Since I've been writing about IT security for more than half a decade, one would think this stuff would come naturally to me by now. It used to be easier when all one had to do was stay away from e-mail attachments and links sent by strangers and let the IT guys deal with the rest.
Then social networking came along.
Facebook. Twitter. LinkedIn. Foursquare. I use all but the latter, and I'm finding it harder all the time to adopt the very best practices I've been writing about.
It's not that I don't try. I'm careful not to put information like my house address on there. I shun Facebook applications like Farmville and Mafia Wars because while they don't interest me anyway, more than a few security practitioners have told me they are easily exploitable by the dregs of online society.
I change my passwords regularly because I'm always worried that someone has figured one out, even though some smart people have argued that passwords are useless no matter what you do.
I can't for the life of me understand why anyone would use the fairly new Twitter feature that tells your followers the exact geographical location you are tweeting from, or why anyone would want to tell the world they're eating lunch at their local Olive Garden or shopping at Home Depot via the Foursquare application.
In both cases I'm reminded of a comment Bill Boni, VP of information security at T-Mobile USA, made to me last year when I brought up Twitter: "Twitter's a great thing to use if you want to get your butt kidnapped." (Editor's note: We've tried to illustrate the point; see The Final 5 Tweets of Harold Wigginbottom, Tech-Savvy CEO.) Boni repeated the comment onstage during a panel discussion I was moderating, warning his audience, "Don't be a twit."
This morning I was flipping through the slides security researchers Tom Eston, Kevin Johnson and Robin Wood cooked up for the "Social Zombies: Your Friends Want to Eat Your Brains" presentations they gave at DEFCON 17 and ShmooCon.
The further in I got, the more I was hit with an uncomfortable realization. As careful as I am on these platforms, I still put my privacy at risk all the time. (For more on this, see "Six ways we gave up our privacy".)
When I go on a business trip I post about it, like when I traveled to New York City last week for a presentation, or when I went to San Francisco for RSA in March or Washington D.C. for ShmooCon in February.
One of the great things about social networking is that you can share nuggets of information from these events with security pros who wanted to make the trip but couldn't. The downside is that while you are not giving out your precise address, it's not hard for someone to figure out where you are if they really want to know.
I've also used the Facebook chat feature before, figuring it was safe enough. Then we heard about a flaw someone could exploit to spy on your Facebook chats.
On Twitter, I'm followed by many people I don't know personally. Nothing is unusual about that. I post a lot of content from CSO on there and most followers are there for the content, not for me personally. Looking through the list of followers, it's often hard to tell if any of them are imposter profiles, spam bots or the like. I'm sure some of them are, but I don't go through there every day to cull the herd. I don't have time. I'm not alone.
So in the big picture, I appear to have some difficulty practicing what security pros preach through the articles I write. I'll bet the security pros themselves struggle to swallow their own prescriptions for things like this.
You've heard it a million times over: Security is a game of trade-offs. When it comes to social networking, the lines separating those trade-offs are increasingly hard to see.
Use these platforms in a way that reveals as little as possible and you risk cutting yourself off from the audience you're trying to grow, especially in my industry. Reveal too much detail for the sake of gaining new followers and friends and you risk identity theft, computer infections or even physical harm. The same muggers who wait in dark alleys in your typical big city are lying in wait in the online alleys as well. Online, it can be much harder to spot them in time.
I'm searching hard for the right balance in all of this. If I ever find it, I'll let you know.