security small talk

[i'm republishing this secmeme post here because, although the topic is more fitting for secmeme, the intended audience is better addressed here - and if you're like me, you probably hate being directed to some outside site when you're going through your RSS feed.]

pursuant to a brief discussion i had with @diami03 (aka michelle k.) on twitter earlier today, some thoughts popped into my head.

specifically, with regards to how well known the concept of the nigerian 419 scam is, i said

she was not happy with that. admittedly it was a rather crass way of expressing the principles i had in mind, but i stand by them (even if i also find them disappointing).

put differently there are two things in play. the first (and probably the one most are familiar with) is that people often prefer to be entertained rather than informed. if i'm being totally honest, i feel the same way sometimes.

the second is that (at least to my mind) a good indicator of how well our culture has assimilated a particular piece of information is how easily/frequently that information finds its way into everyday chatter (i.e. small talk).

now normally my memetic ramblings are intended for the broadest audience i can manage, but this is a special case. injecting security into small talk logically must start with the people who are security aware. many security geeks probably already do this to a certain extent - after all, if people can talk about the weather or last night's game, why not security topics too?

now i'm not the best person to advise on how to engage in small talk (far from it in fact) but there are a few things i think are self-evident. first and foremost is that this is not an opportunity to give a lecture, or to talk like you're presenting at a conference. most people don't want to go back to school and if you start sounding like a teacher they're going to tune you out. so how can you shoot the breeze about security with non-security folks? here are a few strategies:
  1. everybody loves a spectacle so keep your eye out for them and use them opportunistically. database breaches aren't sexy or interesting, but sony's loss of over 100 million private records breaks the boredom barrier by sheer size alone. so much so, in fact, that you may well find that people have already heard about it in the mainstream media. that's a bonus, it means you can talk about something they've already heard about.
  2. if they're really your friends then it stands to reason that they have at least a modicum of interest in how your day was. did you see a nigerian 419 scam in your email today? great, mention that in passing. did you see two or more of them in the same day? even better. after all, how many dead princes (or whatever) can there really be out there? if wealth and death are as strongly correlated as those scam emails suggest then i think i'd rather stay poor.
  3. when you mention things that you think might directly affect them, you're showing concern about them, you're showing an interest in their well-being. everyone wants their friends to be interested in them in some way so that display of interest should make them perk up their ears and take notice. i used this strategy myself with the epsilon breach, sending links to the list of affected merchants to some of my friends so that they could look over the list and see if the breach was likely to affect them personally.
if you're concerned about the quality of information that is passing from person to person, it's up to you to help put better information into the mix. don't be afraid to throw in a few security topics when chatting with friends. they probably already know you're a security geek so they'll understand why you're interested in it, and if you can make it even a little bit interesting for them then they might pass it along.