track: Practice
- Room: B201
- Time: 10:00 – 11:45am
“Agent Sparkle, you have been recruited as a security expert to use your skills to protect the kingdom of Project Rainbow. You might not feel qualified yet, but Project Rainbow has great faith in your ability to learn.” Web security is perhaps one of the most fun types of computer security to master: exploits can be constructed quickly and without many tools. But sadly, while there are many tutorials, they simply don’t have enough rainbows and sparkles and the practice exploits tend to focus on the basics without flourishes. Project Sparkle is a set of “training missions” designed to make learning web security more kid-friendly, but we think the audience of Open Source Bridge will also enjoy exploiting the web to add more rainbows and sparkles!
- Speakers: Terri Oda