This post is just a small collection of related thoughts, mostly pulled from Twitter posts. I don’t consider Twitter something to re-reference later on, and a poor choice to save thoughts. Much of this is inspired by recent media-whoring about Facebook and privacy issues. A recent XKCD comic illustrates an aspect of my feelings about the subject.

I have a long-standing distrust of people and corporations in general, especially public companies. This is pretty much wrapped up in one of the more dangerous of the seven deadly sins: Greed. I turned away from Yahoo when they went public and started focusing more on money than on users. The same goes for my feelings on Google. Social networking is pretty much in the same boat.

social networks are the leftovers from the dotcom boom; the ones that got users (the first step). But they’re no more successful, yet.

The dotcom boom came with lots of interesting ideas, but busted when they were exposed to not be very viable as a business, and in many cases simply didn’t get enough eyeballs on their ideas (grocery deliver service? awesome! but not scaled up enough). There is still a latent boom-bust situation going on for the past 10 years in the form of social networking. Social networks and other “social” playgrounds online have garnered enough eyeballs (or clicks, hits, attention, whathaveyou) to survive despite having business models that are as shaky as anything from the actual dotcom boom. Sure, some of them can probably make money, but they certainly have to be careful to do so without killing themselves by driving away their users. How many people think Hulu or YouTube will still be relevant if they charge subscriptions? Or news sites?

(Aside: It’s funny how important these services have become to the Internet masses; how deeply they will defend them, but how detested they become when money is requested. Some may call users fickle. Some may say this is the essence of competition, since someone will always host things for free. But does that mean large centralized social networks are inviable and only smaller, self-sustaining, splintered groups can thrive? I’m sure there are parallels to be drawn with music, movie, and software pirating…)

Z[uckerberg] is doing web startups wrong. You make it free, get popular, get money, then sellout b4 privacy and a biz plan blow [you] up.

This is my opinion. If you can’t be viable in the long-term without lots of soul-searching and probably stepping on your own users, you’re probably better off building up your value and getting out while its high. Kinda like how Kevin Rose probably should have unloaded Digg.com. Or MySpace unloaded, or YouTube. If you found a company or site, get your user base huge, get your value up…you’re probably better off cashing out before it cashes you out. Zuckerberg should have gotten out by now before the house of cards started wobbling.

yes, zuckerberg, there is a simpler way to control your info. stop trying to weasel it out of people to support your business model.

This is part of why I distrust public companies, or companies that are looking (maybe desparately) for profit: They will do whatever they can get away with. No Facebook user should be surprised about Facebook privacy issues, or how Facebook tries to weasel around the issues and keep their access into your life while trying to make it look like they’re helping your privacy. They’re not. How else do you think they’re making money? Same goes for Google with searches and everything else they try to do. Invading your privacy is their business model. This has always been a business model, only these days we have very automated and highly technical and highly hidden ways of being victimized by it (networked appliances reporting back to motherships, what programs you watch, sites that index and analyze your information, search logs, tracking cookies, spyware, and so on…)

I dislike someone who complains about privacy when they dig or have dug themselves deeper into something like Facebook (either it’s important enough for you to do something about it, or it’s not important enough for it to chew up your energy and time to worry about). Or complain about privacy when they’re the damned owner of the damned site. Privacy is not hard. The hard part is maintaining the illusion of privacy while trying to maximize your penetration of it. (Kinda like getting that bar slut drunk…)

I’m not sure why I’ve not seen this story before, but this is a downright fascinating diamond heist article over on Wired.

Chief Monkey has linked to an excellent case study in corporate banking fraud. The story takes a few pages to work into the juicier details, but it is worth the burn to get through it.

The network still has a perimeter, but the business and its users have less of a perimeter. If you can check email from any system, than your email password can be snarfed by any of those systems if they’ve been victimized by a drive-by trojan. This can often lead to further attacks, even up to logging into a VPN session from a remote location! People like to think of one-time attacks and siphoning of valuable data, but few think about an attacker looking over your shoulder and reading your emails and data continually.

I wonder if the VP in the story had any personal fraud attacks against her as well, or if the company account was the juicier target. In the end, yes, home users (and their systems and networks) elevate my nervousness considerably.

My only bit of caution would be to anyone who starts crucifying banks too much about their security. There is no measure that will magically protect against fraud. It is entirely a scale between security and usability. Some banks fall low on that scale and get burned (hopefully!) for it. Other banks may slide up the scale too far only to get burned because they’re slowing down, flagging, or outright blocking abnormal but legitimate transactions for important customers. What do you do in those cases? Given different perspectives, I think most people would opt for the least economically costly options from their respective perspectives. Just think about that for a while… People complain about bank security, only up to a point where it inconveniences them too much, then complain more when it still fails, and so on. That’s not a rhetorical game I like to play…(maybe I just like to play a few more moves ahead, I dunno…)

I’m not trying to defend lax, or even negligent, bank security so much as I want to attack overzealous sunday morning security quarterbacking that just perpetuates the problem of a wildly swinging security pendulum that can’t find any peaceful middle ground.

Mogull over at Securosis has posted, “Is Twitter Making Us Dumb? Bloggers Please Come Back.” He makes great points on the usefulness of blogging (the great PCI debates are a recent occurrence of “blog debates” spilling into real life), and some of the comments make great points as well, such as how Facebook steals away some of the energy.

Behind on my rss feeds

My own observations are slightly similar, although I admit I’ve had less time these days to keep up with my rss feeds and make interesting posts here. I still troll Twitter and other places, but typically those are not necesarily surrogates to a good blog or even cross-blog discussion, and I typically can participate in Twitter without much actual commitment time and attention-wise.

Maybe we’re all just reading blogs less often, which in turn reduces the emphasis on blogs and our own opportunities to start cross-blog discussions.

Conferences

One area I’ve seen grow considerably in the last couple years is discussion and participation in security conferences. Perhaps all those discussions and talks is tiring, but also serves the same purpose that blog discussions may otherwise have given. Why blog when you’re at a conference having the same discussions every 3 weeks?

Less new faces

I’ve also seen a drop-off on new blogs to follow in the security space. This may be a function of my lacking of time and energy put into reading my rss feeds, and I agree that I tend to gravitate to the same feeds over and over. This doesn’t mean security is dwindling, especially as I’ve talked to plenty of interesting people on Twitter that I didn’t know previously.

It is possible we ask a lot of new faces in security. Where, in the last 4 years, having any content on a “security” blog was enough to get you followers, today do you need to be dropping news, novel new ideas, or 0days every week? I’d hope not. We really need generic discussion as much as or more than the jaw-dropping stuff. But it’s that generic discussion that may be getting satisfied elsewhere.

Look at podcasts and conference roundtables or Twitter discussions or mailing list questions. We still have a huge capacity and energy to talking about the “generic” stuff; even stuff that has no real correct answer, but impassioned opinions on either side. It just seems to be taken to blogs less and less often.

Inherent broken records

“Cloud” notwithstanding, perhaps we just have less interesting topics to talk about. I myself am guilty of this, as I often have ideas tumbling around in my mind, but I’m well aware they’re ideas that not only have *I* had for a while now, but others have had and voiced as well. Security is not a game to win, and we’re going to have some of the same inherent deficiencies for years, decades, to come. You can really only bring them up so many times before you get sick of the obvious.

One other thing I’m guilty of: commenting vs blogging

Every time something like this comes up, I’ll have a minor discussion with myself. Do I make a long-winded comment on someone’s blog to join or initiate discussion (which maybe only he and I will see) or do I post on my blog here under the haughty assumption that my blog is worth their time to read for my viewpoint, or that they’ll even see it?) Or should I engage them more directly rather than wait for them to find my little slice of opinion? How will both of us remember to re-read the comments to see if an update has been made? (This is one reason I tend to have many web browser instances open, some are just open for me to refresh for comment responses!)

This is why I am still partial to being a forum and chat (or, in a sense, Twitter) regular. A forum is essentially a dynamic, central RSS feed of ongoing discussions and blog posts. Unlike blogs where only new topics percolate to the top, hot topics percolate to the top on a forum. And if you have one central place to go for participation, it becomes rather natural (which is also why I suggest less sub-forums).