I’ve heard this argument before, and I get why people make it.
It goes something like this:
Why should I worry about online security? I’m just a small fish in a giant ocean of people, and nobody special. Besides, I mind my own business and I’m not ashamed of anything I do. It’s the billionaires and shady people who need to be concerned.
What, me worry?
In the actual ocean, there are trillions of small fish. These mostly swim in schools, where there is a degree of safety in numbers. If a bigger fish (or any kind of predator) wants to eat some of the small fish, they’ll have a hard time locking onto any single target at any given time since the whole school moves together in tandem, and this is confusing to the predators.
The fish on the outside are the vulnerable ones, which creates a sort of fish mosh pit as they compete to stay toward the interior. These are easy pickings, but from the perspective of, say, an anchovy, there is a very low chance that you’ll personally get eaten on any given day. There is, indeed, safety in numbers.
If only the digital world worked just like the ocean.
We don’t have to look very far throughout history to find con games.
Most famously in the 20th century, Charles Ponzi scammed some $210 million in today’s value from tens of thousands of people looking to mail letters overseas. The world was suddenly vastly more connected than it had been, and Ponzi saw a golden opportunity to trick a large number of people all at once with his infamous scheme.
Today, the threat of a con doesn’t come from slow-moving ships carrying letters across oceans, but instead from near-instantaneous satellite and undersea cables carrying data at the speed of light.
Even still, the fish analogy isn’t all bad! There really is safety in herdlike behavior, like getting everyone in your group to upgrade to two-factor authentication: everyone hates signing in to their email, but they are considerably less prone to attacks.
Still, if you conclude that you’re all set for the second quarter of the 21st century since you’ve been following most of the basic hygiene rules introduced during the first quarter of the 21st century, you might want to reconsider that point of view.
While it’s certainly true that higher-net-worth people are high-value targets, the inescapable progress in automating everything makes cons easier, too. Instead of citing a bunch of things that have already happened to small fish in the world, I want to talk about what’s now possible with conning folks. Here, imagination and a lifetime love of science fiction come in really handy.
Ever go to the bathroom or take a shower with your phone in the room? You’re thinking: sure, but who cares if someone sees me pooping? I’m nobody special, and besides, it takes so much to film someone and store the video, and it’s just all too much work.
Let’s unpack these assumptions.
Ever have a loved one go to the bathroom with their phone? If you don’t care about yourself, is there anyone else you actually do care about? If so, it’s really easy for a bad actor to threaten to expose information about that person in order to get you to do something.
This is something I’m placeholding in my mind as the fungibility of ransom, where people simply trade compromising information they hold about random individuals with people who are in a better position to exploit that info. Like dollars or yen, this ransom unit can be spent and traded on the dark web, to the maximum extent the ransom can be used.
You might be thinking that nobody is going to surveil you 24/7, and you might be right: but it might not matter if hundreds of hackers are capturing tiny snippets of credit card purchases over here, browser data over there—over time, a full picture emerges, and information is the key to exploitation.
And about video storage being expensive? I remember uploading my first ten-minute fight video (rare MMA footage from Japan, I think) back in the early 2000s, and it took a long time, but I was able to get a clip up and running on the web. Since then, I must have been a party to (including business) tens of thousands of videos, most of which ended up in the almighty cloud.
Surveillance footage is subject to many of the same scaling power-laws as computer chips, so you can expect this cost to continue to approach zero over time.
I’m going to stop here because I’m not an expert in cybersecurity, and there are folks far more knowledgeable than I am in this area who comment regularly here. Let’s see what they have to say today!
"Too many fish..." has also been used as a metaphor for the dating game: https://www.youtube.com/watch?v=AMwyJUVs-Mc
I worked around cybersecurity guys when I worked for TU (Tandy School of Computer Science). I really saw the department grow from 2011 to 2018.
https://utulsa.edu/academics/engineering-computer-science/academics/departments/computer-science/
There are no small fish in the dark internet; it only takes one enterprising young person, I should know, to really make a mess :))
https://utulsa.edu/academics/engineering-computer-science/opportunities/ecs-research/cyber/
I felt like a small fish in a large pond working in research.