Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

on Unfair Judgement

Recently I was leaving a store after doing some Christmas shopping; as I entered my car, someone recognized me and waved – this is the story of what went through my mind in that moment, the mistakes it revealed, and the regret that went with it.

For those that are here in hopes of an article on information security or development, please pardon the interruption; this is about human nature. I know the value of your time so I try to diverge from my normal topics as little as possible, but this incident was striking enough that I thought it worthy of publication. In the days since this event, it’s bothered me deeply.


Christmas approaching, the sound of bells in the air, stores crowded and parking lots jammed – a typical late December scene. I walk to my car, large white bags in hand, more relieved to be away from the mob of people who now inhabit every retail outlet than excited for the festivities ahead. A few feet away from my car, I reach into my pocket and press the button to open the trunk; once the bags are secured, I press the button to unlock the door as I withdraw them from my pocket. Although I have nothing else pressing to do, I don’t waste a second of a step. I want out of the circus.

The door open, stepping in, I see a wave through the windshield. Standing next to the car across from mine, a man stands, a smile on his face – he’s clearly recognized me. I’ve seen his face, but I can’t place it. I’m sure I’ve met him, but I couldn’t say where or when. I smile and nod.

He hesitates for a moment before getting into his car, he’s waiting for something. He’s waiting for a further acknowledgement, he’s waiting to see if I’ll speak to him.

Who is this man? Where do I know him from?

I take a closer look at his face – I’m sure I’ve met him, but where? I look at his clothes, no hints there. I look at his car, and here I make the mistake. It’s older, red, a cheap Asian import, a bit beat up, cracked windshield.

In that instant, I put him in a box – lower-income, non-technical, not in my immediate social circles. Maybe a barista at one of the coffee shops I frequent, or a member of my company’s helpdesk – there’s enough turnover that I don’t recognize many of them. Or maybe he’s that new cook at a restaurant I visit often.

I didn’t consider that he could have attended one of my talks, or that we went to the same user groups, or that we met at a conference, or any of a thousand other possible ways that I met him. Why? Because the box I put him in didn’t allow that.

I closed the door without further acknowledgement. I wanted to leave, I couldn’t remember where I knew him from, there was no point in staying.

He stepped into his car and left.

In the moments that followed I realized that I did, in fact, know who he was, and that I had judged him in an entirely unfair way. He’s a developer that I met at a conference earlier this year. He’s funny, insightful, extremely knowledgeable. I avoided a conversation with him because I put him in a box, I avoided a conversation with him because I judged him wrong, I avoided a conversation with him because of his car.

I had just criticized people for placing things into boxes, rigidly defined, potentially incorrect, likely oversimplified, boxes – and I found I did the same thing. How unfair. Had he been getting into a nicer car, I’ve no doubt that I would have known who he was.

Moments later, sitting in my freshly waxed BMW, lost in thought, guilt began to set in – not only did I judge him for the car he was driving, I presumed he would have similar priorities to mine, that he would make good money, that he had good opportunities, that he didn’t have more important ways to spend his money.

Maybe he donated his money, maybe he was stuck in a low paying job, maybe his family had medical issues, maybe he just wanted to keep his life as simple as possible. There are a thousand reasons that this person wouldn’t be driving the kind of car I expected, the kind of car that I expected a good developer to drive.

I still feel guilty – guilty that I misjudged him, guilty that I avoided a conversation because I didn’t know who he was, guilty that I put people into boxes based on something so silly as the car they drive.

My friend, I am deeply sorry.


