Moussouris to Leggio: It Bears Security Risk, and That’s That.
Posted by Joe Franscella, 10-21-2010:
I always enjoy reading Jenn Leggio’s Social Business column at ZDNet and am thoroughly enjoying 100 Brains. Today she interviews Microsoft Security Guru Katie Moussouris, focusing on some social media security specifics that I found particularly interesting.
Before writing about what I found specifically intriguing, I want to digress slightly to headlines of the past couple days related to Facebook’s third-party app privacy flaws (or I guess you would call flaws “features” if you were on the third-party app side 
). The headlines made it sound as if there was some profound revelation in that Facebook was — can you imagine — not protecting users’ privacy, gasp! When the headlines broke, the first thing I posted on my Facebook was that I could hardly believe by now that anyone using Facebook does not understand that virtually anything and everything they post is, in a word, accessible. Anyone who hasn’t figured out that Mark Zuckerberg is providing a place to “share” and not “hide” information really doesn’t get the whole point of the site.
Back to the Leggio column with Moussouris. The QA I found intriguing (because it backs my opinion) is this:
Q. There’s a lot written about security and social media and education. Do you think it is reaching the right people?
A. I think that it doesn’t matter who it reaches, as there will always be people who will flock to social media sites regardless of whether or not their info is secure. I personally assume and accept the elevated security risk in using social media. There was a time I tried to resist using graphical web browsers (I used lynx), due to my inherent paranoia, but the draw of The Onion online with hilarious photos drew me in and I began using another browser. Similarly, the convenience features, and lure of all your friends in social media will draw even some of the most paranoid security people to join in. I think the right education for everyone about current social media and security is to set the expectation that it bears security risk, and that’s that. Use at your own risk!
Facebook, and any online social community, “bears security risk, and that’s that.”
One final thought:
There are instances where security risks on Facebook and the like aren’t inherent in the purpose of the technology, which, again, is to share and not hide information. These instances include social engineers and other attackers who blatantly attempt to suck users in with malicious links and nefarious offers. Does Facebook have an obligation to keep the criminals out and its users protected? I don’t want to get into this philosophical argument but I will opine that we — users — are placing a rather unrealistic expectation on Zuckerberg if we thing that he alone can solve the problem of Internet crime and security.