0ph3lia wrote an excellent post against the "ignore them and they'll go away" approach to combating charlatans, which got me thinking about things we could be doing better to educate and spread awareness. We as a community need to move past the silly notion of ignoring fraud and instead focus on the more valuable and righteous thing to do.
To summarize, here is a short list of reasons why ignoring charlatans doesn't work, and why I felt compelled to write this lengthy tome:
So, given the problems with doing nothing (or not enough), and because I enjoy bossing people around, here is my not-so-easy guide on how to combat frauds besides incessantly bitching on Twitter:
Being vocal is important, but an uproar on Twitter is too ephemeral and diffuse to properly educate the public. You may get the word out to your followers; if you're lucky you might even get a bit of wider exposure via retweets. This helps to spread the word around to the infosec community, but we're already a community pretty rigorous in doing our research and calling each other out on bullshit. All our tweets and retweets, even when tagged or directed to the media, simply do not receive much attention outside of the community.
Got beef? Write about it, and use more than 140 characters. Back up your assertions, show proof, and be as intelligent and articulate as possible in doing so. I know the urge to full-force rage is powerful, and doing so is immensely satisfying, but remember your audience. The harder you make it for a reader to dismiss you as an adolescent with a chip on his shoulder (and sadly, many will), the more likely your message will stick.
Reward the rare few who are willing to do the very minimum of a cursory Google search with a slew of information. Suspect the fraud of manipulating stock prices? Crunch the numbers. Think that security tool or book might not be all it's cracked up to be? Analyze it. Go into technical details and produce verifiable results. It's incredibly easy to say "I read his article and it is full of lies," or "that book was a complete joke," but unless you show why, it's just more noise. Perhaps a more curious person will see people's rants and dive deeper into the "why" themselves, but remember that most people being duped probably aren't in the habit of digging so deep.
Again, keep your audience in mind; you're not writing for the infosec industry, but rather for those we hope to influence. Everything you write, from blog posts to emails, must have a concise and easy-to-read summary preceding all of the technobabble.
While doing all of the above is great, keep in mind that many of the people we are trying to reach do not research a person's qualifications and reputation. This makes it incredibly important to take an active role in making sure the information you and others have produced gets read by those who most need to see it.
Is the incompetent infosec darling du jour presenting at an otherwise respectable conference? Appearing on CNN? Showing up at a local community college to corrupt impressionable young minds? Don't fall into the armchair activist role of firing off snarky @-replies and thinking you'll change the world. The reality is that most people don't like to be told they're wrong, especially not in the form of "WOW YOU GUYS SUCK DO SOME FACT CHECKING NEXT TIME, IDIOTS". Is it the truth? Perhaps. Is that sort of unsolicited brutal honesty going to get your point across? No.
The point is to seek out and inform people who are being duped. Remember, it's the fraud who's the bad actor; those duped may be ignorant, but they are still victims. Write them an email and politely point out (with links) why so-and-so may not be the best choice for the job. No email? Construct a polite open letter and link to it in your @-reply, or at the very least, provide a few inline links. Also remember low-tech: not all institutions have embraced digital mediums. Don't be scared to send a written letter, send a fax or pick up the phone.
A note on links: While it is infinitely easy to just paste a link to the charlatan's attrition.org page, a diversity of sources is important. A link from one source can be easily dismissed as a grudge; using a variety demonstrates how widespread criticism has become. Many institutions are very protective of their reputation and public image and showing that their prospective client is universally reviled may persuade them to reconsider.
It is my hope that this list will encourage people to become more proactive about outing and criticizing frauds. While I can't convince anyone to become passionate about such issues, I do hope that those who are already concerned and frustrated will find some of this useful. Unfortunately, this is not one of those causes where one can simply send in a check and be done with it. We're going to need to get off our asses for this one.