09.07.07
Spreading FUD over Social Networking
Early today I posted a comment on ITSecurityExpert.co.uk... now that the day is almost over, my comment has still not been approved... so I have little choice but to raise my issues with that post in a post of my own.
The blog post in question, 'Facebook: Welcome to the World of Google Hacking', is one of the biggest pieces of FUD I've ever read... and I've seen a lot of FUD. It's one of those things that, when you hear it (especially from someone who labels themselves an IT Security Expert), you just sort of convulse in fear. It's taking a shot at something for no reason other than taking a shot... It's 'FUD-Spreading' in its purest form and it's a shame to see happen.
By now it's fairly common knowledge (to those that use Facebook anyway) that they are making a public version of the user profile. The public version will contain less information than a "non-Friend profile" on Facebook. For you non-Facebookers, a full profile can include contact information, pictures, messages, status updates, and a plethora of other information. You can also make a limited profile (picking the information you want to share) available to select users. Users that don't qualify for either of those can search for you by name / network and find: Profile Picture, Name, Network and occasionally Status Update. The Facebook Public Profile (indexed by search engines) will contain Profile Picture and Name. That's all...
Yet Dave Whitelegg (CISSP [yes, that's included at the bottom of every blog post]) spent 5 paragraphs telling us how horrible this is... how Facebook is making all sorts of private information available, including date of birth. This is somehow a huge security risk... Heaven forbid anyone know my date of birth. Dave feels that it's bad because of how many places require Date of Birth to reset your password... Is this 1995? I can't even add additional channels to my cable package without providing my full name, the name on the account, mailing address, date of birth and a PIN. Most places these days have "Secret Questions" that allow you to customize the question (or at least select from a variety of questions) and the answer.... 'Date of Birth' verification has primarily gone the way of the Dodo.
Here's the way I see it. If someone wants to access my cable account or my cell phone account and already knows the account number, associated phone number and mailing address... they probably already know my date of birth. Even if they don't, who cares because SURPRISE SURPRISE Facebook will NOT be publishing that information... they've said that since they announced the public profiles and their "searchability". I don't doubt that some people will choose to make this information available but Facebook isn't doing it, that individual is making their own choice.
Now I realize that Dave openly admits to being anti-Social Networking but really... a 5 paragraph FUD post to bash a company that is actually concerned over user privacy? I'm sure that there are better websites that could be attacked, more useful information that could be shared.


LonerVamp said,
September 10, 2007 at 5:33 pm
Definitely need to pick one’s fights better. Worrying about something that is public information being, well, public information, is a losing battle. Kinda like saying usernames are hidden or sensitive information. Not really, in most cases.
If nothing else, one could argue that one doesn’t need to flaunt that information everywhere. You’ll admittedly have an easier time forging my identity if you know my birthdate than if you didn’t… But I’m not sure that’s a compelling argument. There are people physically closer to one’s self that are more worrisome with fraud than the random pool of an Internet social network site.
Bob Bingo said,
September 14, 2007 at 3:49 am
I have to completely disagree with your post on this one. I had to reset my password for my online banking site a few weeks back, and one of the security questions they asked was the name of the school I first attended; the answer to this is available on my Facebook profile, and WAS available to the entire internet.
PS Also I am pretty sure hardly anyone used the internet in 1995.
Tyler Reguly said,
September 14, 2007 at 7:54 am
@Bob
You’re wrong. It’s as plain and simple as that… Facebook doesn’t make your school publicly available.
Bob Bingo said,
September 14, 2007 at 11:13 pm
I beg to differ, the Facebook group name kind of gives the game away…
Here are some of your very own Facebook friends… BTW, now I understand why you posted this. Admit it: judging by the pages of friends you have (all were publicly searchable), you are a proper Facebook fanboy!
Amanda Leigh Arthurs
University of Guelph Alum ‘06
John Barber
Sault College ‘09
Kiley Thompson
University of Toronto Alum
Queen’s University Alum ‘07
University of Calgary Alum
Michaela Reguly
Korah Collegiate And Vocational School ‘10
Heather Kuiper
McMaster Alum ‘06
Queen’s University Alum ‘07
Brad Howlett
UWS Alum ‘06
Fanshawe Alum ‘05
Sun Microsystems
Tyler Reguly said,
September 15, 2007 at 8:03 am
Wow… you just called me a Facebook fanboy??? hah… not even close.
Now… if you’d actually read details on what’s going on… Group Name is not available on public searches… Group Name is available on Facebook internal searches, but it always has been…