Is Myspace Satan?

Posted June 24th, 2007 by

I’m sitting here on a lazy Sunday afternoon contemplating this question. Hi, my name’s Mike and I’m a security geek. =)

Yes, Myspace is evil when my wife blows a whole week by designing some really cool pictures just so she can put them on MySpace, so I have a little bit of bias (I mean, my $deity, how many times does your profile name need to be changed per day). =)

But it’s interesting if you go poke around on $favorite_search_engine for something like “myspace spam spyware connection”, you start to find some interesting articles.

Looking around, it should be a little bit of an eye-opener if you’re naive and living in the backwoods of Idaho. I’m willing to bet that at the heart of most social networking sites there is a little PII-gathering daemon that threatens to share our innermost secrets for $5 per thousand. I’m pretty sure that my old boss in startup land had a history of playing with Herbalife, pr0n, and spam^wopt-out marketing, and we were building shopping cart software. Makes me cringe to think that the endgame was selling information, only they didn’t tell me about it. =)

But then again, I don’t think we’ve figured out yet what to do with the massive amounts of data aggregation that google does on the average web user.

But anyway, I’ve been thinking about a social networking attack over the past couple of years that works like this:

  • Build social networking site (let’s call it MikeSpace for the purpose of simplicity, shall we?)
  • Harvest email addresses and names from MikeSpace registrations
  • Sell email addresses and names
  • Make a seed file using MikeSpace account names and passwords
  • Probe email accounts using the seed file
  • Auto-forward email accounts to your Big Data Hoover (TM)
  • Spider other social networking sites using the seed file
  • Point the Big Data Hoover at the accounts you’ve compromised
  • Aggressively pursue password recovery on other sites using captured email accounts
  • Data warehousing and some bayesian analysis to determine each user’s preferences
  • Sell the aggregated information on people for mucho dinero
  • ????
  • Profit!
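The step in that chain that a defender can actually see is "probe email accounts using the seed file": one source tries a leaked name/password list against many distinct accounts, gets a few hits, and then forwards those mailboxes. Below is an added example, not code from the original post, that picks out that pattern from a constructed, hypothetical login log (timestamp, source IP, target account, result) and lists the accounts the probing source got into, which are the ones that need a forced reset and a check for new forwarding rules. The log format, the thresholds and the IP addresses are all assumptions.

```python
"""Flag credential-stuffing sources in a login log and list the accounts they got into.

Added example, not the original post's code. The log format is constructed for
this illustration; a real mail or SSO log needs its own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 walks a seed file across many accounts
# (stuffing, two hits); 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2007-06-24T13:00:01 203.0.113.7 alice@example.net FAIL
2007-06-24T13:00:02 203.0.113.7 bob@example.net FAIL
2007-06-24T13:00:02 203.0.113.7 carol@example.net OK
2007-06-24T13:00:03 203.0.113.7 dave@example.net FAIL
2007-06-24T13:00:04 203.0.113.7 erin@example.net FAIL
2007-06-24T13:00:05 203.0.113.7 frank@example.net OK
2007-06-24T13:05:00 198.51.100.9 grace@example.net FAIL
2007-06-24T13:05:20 198.51.100.9 grace@example.net FAIL
2007-06-24T13:05:45 198.51.100.9 grace@example.net OK
"""


def parse(log_text):
    """Turn the hypothetical log format into (timestamp, ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: sorted accounts it touched} for sources that hit at least
    `min_accounts` distinct accounts inside `window` with mostly failures.

    A seed-file probe looks like many accounts, few successes, one source.
    A legitimate user retrying looks like one account, so it never reaches
    `min_accounts` and is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            distinct = {acct for _, acct, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(distinct) >= min_accounts and successes / len(in_window) <= max_success_ratio:
                flagged[ip] = sorted({acct for _, acct, _ in attempts})
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source actually logged into: the next step in the
    chain is auto-forwarding their mail, so these get a reset and a rules audit."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    for ip, accounts in hits.items():
        print(f"{ip}: probed {len(accounts)} accounts")
    print("reset and audit forwarding on:", compromised_accounts(evts, hits))
```

The thresholds are deliberately loose; in practice you would tune `min_accounts` and the window to your own login volume and add a rule for sources that spread the same probe across many IPs.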

About now, all of you are checking the Interweb to see if I’m behind any social networking sites. Rest assured, I’m not, but the scary thing is that when I’m stepping through this process, I can visualize the database backend and the core code for each step of the ‘sploit.

Nor is this a new idea. My friend Lempi always wanted to create her own cult along the same lines, but she was beaten to the punch by some people who will not be named because they actively sue. =)




Posted in Diary of a Startup, Hack the Planet, Odds-n-Sods | 2 Comments »

Stands Alone

Posted June 13th, 2007 by

I keep track of what the blogosphere is saying about government security, FISMA, C&A, etc. Some days I get the feeling that I’m the only person who writes about these core subjects, leading me to several theories:

  • Nobody knows enough on these themes to blog about it
  • Those who know enough to blog can’t write about their job experiences
  • Those who know work for the government and are forbidden to blog because they cannot publicly endorse one solution over another
  • I’m venturing into uncharted waters of some sort
  • I need to be hospitalized for my enthusiasm
  • The first rule of FISMA blog club is that you do not talk about FISMA blog club

Anyway, I’m open to comments.




Posted in FISMA, Odds-n-Sods | 3 Comments »

Back in Leadership Training

Posted June 12th, 2007 by

OK, this stuff wipes me out because it’s a little bit too much on the “touchy-feely” side for me, but I’m once again in leadership training this week. It’s 2 days every 2 months, so it’s not high-volume.

However, it is interesting to see how the non-technical people get along in life.  It’s all about building consensus and telling people they are doing a great job–tasks that I’m not overly good at doing. =)




Posted in Odds-n-Sods | No Comments »

Downtime

Posted June 5th, 2007 by

My blog server went down.  Don’t know how it happened, but a brief power outage happened and the server didn’t come up.  I went to it today after lunch and gave it a reboot.  It came right up.  I didn’t even have to boot off CD to do some lilo surgery or anything extraordinary.  I have that effect on computers–they fear me for some reason and just work when I’m around.  I guess it’s the fact that I’m holding their little brother for ransom that does the trick.

And just so you know, dear blog readers, you get the same level of service that you pay for. =)   This server is nowhere near anything that would resemble a need for high-availability.




Posted in Odds-n-Sods, Technical | No Comments »

Federal SSN Purge

Posted June 4th, 2007 by

Nice posting at Emergent Chaos on Social Security Number Purges.  Imagine that.  I see people who collect SSNs around DC like they’re candy.

Need to get into a building? We collect your SSN, as if terrorists don’t have them, and as if you can’t lie about what yours is. Come to think of it, I did that for 6 months at one site and nobody caught on. =)




Posted in Odds-n-Sods, The Guerilla CISO | No Comments »

Manitoba Chiefs Want Cellphone Revenue

Posted May 31st, 2007 by

Hey, makes sense to me. If you’re a sovereign nation, you have a right to manage the radio spectrum above your territory, no matter how large or small the territory is.

The BOFH in me thinks it’s a perfect unintended consequence of the white man’s greed hundreds of years ago. =)

Manitoba Chiefs Want Cellphone Revenue




Posted in Odds-n-Sods | No Comments »
