A recent judgement in the UK courts has forced a former employee of Hays to hand over details of the business contacts built up through LinkedIn.com whilst he was employed by them. The decision is one of the first in the UK to show the tension between businesses encouraging their employees to use social networking websites whilst trying to claim that the contacts should remain confidential at the end of their employment. [From Bombay Crow: Who owns your online networking contacts?]
I have a slightly old-fashioned policy towards LinkedIn. When I get a connection request, I won’t accept unless it is someone that I’ve spoken to (or, preferably, met in person). The validity of this policy was demonstrated during the week, when I read the story of the security consultant who set up a fake LinkedIn site for an imaginary woman called “Robin Sage” who supposedly worked in cybersecurity for the US Navy. In less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.
Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation’s defense and intelligence communities – what Mr. Ryan calls “an independent ‘red team’ exercise.” It is not the first time “white-hat” hackers have carried out such a social-engineering experiment, but military and intelligence security specialists told The Washington Times that the exercise reveals important vulnerabilities in the use of social networking by people in the national security field. [From Fictitious femme fatale fooled cybersecurity – Washington Times]
The story also revealed another sad truth, a reflection on human nature. Men will do anything for an attractive woman, without even bothering to check whether she’s real or not.
Ms. Sage’s connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs. [From Fictitious femme fatale fooled cybersecurity – Washington Times]
Jobs! You’d think one of the first, basic checks that someone might make is that their employment target is real! Yet we’re told that social networking means that employers know all about us all the time.
“We’re hearing stories of employers increasingly asking candidates to open up Facebook pages in front of them during job interviews,” [From The Web Means the End of Forgetting – NYTimes.com]
This would be fantastic, if it were true. I would love to work for someone so dumb that they think that what’s on a Facebook page has any reputational capital value at all. In half an hour my kids could easily make up a Facebook page that would present them as the best candidate ever for whatever job. If employers are hiring people this way, they deserve what they get.
As I’ve said before, one of the most valuable credentials in the future online economy will be “IS_A_PERSON”. There seem to be more and more problems arising in spaces where it is not possible to determine whether a virtual identity is “controlled” by a real person or by a computer. In some cases it doesn’t matter,
ArenaNet has made another move against botters and other cheaters by banning 3700 accounts… Gold farmers are a target, of course, but Player vs. Player bots are a real issue as competition is a major part of the Guild Wars online experience. [From Guild Wars bans more than 3700 for botting and cheating – PlayNoEvil – Game Security, IT Security, and Secure Game Design Services]
Gold farmers are human players, often in developing countries, who play the games in order to obtain virtual resources that can be sold to cash-rich, time-poor players in other markets. They are tolerated (after all, they have to pay to play in most games) and are not the same thing as bots, which are computers using stolen identities (i.e., usernames and passwords) to log in and masquerade as players. Anyway, in ArenaNet there were 3,700 bots masquerading as human players. Meanwhile…
Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:
World of Warcraft – 210,000
Aion – 60,000
PlayNC – 2 million (NCSoft’s site-wide account)
Wayi Entertainment – 16 million
Symantec focused on an interesting feature of the botnet – it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck. [From Botnet Server found with 44 Million Game Credentials – PlayNoEvil – Game Security, IT Security, and Secure Game Design Services]
It’s amazing the amount of effort that goes into pretending to be a real player, but you can see why this is: bots are cheaper and more reliable than human players, particularly when they are being used for dodgy purposes. One day you won’t be able to play World of Warcraft unless your virtual identity includes the “IS_A_PERSON” credential. But should it be a requirement for joining LinkedIn? Or Facebook?
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.