I’m sitting here on a lazy Sunday afternoon contemplating this question. Hi, my name’s Mike and I’m a security geek. =)

Yes, Myspace is evil when my wife blows a whole week by designing some really cool pictures just so she can put them on MySpace, so I have a little bit of bias (I mean, my $diety, how many times does your profile name need to be changed per day). =)

But it’s interesting if you go poke around on $favorite_search_engine for something like “myspace spam spyware connection”, you start to find some interesting articles.

• Security Protocols just linked to an expose on Myspace and its origins in spammers and spyware pushers. (This is what originally got me started down this tangent)
• Then there’s this article, it’s the text of the YouTube Videos plus a little bit more.
• Myspace Censorship Continues hmmm, seeing a trend here.
• And then, Combing the Shadows of MySpace and Part 2: Deeper into the Shadows of MySpace.

Looking around, it should be a little bit of an eye-opener if you’re naive and living in the backwoods of Idaho. I’m willing to bet that at the heart of most social networking sites there is a little PII-gathering daemon that threatens to share our innermost secrets for $5 per thousand. I’m pretty sure that my old boss in startup land had a history of playing with Herbalife, pr0n, and spam^wopt-out marketing, and we were building shopping cart software. Makes me cringe to think that the endgame was selling information, only they didn’t tell me about it. =)

But then again, I don’t think we’ve figured out yet what to do with the massive amounts of data aggregation that google does on the average web user.

But anyway, I’ve been thinking about a social networking attack over the past couple of years that works like this:

• Build social networking site (let’s call it MikeSpace for the purpose of simplicity, shall we?)
• Harvest email addresses and names from MikeSpace registrations
• Sell email addresses and names
• Make a seed file using MikeSpace account names and passwords
• Probe email accounts using the seed file
• Auto-forward email accounts to your Big Data Hoover (TM)
• Spider other social networking sites using the seed file
• Point the Big Data Hoover at the accounts you’ve compromised
• Agressively pursue password recovery on other sites using captured email accounts
• Data warehousing and some bayesian analysis to determine each user’s preferences
• Sell the aggregated information on people for mucho dinero
• ????
• Profit!

About now, all of you are checking the Interweb to see if I’m behind any social networking sites. Rest assured, I’m not, but the scary thing is that when I’m stepping through this process, I can visualize the database backend and the core code for each step of the ‘sploit.

Nor is this a new idea. My friend Lempi always wanted to create her own cult along the same lines, but she was beaten to the punch by some people who will not be named because they actively sue. =)

• Business Leadership Training
• I’m Big and Open
• Even Better Spam
• Federal CIO Council’s Guidelines on Security and Social Media
• My Lunchtime Hobby: Collecting Badges

Well, I’m shocked.  I thought maybe people would trickle into ISM-Community and that it would be a gradual growth of users, chapters, and forum posts.  For the first 2 days, I have to say it’s been an overwhelming response, more than I was expecting.  To be honest, I didn’t know what to expect, and if it was just hyperbole.

I’m still trying to land on my feet, so to say, and things just keep coming.  Things are still fun, I guess we’re in the NPO honeymoon stage.  If this pace keeps up, though, I’m going to need to clone myself into a random array of redundant Mikes just to be able to sleep.

This is what I miss about the dotcom era.  Even though I ended up broke, divorced, and homeless by the time it was over, by God it sure was a fun ride at times. =)

The lesson of the ISM-Community launch is that there is a need for what we want to accomplish, and there are people who realize that there are things in a NPO that you can’t do elsewhere.  For example, create joint intellectual property where normally it would be a proprietary process, tool, etc.

• ISM-Community DC Chapter Meeting Announcement
• Can I at Least Get My Shoes?
• ISM-Community DC Chapter
• Making Press Releases
• Busy Days

So during the fading light of Web 1.0 known as “The DotCom Crash”, I was working for a little (4 of us total) startup on the West coast.  We subleased some office space from another company who had a search engine product.

This company’s operation was staffed by some grad students (more about them later), and the company president, Mark, was in the process of selling the business.  I think he made 10 million out of the deal, much less than he wanted, but not bad for a mostly one-man operation.

Our residency in the building started innocuous enough.  We were looking at space elsewhere in the same building, and Mark offered to let us sublease for a reduced price.  It seemed like a good deal at the time.  I probably would still entertain an offer like this even today.

So moving-in day arrives.  We show up with our computers and other equipment and start picking out offices.  Naturally, I got the one with the demarcation for the T1.

One hitch:  the personal effects of the grad students (who Mark said had been layed off) were still in their offices, complete with family pictures, track and field awards, you name it.  Under my breath, I asked if they knew that they didn’t have jobs anymore.  A shrug from Mark, and he was off packing up their stuff into boxes.

So we worked out of the office for 6 months or so.  Then things started to get curiouser and curiouser.  People came around asking for Mark, nicely at first, they a little bit more adamant.  Mark didn’t come into the office as much–he was in the process of selling off his empire.  Of course, I didn’t see much of this because I was in the back room furiously coding away, like all good code monkeys should.

Finally, in the winter, Mark announced that his lease was expiring in a week and that we couldn’t stay there anymore.  No problem, we could move back into a home office until we found someplace better.  We arranged everything that we could and took a couple of days to pack.

Mark had an office furniture sale while we were packing.  He was literally selling everything that wasn’t nailed down–chairs, desks, the overstuffed leather couch, organizers, you name it.

Thursday evening, I was beat.  I hitched a ride home and left my bag and my bike shoes at the office.  I’ll come back on Friday and pick up the last of my stuff.

I show up Friday morning at 8:30.  I noticed a note on the door, I didn’t bother to read it, I was just there to pick up a couple boxes of stuff.  My key didn’t work.  Uh-oh, I guess I’ll read the note.  Paraphrased, it said something like “All your stuff are belong to landlord.”

Apparently, while we had been paying Mark the rent for 6 months, he had not been paying his rent.  The landlord was trying to hold the company’s servers as ransom for the rent he owed, and since his only server (remember, this is startup land, logic doesn’t really apply) was residing off the T1 line in the office, he couldn’t really claim to have sold the company if he couldn’t deliver the software.

It took me 3 hours of phone calls to the landlord and lawyers before someone arrived to let me take my gear out of the office.

As far as I know, Mark stuck the back-due rent with the buyers of his company, which is unethical (and probably illegal in some way), but what else would you expect from the guy?  He’s an accountant who started a tech company as an investment, not because he loved the tech.  I think he went back to being a stock broker and got a nice house out of the deal.

• The BSOFH On Dorky, Auditor-Friendly Policies
• A Funnier Thing Happened on the WAY to Capitol Hill
• Once Again, I’m not a Bank!
• The “Off The Record” Track
• A Little Advice From Mike and Lee