a case of digitally spilled milk

A security researcher presenting at BSides-Australia demonstrated Facebook privacy issues by targeting the wife of a fellow security researcher without permission. Sounds exciting, yes?

1. What he did was in bad taste, and maybe even unethical. Let’s get beyond that…

2. We all know in security that you don’t get shit done unless someone gets slapped in the face, hacked, or embarassed/shamed. This is human and group psychology. So, in a way, this guy probably made more impression on people who might read this than would otherwise have happened. Sad, but true. Will it get out beyond the security ranks? Probably not, unfortunately.

3. It doesn’t sound like anything embarassing or harmful was actually found. I mean, seriously, are people uploading kinky or extremely embarassing photos to Flickr/Facebook and truly not wanting them seen by anyone else? If so, you’ve already failed. (People who upload such content for public consumption and leave them up for future employers to harvest are a different sort of dumb.)

4. Intent does count for a lot in the perpetrator of a crime as well as the negligence of the victim, but Heinrich does have an interesting point, “‘I have no ethical qualms about publishing the photos,’ he said. ‘They are in the public domain.'” Facebook may intend to not make them in the public domain, but they may not be doing enough. Honestly, I’d consider the end result of this to be public domain, yes. Sorry, fix your shit. Wishing and hoping and saying it doesn’t matter. (Yes, I know if I leave my door open and someone breaks in, it wasn’t enticement, but still, shame on me…)

5. In addition, I’m not sure how pissed I’d be if it were my wife and/or kids. I mean, I’ve opted to put my photos up. As security aware as I am, I have the opportunity to know the risks. A real attacker is going to do much worse if they have it out for me, such as photoshopping images into even worse content, and so on. I’d rather have someone helpfully hack me and expose issues than a real attacker do so with vengeance, especially in something that doesn’t harm me any more than a little public ribbing and feeling a little used, like being the brunt of a non-harmful joke. In another way of thinking, don’t spend effort getting pissed over little things; know what’s important in life.

At some point in security, the “kid gloves” do have to come off, if you want to get shit done. And we’re all a little “grey hat” every now and then…or at least Bob is…

(Snagged off the InfosecNews wire via article.)