Are you an infosec troll?

This post requires a soundtrack. Cue the music.

It's a tricky thing to be critical of a practice that means different things to different people. Take infosec trolling, for instance.

You could even say I'm being a troll with this post. I'm not trying to be, but let's look at what the word means. First, this definition from Wikipedia:

In Internet slang, a troll is someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as an online discussion forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.

Actually, I prefer this definition from Urban Dictionary:

Being a (expletive deleted) on the internet because you can. Typically unleashing one or more cynical or sarcastic remarks on an innocent by-stander, because it's the internet and, hey, you can.

Guy: "I just found the coolest ninja pencil in existence."

Other Guy: "I just found the most retarded thread in existence."

This stuff goes on all the time in the security community. But I haven't made up my mind on whether it's a good or bad thing. That's why I'm writing this. I want feedback.

When is it useful to be a troll and when is it not? Here's how I see it right now:

Going on a tirade about a particular company or individual isn't bad in itself. Some entities won't do a thing to improve their security practices unless they become the focus of negative torrents of tweets. It's sad, but that's the reality.

But trolling gets ugly when it involves name-calling and attacking a person's character. There's a lot of that on Twitter and in the blogosphere these days.

I thought about showing specific tweets and posts as examples, but changed my mind when it occurred to me that I'd be doing the very thing I've just been critical of.

The poisonous trolling is like porn: You know it when you see it.

Some would call Anonymous and LulzSec trolls. They wind up followers for a little while about "something big" they have going on and whip people into a frenzy, then they drop the news of who they've managed to hack and what kinds of embarrassing information they've found.

Some might call that useful, because they are exposing the ineptitude of organizations we trust with our personal information. I see a dark side to what they're doing, but instead of getting back into that, I'll just refer you to this post.

Some might classify my posts on booth babes last week as trolling, though that's not how I felt about it. From my perspective, I was making note of what I see as a vendor practice that's in bad taste. Some suggested I was making a big deal out of nothing simply to get a reaction. To each their own.

I went looking for examples of good trolling vs. bad trolling, with the hope that we all might learn something.

I spent a long time going in and out of different forums where people opined about good trolling vs. bad trolling, but found all the usual responses. A good troll puts things out there to make us think about how to do things better. A bad troll is just someone who tears people down to get a reaction.

Those examples probably oversimplify the two sides, though.

The best "good troll vs. bad troll list" came from a site I had never heard of before. It has absolutely nothing to do with security and, as far as I can tell, is about body building.

Since that's a different topic and culture than what we cover here, I was reluctant to use their example. But despite the ridicule I'm probably opening myself up to, I like this list quite a bit, so here you have it -- some of the examples from a website called Testosterone Nation:

(1) A good troll causes readers to think, or to laugh.

(2) A bad troll makes people mad for no reason.

(3) A good troll makes people mad for a good reason, usually by challenging their cherished beliefs.

(4) A bad troll never works out.

(5) A bad troll uses personal insults instead of wit.

(6) A good troll is very subtle, so that people are not quite sure if the thread/post is genuine or trolling.

There must be a good infosec-specific list that's escaping my Googling skills. If so, flag it and I'll run it here.

If my use of "Testosterone Nation" compels you to use me in your next act of trolling, go ahead. I just might deserve it. ;-) Whether I do or not, I can take it.

--Bill Brenner


Copyright © 2011 IDG Communications, Inc.
