May 26, 2008

Information Security enters deadly embrace with Social Networking

It is often remarked that Information Security specialists are so good at their work that they lock out all threats, including the users. Meanwhile the rest of the world has moved on and done things like insecure browsing, insecure email, Google data warehousing of every one of your clicks, and Facebook. These ideas are worth billions in the right hands!

What happens when Information Security people wake up and smell the future?

I recently was invited to join a social network of Information Security people and got a chance to find out. I entered a few brief details in their browser interface. Let's be clear here, just because I was invited to a social network doesn't mean I am going to expose myself to phishing, mindlessly misdirected employment advertising, and other failures of the information age. So I entered some brief words such as the stuff that you already know from reading the blog.

Unfortunately this wasn't open enough for the newly-socialised IS people:

Could you please provide a more complete biography and photo? We have been trying hard to encourage the social part of the network and that is difficult when people are reluctant to provide information. I'm sure you will appreciate there needs to be a certain amount of disclosure in order to encourage mutual trust.

Just to be clear, *I totally agree with that sentiment!* I've worked all my life in the old meatspace equivalent of social networks - teams - and building trust is something that is done with disclosure. (In an appropriate setting.) So let's just sweep away all the Internet heebie jeebies of Identity theft, win-win negotiation, rule of threes, and so forth, and let me in.

I wanna disclose, guys, I wanna do it like I saw on those Hollywood movies where we all tell our story to a circle of tearful audience! Problem is, I can't:

From: Some nice guy <>
To: Iang <iang@i.o>
Subject: Some nice guy has sent you a message on Information Security...

[big snip]

Once you have provided this information we will be pleased to grant you access and look forward to you taking an active part in contributing to, and promoting, the network.

To reply to this message, click here:

To control which e-mails you receive on Information Security, go to:

I can't reply to the message, or more precisely, all replies to public email addresses are binned. Because of Information Security, as we know -- spamming, etc. OK, so I click on all the links, and it says:

Your Profile is Pending Approval

Hello, Iang (Sign Out)

Your profile details must be approved by the Administrator before you can become a member of Information Security. You will receive an e-mail once your profile is approved.

Clunk. This happened a few weeks ago and I'm now stuck with receiving a stream of well-meaning messages asking me to communicate with them, but they aren't listening. It's like being married; information security has now entered into a deadly embrace with social networking, and the result is enough to make one shave one's head and become a monk.

Posted by iang at May 26, 2008 07:06 AM

Why would you need another social network beyond PGP WoT? I have my photo and my contact details there. And also my relations.

Posted by: Daniel Nagy at May 27, 2008 05:08 AM

In my daily life, I try to minimize the amount of unnecessary exposure to risk. Most security professionals do that. I avoid giving out personal details unless absolutely necessary. When asked for ID to enter a building, I give out my British driver's license, not my New York license. I started doing this after a few instances where I handed over my N.Y. ID only to have it scanned into a database without my permission. Once dipped into the scanner, my ID number and a whole host of other information were in a database of unknown security. Both British and N.Y. ID establish identity, but only the N.Y. ID number is used by U.S. banks as a unique individual identifier. Also, I doubt the British ID can be scanned in the same scanners.

I sometimes get asked for a Social Security number by someone who clearly has no valid reason to ask. The most ridiculous example of this was a neighborhood dry cleaner that used the SSN as a convenient "customer number" in its database. In cases like those, I provide a fake SSN (my phone number, minus one digit) -- easy to remember, useless if compromised. Less information about me floating around equals more security for my identity.

Posted by: "Less is more (secure)" by Andreas M. Antonopoulos at May 28, 2008 09:20 AM