I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap. Sorry folks, but yes, that includes coverage from people I like. If you believe a lot of what you read, you would think that a lot of people were “duped” into following/friending/linking/whatevering Ms. Sage. This shows a gross lack of understanding of both social networking and the security community- both on the part of the journalists, and to a lesser extent, the researcher.
The people who “over-shared” really are a problem, and it may be interesting to see what Thomas Ryan (the person behind Robin Sage) presents at DefCon. It looks like s/he got a lot of sensitive information from people who should know better- three letter agencies, military, and more. Interesting, but “people are stupid and gullible” is not really ground-breaking, nor is mining/abusing social networking to prove this point a new idea either. It does sound like the scope and scale may be noteworthy. But not new, and being a skeptic, I’m not sure it is newsworthy.
Where things fall apart is the nonsense over stories which pretty much proclaim that MILLIONS OF SECURITY PROS DUPED, and point to the number of friends/links/etc. the virtually perky Ms. Sage gathered. I would like to point out four things:
- Different people use social networks in different ways. Just because someone accepts your connection request does not mean they are fooled by you. They may not even care if you are real or fake.
- Maybe they (sadly common) think that more connections means they are more important.
- Maybe they are public figures of some kind, and accept most requests as a matter of policy. If people are careful with what information they share, there is nothing wrong with this. Nothing. It is voluntary, get over it. It is how Social Media and Social Networking work for many people. If you don’t like this approach- don’t use it.
- The decision to accept may be based on connections offered (via friend-of-a-friend linking) instead of being based on the person making the request. Again, if you are cautious about what you share, there isn’t a risk here- even if it is a pretty shallow move. Robin certainly had some interesting friends/links to entice people. Put another way: Some days, the wingman scores.
- Once Robin Sage became fairly visible, the drama got interesting and a lot of people began following/linking to the myriad of Robin Sages (yes, there were clones and evil twins, too) just to watch the train wreck. I was one of these, and like many others I had my suspicions- but didn’t care if she was real, fake, or just another troll, there was entertainment. People were not duped, they grabbed a beer and some popcorn and watched the show.
- Robin Sage was called out. Spotted. Thoroughly outed. Many thought “something was fishy”. Some people did actual research and provided real details. People had to connect/accept to do the research and confirm their suspicions. The press almost completely missed this critical point. They also missed the fact that once this was widely known, even more people connected to and followed Robin to watch the evolving train wreck mentioned in point 2.
- Mr.. Ryan apparently convinced (socially engineered) much of the media into thinking this was something it wasn’t, then and the result was not journalism, it was an embarrassment.
Jack
[Note: since posting, the question of linking to specific examples has come up. I debated it while writing this post, but in the end I decided that the issue was so pervasive that calling out specific writers or articles would not have been productive.]
6 comments:
I couldn't agree more, Jack. When I read the article, I chuckled and immediately thought "they don't get it". A truly uneventful event. I guess there just isn't enough else going on to report...
Nice take Jack. When s/he requested the connection with me, I fell for the extended trust thing and made the connection, but I certainly didn't share anything with him/her other than the list of friends which is already public on FB. Still, it made me rethink my strategy on how I personally use facebook, what I want from it and what I want it for.
I know Tom well, and I'm not surprised he pulled this off. I connected to "Robin" on LinkedIn, seeing "she" was connected to people I knew and trusted, etc. I actually thought she was one of my SANS students, who I link to often. you make a great point, though - connecting isn't really the issue here. Oversharing is. I share NOTHING sensitive on LinkedIn, it's basically a big address book for me.
As for the media circus, I think it's cyclical. We were due a new round of "security bullshit" for everyone to get freaked out about. This has to be the most drama-laden field outside of professional sports.
Perhaps it's true that there's nothing new or novel about this research. But then there's certainly nothing new or novel about this press coverage, either.
All good points. I specifically agree that the media coverage over the last week is much of the problem in that the "hype" of the now several articles does not match the reality of the situation back in late December/early January. Tom responded to a post I made last week, and I specifically asked him to include among his results the data that wasn't shared in the press, specifically regarding "Robin Sage" being called out by numerous people.
Wasn't this done a while ago more successfully with an actual "name" in the security community (I can't, remember) someone like Bruce Schneier or Dan Kaminsky. Yet due to the lack of social engineering on the media it wasn't widely reported.
Post a Comment