Information Literacy Makes for Better Information Security

okay good afternoon and welcome i'm tracy maylief this i'm also known as infosec sherpa on twitter in case you know me this talk information secure information literacy makes for better information security now if you turn to your hymnal page 23 uh you'll be able to read the american library association's definition of information literacy so what i want to talk about today is i just want to help you all with my library science background to be better consumers and better disseminators of information i'm going to be using that that phrase a lot because i want to burn it into your brain okay so a couple notes here this is going to be very philly centric talk sorry not sorry

we will have some opportunities along the way i hope to give out prizes so i have goldenberg's peanut shoes if you know you know these are awesome and um yeah i just really want to give this talk today because i i feel passionate about this this topic you know again um you probably already know people are probably here sick of hearing me saying it but i was a librarian for 15 years i have a master's degree of library and information science so this is something that i care very much about and i also just wanted to share that again in case people are like well who does she think she is well i'm a librarian dammit who

who now works in cyber security oh and yes i am a security researcher for the krebs thomas group and i actually utilize a lot of my information security and library science skills there and i worked in i don't know if i'm allowed to call it a sock anymore after the last sean's talk i'm not sure but i actually had two sock experiences prior to this so i do have technical experience along with my library science and along with the other work that i do now so that is my street cred for you all right let's first cover some ground here what this talk isn't first it is not a debate okay so i'm not going to be

taking any questions from the audience unless i ask you so speak when spoken to people okay um um and then what this also isn't is i'm really not trying to make any political commentary or make any statements or anything you may roll your eyes at some things that i say but that's your problem not mine i'm really just trying to share good tactics and mindsets of how to consume and give information so what this talk is uh it's a guide to again i told you i'm going to be repeating it um i should i was going to make bingo cards for this talk but i realized that was a little bit too much extra even for me so um

again i want you to be better consumers of information and better disseminators of information that's all this talk is so don't try to look in and think that i'm pushing an agenda or anything i'm just pushing common sense and then this talk is also a nice place to sit for 30 minutes so if you really don't care what i have to say just welcome you might get a piece of candy out of it all right so of course the obligatory uh my thoughts and comments are mine my own and not those of my employer nor are they my thought the thoughts of any organizations with which i am affiliated that's a fancy way of saying if you

don't like something that i say in my talk bring it up with me later afterwards and the price to talk to me about this is a gin and tonic so be prepared that is how i will engage with you okay so what are we talking about here so pick your poison information can be poison right information can be helpful and it can be hurtful so you got your misinformation you got your disinformation you got your mail information so quick show of hands who's heard of the term misinformation before excellent all right who's heard of disinformation excellent how about mal information less hands okay awesome um so i'm going to explain what all of those are

so these are your standard definitions of of that oh and the good folks at sisa have now abbreviated this to mdm because believe me if you try to say misinformation disinformation mal information three times fast it's impossible and if you say it a lot you jumble your words so from now on mdm is this and that's not a club drug and it's not anything can key so it's misinformation disinformation mal information so what i'm going to do is so i'm not going to read the slides you all can read i presume if not please see me and i'll get you help um these are the definitions you think you might understand but i'm going to show you some examples of what

this really means here's an example of misinformation that that i'm gritty chase breaking news tracy is gritty she reveals it me i wish that were true but that's misinformation right that's it's not real it's false but it's also not necessarily harmful right i could laugh this off like haha yeah right i'm i'm gritty so that's just that's an example of misinformation and you know this could go a couple ways right this could just be fun and not be a big deal or it could go down a slippery slope right and turn into something more disastrous as we'll see here disinformation tracy is gritty burns down the world she's out of control save yourselves breaking news

uh how quickly did that get out of hand right that escalated quickly so yeah things can then be turned into disinformation you may already be familiar with the cut that meme of gritty and the flames you know what could that mean that could mean something fun or that could mean that i'm inside a gritty suit trying to burn down the world that's just disinformation that's harmful right that's harmful to my reputation to my well-being and then we look at mal information tracy's not gritty at all she's really a basketball fan hates gritty hates hockey hates you so let's talk about male information mal information is based on fact but it's used out of context yes it is true i like the sixers i am a

basketball fan but i still like hockey and i still like gritty they're not mutually exclusive but look how this true information that seems innocuous can be turned around into something bad so now what are they trying to do someone is trying the cbc sports is trying to turn all the gritty lovers against me look how easy that happened it went from ha ha oh my god that's so funny too whoa tracy's is unhinged she's burning stuff down and then oh my god that tracy she hates gritty she hates us oh my god you get it misinformation disinformation mail information it can get out of hand really quickly all right so you're like okay great lady you like

sports big deal okay so here are my talking points here so information can help but it can also hurt so my wish for all of you is to leave this talk as more savvy critical thinking consumers of information and responsible disseminators of information now i know that there's a lot in our community who take pride in pardon my language posting um but kind of like the ads for casinos you know the you know when big jackpots gamble responsibly um you know you know fine i'm not telling you not to post but please post responsibly you know that's really all i'm asking but to kind of turn this into more of of our you know milia here think of it as opsec you

wouldn't share true information that could compromise someone or something would you don't share false or ambiguous information that could also jeopardize someone or something to me it's as simple as that if you're still having trouble connecting the dots between information literacy and information security let me break it down this way you don't want to be making important security decisions on bad data or flawed intelligence that could mean in the heat of the moment of incident response or a status report that goes to upper management once your decisions or reports leave your hands you don't necessarily know where that information goes and what decisions it's being used to make being information literate means that you can confidently stand by your work

whether that information product is used to make c-suite-level decisions or just a playbook for your team and that's why i'm so passionate about this information matters and information illiteracy impacts all of us so what are my tips on this i promise some tools and tips so we're going to practice some ice cube sec you're going to check yourself before you wreck yourself okay i want everybody to keep that in mind when you're reading and disseminating information check yourself before you wreck yourself if you're not going to listen to ice cube then a we can't be friends and b it's just smart it's just absolutely smart so what are some tips okay so first of all provenance while this is a gorgeous

photo of france that's provence provolone is a creamy italian cheese that is delicious on a hoagie but i'm talking about provenance that means the origin of information where is this information coming from so i'll give you a good example a lot of times a local news service tv or newspaper will republish an associated press or a reuters wire story i've seen this too many times where the local news is now editing the the wire story they're leaving things out they're adding things in so you're really not getting the full story anymore but you don't know that because they're citing the attribution of the ap wire so it's understandable that you would take it oh okay they're

just copy and pasting the ap wire not necessarily if you look at them side by side so what i want you to do if you're click on an article if you're reading something and you see that it's by whatever source it's from and they they tell you very clearly that it's a wire article stop what you're doing go just google the title of the article or go to the associated press wire website look at it from the source that's what i ask is because that way now again i i this is why there's some slippery slopes here i'm not going to say that the information is is right as far as like you know left or right or politics i'm

just saying go to the source because i believe the associated press wire over some other site that i may never even heard of or some local news that may be editing it to get their own agenda across so go to the source think provenance and also look at it if you're looking at some some weird blogs well where are they getting their information from are they citing sources and that's important so think provenance and think lovely fields of lavender so another thing that's very important to me so one i really wanted to use this flavor flav photo but i also want to talk about the importance of time and date when looking at articles now

obviously date is important right because you want to know when it was written and time is important because especially for instances like a data breach or a war or something other breaking news you could have a story that was published 15 minutes ago that's already outdated that's already bad information and what i really love and i get i give extra points to the organizations that will show you when they originally published it and then the time of when they updated it it's like yes so that's really important think about that when you're you're reading information of when was this posted and how long ago was it because things move fast right thing you know if

you're looking at an article at the end of the day that was from 9 a.m so much could have happened during the day and keep that in mind so you might be looking at old information now that information might be good for historical contents context and notice seven hours is historical anymore right because how quick does information move so i'm not saying that you shouldn't read it at all because that might be a good base right but don't write a report or don't give advice based on something that's seven hours old because you know like milk sit now on the counter all day that's just that news is spoiled that is just not good news

all right everybody get a little bit of your ocean on this photo was making the rounds on twitter maybe about four weeks ago i think and yes it's you know people want to show their support for ukraine which i'm i'm not objecting to but they're using an old photo to do it so they're kind of emotionally manipulating you so if the photo here is two young kids one of them is saluting its tanks presumably filled with because again i don't really even know much more about this photo so i'm going to say presumably filled with ukrainian soldiers on a ukrainian tank and yeah it's it's cute and sweet and sentimental but it's from 2016 people it has nothing

to do with the current situation and i you know i got a little bit too philly and i decided to take on uh replying to people who were posting this saying this is from 2016. um so yeah that's not really the great way to do that so then i put my oh my own post up here of like look everyone this is from 2016. i just did a simple reverse image search it took me two seconds and there were so many different sources that posted it from 2016. and so of course the backlash i got was you're ruining fun there's no harm in it it's a slippery slope come on i showed you i went from tracy's gritty

to tracy hates all of you in you know in three slides so like i said i i think that people always think themselves well there's no harm in this girl there is harm in everything okay so this is what i want you to be mindful of be mindful of when things were posted date time who posted it was it reposted was it reshared so i'm going to leave it to allen iverson we're talking about citations we're not talking about practice we're talking about citations quick show of hands who knows this reference come get a piece of candy from me later this is later not later i know it's good candy but just wait wait um so we're talking about citations

here now i know some of you might be having some flashbacks from school of like oh my gosh i don't you know i don't want to put this information in in the proper i don't know which way to properly list the author and all that stuff i'm just asking you to be mindful of the contents of a citation and there's the different kinds here i don't did you know that different disciplines have their different ways of citing information so you know literature foreign languages they use mla i double e engineering so it's not that i want you to memorize this and memorize the formats i just want you to think about the ingredients you know what what goes into this so as

you're reading something does this have a date does this have a time do i know where it's coming from so and then when you're you're sharing information honestly now past me would cringe at this but honestly right now me i really don't care if it's in the price the right citation format if you just have the information of where you got something from you know what you're cool in my book okay i get really aggravated when i see people presenting things without citations now you're probably looking at my slides going okay hypocrite these are all hyperlinked with my citations when i post them for public consumption i will make it clearer but i just wanted to look pretty

my citations are there but for the purposes of this demonstration they are embedded so i just want you to think about citations and another way to think about it is real easy you want your who what who what where when why how you know this this is just a simple thing to keep in mind as you're reading or as you're sending information are you hitting all these points are all these points necessary is there anything you're leaving out um you know i give a talk called empathy as a service to create a culture of security and one of the tips i always give is listen to what the end users are not saying so here

when you read an article what's not being presented is the why not being presented is the why being being speculated or is it being cited to another source so that again this really isn't a heavy lift it's just something like you get you get used to with as allen iverson said previously in a slide practice you get used to it with practice and this makes you a better consumer of information and makes you information literate so i want to give a kudos to the register so not only do i know where it's coming from it's coming from the register and it was written by ann thompson he's a great dude by the way my twitter

friend ian you can follow me he's at ian thompson there um and then they the register always puts the date and time and the time zone this is i hate when i i hate when when stories post the time but they don't say what time zone okay well that's great is it sydney time is it you know istanbul time what time zone was it because again this matters now this also lists ian as being in san francisco now depending on what you're looking into this could matter so for example this is a tech article so you might ration in your mind of okay well he's in san francisco he's adjacent to silicon valley he's probably in tune with all

this stuff you know maybe and that's not to say that somebody in topeka wouldn't be tuned in to tech stuff but think about it more like geopolitical if somebody's writing an article and they show that they're based somewhere that's going to affect their point of view and their bias right so it's just something to consider where is this person writing the article from uh and just keep that in mind so now we're going to transition into some of the the tools that i think will help you um better kind of get to the bottom of wiping out disinformation and misinformation i said tools sorry i had to do that all right um also so quick show of hands

who's old like me and knows what that that logo is with the cat all right old people get your other candy from me um yellnins google it i'm not going to spend time explaining that so um the first resource i wanted to to broadcast is our friends at sisa they have created and i you know want to make sure everybody knows sisa.gov mdm all kinds of resources they have this great one here disinformation stops with you they have this two-page pdf with all kinds of tips you could even laminate it if you wish and you know when's the next gift-giving holiday give it out to your friends and family you know this is a very user-friendly

resource that's easy for everyone to understand and also a reminder for you so their whole site is really wonderful please check it out i'm really just a big fan of csun general and has nothing to do with where i currently work um thank you for those of you who got that um but yeah this is my number one go-to tool that i want to share with you is go to cesa.gov mdm there's a lot of tools there and i just wanted to show this one they have so much more so another one this only came out like the other day so honestly i don't have much more information to share about this but uh president biden has develo

has stated that he wants this disinformation government's board to be created under homeland security that is pretty much all i have to say and talk on the show about that um i know that some people are are are voicing their opposition to this um all i'm going to say about that is ask why why are they so afraid of of of information literacy becoming part of the government um and that's kind of that's the most i'll get into politics in this talk but um um keep an eye out for this you know coming soon to just into disinformation near you this governance board that is going to help you navigate these choppy waters all right so um yes i am going to post

these slides uh but just to let you know i have some tools here so yes of course i have the american library association why wouldn't i but yes libraries are a great source and librarians are a great source to get help with this so if you want to talk to someone one-on-one hit up your local library don't even get me started i have a whole hour talk that i could give about the value of public libraries um you know maybe hit up your your local library and just ask you know what do you recommend or do you have tools you maybe don't put them on the spot of like tell me what to do maybe

say do you have any sources you can recommend that i could look into about recognizing disinformation and oh i want something for my kids is there a children's librarian here who can help with that because also you need to start your kids young right we were talking earlier about starting kids yum with cyber security skills we'll start to teach them yum about recognizing bad information um just quick true story when i was a kid in the 80s um and please like raise your hand if you also heard this too the rumor going around was that you could get aids from mosquitoes i absolutely remember does anybody else remember that yeah like so you're outside at night as

a kid trying to have fun catching lightning bugs and it's like oh watch out there's mosquitoes you're going to get aids like you need to be able to teach the kids to understand and like and step and stand up for themselves you know like i don't think you're what you're saying is true i think you're spreading some fibs and because that's how kids talk these days but no empower empower your kids to be critical of information because again then they're going to grow up and that's stuck with me that stuck with you know all this time it's not i didn't forget it because it was so traumatizing uh so so anyway so i don't need to read

through all of these um but i just want to point out there's a lot of great resources out there so and the other one i just wanted to point out real quick is you see the pointer institutes media wise and media wise on espanol one of the problems is a lot of non-english speakers are being targeted specifically for disinformation you can just easily look up stories about the latino community there's a lot of covid vaccine disinformation purposely being being spread to them i know in india there's a lot of issues with disinformation going on so as bad as you might think it'd be in an it might be in english there's also groups of non-english speakers that are

being targeted and that's not fair i mean people especially when it comes to covet people die people have died from believing this disinformation that was targeted to them and that's that's criminal so again if any of you have uh people who would would better understand this information in their native language look for it online and that's another point that i i share just with security talks too if you have a user base that's that's in latin america or in south america are you giving them your security protocols as a company to follow in english and expecting them to fully understand it are you translating those materials into spanish and portuguese same thing with this all these warnings need to also

come in their own languages because expecting someone whose fourth language is english to fully understand these nuances of this complicated topic is just really unfair and a disservice to them so be mindful that there there should be and we need more translators to help with this to get more information out in other non-english languages so long farewell avidas so i want to give you a couple parting thoughts here i hope i hope this was was useful and helpful uh we have about five minutes left so i think i will have time for some questions and some candy distribution um or just candy distribution if nobody has questions so two things i want you to think about i

have these two slides here i want you to think about so first you better think think think about what you're trying to put out into the world when it comes to information so i want you to think now this doesn't apply to every situation but it could if you think about it is what you're reading or what you're putting out there is it true is it helpful are you adding to noise you might think that you're helping well i'm going to help save the world if i retweet this article about ukraine are you just adding to the noise like really are you really helping and also putting out information oh my hot hot take on this is going to save

the world is it is it really so think are you being helpful is it inspiring now some of the news that we share isn't particularly uplifting so maybe you can think about inspiring in a different way is this providing a call to action to change something because that could be inspiring right because a lot of times i think people see inspiring and they think warm fuzzies inspiring can also get somebody off their butt to do something like stop spreading disinformation is it necessary again are you adding to the problem i don't know about you but i want to be part of the solution not part of the problem so is it really necessary to share your hot take on the johnny depp

trial i don't think so i really don't think so and is it kind and again you can think of kind different ways you know are you slandering someone or you know is it you know again this is all kind of tied together so i want you to think true helpful inspiring necessary kind and then the last thing i want you to think about is do we have any rupaul drag race fans here woohoo if you'll remember rupaul's drag race season two episode one the lovely tatiana gave a spoken word presentation um called all the same parts and one of the best lines was because what you see isn't always the truth so please heed to

our lord and savior tatiana and remember that everything you see online isn't always the truth so thanks han i'm involved bulmer thank you [Applause] looks like i have two minutes and 25 seconds for questions or candy distribution any questions yes sir [Music]

yeah i'm just putting it out there because i want people to be mindful of the date and time and yes if something is developing then yes go back and see something updated i just don't i i understand your question but i'm just saying i just threw that out there because i don't know that people particularly pay attention to the time that things were posted and put that in context of the event oh and what i was going to say too is i forgot to mention this earlier i hate it um i wasn't going to call anybody out tech target but um some publications do not put a date or time on at all i've actually had to look at source code

which is that like a felony in missouri now i don't know where did that land i've actually had to look at source code for an article that i really wanted to use because i really wanted to get to the point of well when was this posted if i have to look at your source code you are doing a terrible job as a news disseminator so like i'm looking i'm not going to jail for looking at a date you know i mean that's just ridiculous so anyway yeah i just want to say this i just want to put i'm sorry i just want to give the context of if there is a good reason to pay attention to the the

date and time but thank you for your question anyone else you all just want candy hi hon yes uh why don't you come up so he's going to give a tip and i want everyone to hear it so why don't you come up here and i'll give you a piece of paper uh some of the things i usually do are look for earlier sources and then cooperating multiple sources and then also looking at uh who funded i forgot i'm sorry i'm glad you mentioned that sorry um this is my first time speaking in person over two years and i've been completely stressed out about this and i completely forgot thank oh here you that get your own damn candy um

um oh my god i forgot my kobe bryant story okay so the the day of the kobe bryant thank you helicopter accident i was on a train to new york and i started seeing uh in my twitter feed oh that's me telling me to shut up sorry let me just finish the story real quick the other guy in front of me ran over to so um so i i was on the train looking at my twitter feed and i started seeing people mentioning kobe but i was like i don't know like that scene this easily seems like it could be a rumor and whatnot so i remember i remembered that tmz really is a actually is a really good

resource when it comes to celebrity and la based news so i went to tmz's website and i saw that they were reporting it but i checked other places and they weren't reporting it yet and i wanted to say something because i grew up in the same county that kobe was from he went to lower marion high school and i went to a rival high school so of course i wanted to share my thoughts with the world because i think we passed in high school at some point or something like that anywho um but also i want to know whether or not it was true so i kept checking these other stories kept checking kept checking so what i normally do is and

some of you might be thinking ain't nobody got time for that okay but listen it really doesn't take that long i triangulate so i already had tmz and i kept checking kept checking and then cnn came through and then they were referencing tmz like what the gentleman was just talking about and then cbs finally reported and then they were citing tmz and other sources and then citing the the sheriff and and all this stuff that's when i was like okay this is true so damn sorry you know r.i.p kobe but then i felt comfortable proceeding to then tell people i texted my husband like did you see this kobe news so this is just what i do

personally about triangulation which i believe is what you were you're getting that sir um you also got into another level which is a little bit too deep for this talk was like who funds things um that's a talk for another time but thank you for bringing it up and reminding people so i will hush now um thank you all for coming i really appreciate it i hope this was worth your time thanks [Applause]