What happens when you leave your work laptop unlocked in a public space? Perhaps some unknown person accesses it, copying source code or revealing company secrets in some way. Security teams the world over have implemented policies to auto-lock screens and such, but at early Twitter we made a game out of this in order to help raise awareness. The game was simple: if somebody left a laptop open with email access, we would simply send an email to the whole company declaring the sender “A pretty little flower.”
This game had been going on long before I worked there and started as just a simple email. Over time it slowly developed into a bit of a challenge to do better and more interesting emails. At one point an email was sent to the whole company that appeared to be an accidentally addressed notice of an unpaid bill. (A copy of this was posted on the alumni Slack at one point, so I have the actual text.)
We regret that we are unable to fulfill your request for a promoted flower at this time because your account is seriously past due.
On December 11, 2010 we called your attention to your account balance in the amount of $80,000 for services rendered in the delivery of promoted flowers. According to our records we have not received either a reply to our letter or a remittance to clear this account.
We extended credit to you on your account in good faith and expected payment under our normal thirty day terms which we feel are most reasonable. So that no further action on our part will be necessary, we shall expect a remittance by return mail or the courtesy of reply to our letter as to why payment is being withheld.
Of course this got the attention of everybody, and the responses and kudos were immediate. This also upped the game a bit; no longer was “I’m a pretty little flower” enough.
My contribution to the craft came when the whole Operations Engineer team arrived for a meeting in one of the biggest conference rooms in the office. A single laptop had been left behind, unlocked, and it just so happened that the brand new VP of Operations had sat down in front of it. He hesitated to do anything, so I jumped in, quickly sent a flower email, and returned the laptop to its position. Within a minute or two the owner had come back, grabbed the laptop and returned to his desk. The email was simple:
I brought in brownies for everybody, please stop by my desk and ask if you want some.
The intention was simple: I just wanted him to be annoyed by people stopping by looking for brownies. The whole team waited with bated breath for a reply to the email admitting that no brownies existed and people should stop coming by, but nothing came. The team was disappointed to not have some kind of feedback on the successful flowering.
The next day, however, we got an email from the victim declaring that he had received so many replies to his (my) email that he decided to bring in brownies for real, and even better, he thought that the VP had flowered him and not me. So not only did I manage to teach a security lesson, and do so without getting the blame, but I also managed to manifest brownies for the office by doing so!
The takeaway for an SRE is that gamifying security practices can actually help improve your overall security posture and raise awareness of otherwise boring best practices, and in some rare instances it can even give you access to snacks.