Tuesday, October 6, 2015

What's filling the vacuum?

Anytime there's some sort of vacuum, something will appear to fill the gap. In this context we're going to look at what's filling the vacuum in security. There are a lot of smart people, but we're failing horribly at getting our message out.

The answer to this isn't simple. You have to look at what's getting attention that doesn't deserve to get attention. Just because we know a product, service, or idea is hogwash doesn't mean non-security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately, when you're talking about extremely complex and technical problems, they listen to whoever they can understand, as there's no way they can determine who is technically more correct. They're going to follow whoever sounds the smartest.

If you've never seen the musical "The Music Man" you should. This is what we're dealing with.

Rather than dwell on it and try to call out the snake oil, we should put our effort into the messaging. We'll never have a better message than this group, but we really only need to be good enough, not perfect. We always strive for our messages to be perfect, but that's an impossible goal. The goal here is to sound smarter than the con men. Unfortunately, this is harder than it sounds.

We can use the crypto backdoor conversation as a good example. There are many groups claiming we should have backdoors in our crypto to keep ourselves safer. Security people know this is a bad idea, but here's what the conversation sounds like.


We need crypto backdoors to stop the bad guys, trust us, we're the good guys


<random nonsense>, backdoors don't work

We don't do a good job of telling people why backdoors don't work. Why should they trust us, why don't backdoors work, who will keep us safe? Our first instinct would be to frame the discussion like this:

  1. Backdoors never work
  2. Look at the TSA key fiasco
  3. Encryption is hard, there's no way to get this right

This argument won't work. The facts aren't what's important. You have to think about how you make people feel. We just confused them, so now they don't like us. Technical details are fine if you're talking to technical people, but any decent technical person probably doesn't need this explained.

We have to think about how we can make people feel bad about encryption backdoors. That's the argument we need. What can we say that gives them the feels?

I don't know if these work, they're just some ideas I have. I've yet to engage anyone on this topic.

What are things people worry about? They do value their privacy. The old "if you have nothing to fear you have nothing to hide" argument only works when it's not your neighbor who has access to your secrets.

Here's what I would ask:

Are you OK with your neighbor/wife/parent having access to your secrets?

Then see where the conversation goes. You can't get technical; we have to focus on emotions, which is super hard for most security people. If you try this out, let me know how it goes.

