Charmsec

I skipped up an opportunity to do a "lightning talk" while at FIRST 2010 this year. I came up with the idea of talking about citysec, charmsec and how things have progressed. I backed out since I didn't have time to put my thoughts together in any sort of coherent talk. This post is instead a preemptive attack if I do have another opportunity and prevent me from backing out.

CitySec meetups. A simple concept of regular meetups at a bar by security geeks to talk about whatever they'd like. I'm not sure who came up with the idea or where they started. I know that Boston, Chicago, San Fransisco, and NYC all have been doing citysec meetups for several years now. There was a website and forum setup several years ago that appears to be completely stagnant.

In 2005ish @reyjar started Charmsec. After two or three months it faltered. I never attended. In 2008 a friend and I agreed we should revive the Baltimore meetup. We announced our first meetup on the DC security geeks mailing list. Charmsec 4 had three attendees, including my friend and me. Charmsec 5 had three attendees. This continued for some time. We changed bars, we had maybe 6-8 attendees. We changed bars again, time passed. We're now up to averaging two dozen folks attending each month.

If you live near a city look for a citysec. If none exists, think about setting one up. Here's some lessons we've learned:

• Think of citysec as using the Open Source model. That means a few things:
  
  • Low level of entry. It should be easy. Don't have RSVPs, don't have membership, don't have a steering commitee. Be informal and ask people to show up.
    It should be evident what citysec means to you. Charmsec is just charmsec and modeled on what we thought it should accomplish and look like. In another words: this is Baltimore's citysec. There may be many like it, but this one is ours.
    
  • Provide and recognize the value. charmsec provides value by offering a chance to get out of the house/office and drink beer and network with fellow like minded individuals. It's not on vendor presentations, job hunting, or gaining CPE points.
    
• Twitter is a multiplier. The level of participation you can gain by announcing and leveraging twitter royally trounces any mailing lists, forums, websites, and generates more word of mouth.
  
• Location, Location, Location. Be central and fairly easy to get to. The bar should not be loud. It should have a decent beer and food menu. It should have table service. It should take reservations. Bonus points if it takes reservations via tweet like @slaintepub.
  
• Consistency. Use the same location, and pick a day of the month and stick to it. Don't be afraid to experiment to find a better venue or time but it should be irregular and include lots of reminders of such a change.
  
• Expect low turnout for the first several. Charmsec didn't get any consistent level of participation past 5 attendees until at least charmsec 10.
  
• Expect to lead and direct the conversation until the meetup finds it's legs. Ask questions, introduce folks, and play host until you're not needed to. Then stop.
  
• Don't be harsh to vendors, hackers, govies, risk managers, auditors, college kids etc. Avoid geek wars.
  

Grant contributed to this post. This is appropriate since he built charmsec to what it is today while I was busy making a family. Did I mention that Charmsec 26 is tonight, Thursday the 24th at 7:00PM?