Faux femme fatale finds flaws in social networking security


33 Responses to “Faux femme fatale finds flaws in social networking security”

  1. kingfelix says:

    Seems like there was a lot more fun being a spook before facebook when you had to disguise yourself alias style and crash fancy cocktail parties in lavish villas in europe instead of just getting a facebook account.

  2. PeterErwin says:

    There’s some more information in this Washington Times article. (Hat tip to Bruce Sterling.)

    I’m a bit disturbed by the casual racism in Ryan’s rationale for the actual image he used. From the article I linked to: “Mr. Ryan chose the photos, which he found on an amateur pornography site, ‘because she looked foreign’ – which he said was another potential counterintelligence red flag – as well as for her attractiveness.” Because, as we all know, no “real American” would look like she does, and attractive young Caucasian women are far less likely to be spies.

  3. Anonymous says:

    wow, I’m surprised this person got this level of attention. saw lots of posts during thenexthope, and they were completely disreputable or incendiary. doesn’t matter who the person was, or what gender, just seemed like an obvious dumb ass.

  4. Osprey101 says:

    News story for the day: Internet surprised at how hot MIT hackerchick gets hit on by guys on social networks.

  5. bkad says:

    This is interesting, but not all that surprising. Be friendly and attractive, and some people will reach out to you. Lie about who you are, and some people may believe your lies.

    Maybe the guys actually in three letter organizations are briefed not to identify their profession via social networking, I don’t know. But I’d be skeptical if everyone involved in these communities is so trained. Also, not to downplay the importance of operations security (even regular old businesses worry about this stuff, to detour headhunters), just knowing person X is affiliated with lockheed martin or DoN probably isn’t that bad a disclosure. I live near a few defense companies and I see people walking around with branded apparel all the time.

    • MadMolecule says:

      Maybe the guys actually in three letter organizations are briefed not to identify their profession via social networking, I don’t know.

      Some of the older generation in my family worked at the Pentagon back in the 50s-60s, so this may be out of date, but I doubt pretty strongly that they’ve started wearing nametags.

      In general, if you ask one of them about his/her profession, at most you’ll get a vague answer about “the State department.” I can’t imagine the rules are much looser on Facebook.

  6. jamesb says:

    This is pretty much the same as in the old cartoons when a guy puts on a dress and lipstick and sashays past the guards. I’m pretty impressed that still works!

  7. Anonymous says:

    She’s still cute, and if I’d know any cyber-secrets, I’d tell her.

  8. macemoneta says:

    Rule 30, guys:

    There are no girls on the Internet.

  9. Mac says:

    What security was actually broken?

    I have plenty of Facebook friends that I haven’t met in real life. That isn’t a security threat – it just means my social circle isn’t limited by geography. So what?

    The great result after this massive con? She was invited to conferences – which, by definition, aren’t exactly secret! (Oh – and she was invited to review documents for the public conferences as well. Clearly they weren’t secret documents, or that would have been mentioned as well)

    So isn’t this a demonstration that the con DIDN’T work?

    Wouldn’t a more accurate headline be ‘Femme Fatale experiments fails to get any secret information from intelligence community’ ??

    Mac

  10. kleer001 says:

    Well, yeah, duh, humans are the weakest link. That’s why we should [redacted]

  11. W. James Au says:

    But what’s that chick’s actual name, the one in the photo? I’d like to know so I can friend *her* on LinkedIn and offer to tell her national security secrets at a bar.

  12. Anonymous says:

    I’m a bit disturbed by the casual racism in Ryan’s rationale for the actual image he used. From the article I linked to: “Mr. Ryan chose the photos, which he found on an amateur pornography site, ‘because she looked foreign’ – which he said was another potential counterintelligence red flag – as well as for her attractiveness.” Because, as we all know, no “real American” would look like she does, and attractive young Caucasian women are far less likely to be spies.

    First of all, I don’t think the woman looks particularly foreign, so I don’t know if that part of the experiment was successful. But I disagree that this reflects racism. Being foreign born, or having ties to foreign countries, IS significant to counterintel. Such individuals, even if US citizens, have potential motivations to spy that others do not. And this happens in real life.

    Ironically, your example, Ms. Chapman, spoke with a Russian accent, which while not evident online, certainly would have made defense people more reluctant to discuss their work with her.

    (And from what I’ve read, Ms. Chapman spoke with a Russian accent, so she is hardly the exception you are looking for).

  13. bkad says:

    The great result after this massive con? She was invited to conferences – which, by definition, aren’t exactly secret! (Oh – and she was invited to review documents for the public conferences as well. Clearly they weren’t secret documents, or that would have been mentioned as well)

    Well, the claim would be that large part of attacking an organization would be knowing who to ‘attack’ — who people work for, what they are likely to be working on, who do they know, etc… and even an online interaction could be the basis for everything from innocent questions to more serious probes later.

    Also, you can learn some other useful things from a person’s social networking profile. Are they going through a divorce? Has one of their kids been diagnosed with an expensive medical problem? Do they complain a lot about work or their boss? Do they seem to have a taste for nice things? What are their political and religious views? etc.

  14. Susan Oliver says:

    I’m impressed that in this realm being a woman actually got her *more* job offers, not less.

    As opposed to the whole “Why James Chartrand Wears Women’s Underpants” saga (female writer assumes male identity and gets more offers, for higher fees, than she did under her female nom de plume).

    Makes a girl think.

  15. Tirjasdyn says:

    This reminds me. Ever hear of the talk about the navy on the internet and they’ll show up to do PR in the conversation?

    It works.

  16. bklynchris says:

    I have a girlfriend from high school (both of our fathers worked for the DOD in Asia). I always tease her about working for the “company”. Why?
    -she speaks English, Korean, Russian, and French fluently
    -she has no discernible source of income (though in the past has worked for an international executive temporary housing company in London, currency trading in Asia, and wine importing in the Mediterranean…I mean, really, wtf?).
    -Is in her 40s and still works out every day
    -she has the highest level of PADI certification
    -she had made the Olympic archery team in college
    -not married
    -right after college says she made it to the last level of NSA interviews and said no bc she would not be able to not let her family know she works for the NSA
    -she has hilarious CIA jokes

    and NOW the proof in the pudding?

    She has adamantly refused to get a facebook page, and said she would kill me if I fraudulently started one in her name (maybe she was speaking literally?).

    Oh, and she’s scary hot too.

  17. Antinous / Moderator says:

    Is faux femme fatale French for fake floozy?

  18. Anonymous says:

    bklynchris, i’m going to tell her you said that. she’s not going to like it. i suggest you lay low for a while.

    seriously the study of what information it takes to identify someone, and how that leaks out online, and what kind of security risk results, is very much in its infancy.

    among people who can talk about it, that is. it’s not all intelligence, either – there’s major marketing $$$ to snag. the weird part is where a few bucks to the marketing warehouses yield intelligence info.

    there’s probably 3 great books of fiction and 12 of journalism in there, they are just hard to do correctly. except the fiction, for someone sufficiently gifted in intuition.

  19. D2S says:

    it is just a mix of role playing and social engineering …. as long as u can control it you deceive others.. if you don’t, your schizo multipersonality ass fools yourself

    jump on SL to see some pros at work

  20. bklynchris says:

    Antinous-it is now!

  21. Anonymous says:

    So, the big secret that nobody in the press seems to understand is that “everyone” knew it was Tom within a couple days. Sure, he got some isolated folks, but most of the “marks” were playing along with full knowledge.

  22. resnovae says:

    1) I work for the government. And I have social networking accounts I use for work- using my real name and everything. I’ll also friend just about anyone who asks *because I use them for work.* Just because I friend someone doesn’t mean I’m spilling state secrets. Heck, just because I friend someone on my non-work account doesn’t mean I’m spilling state secrets. In fact, I am pretty sure if I had any state secrets to spill, I wouldn’t post them on Facebook or Twitter- no matter how personal or professionally oriented my postings on that account might be.

    2) Robin Sage? Really??? For a Twitter account, ok (maybe)… but for her LinkedIn profile? People probably friended her *because* they thought it was a joke.

  23. jonw says:

    robin sage? was she from pineland?

  24. miah says:

    I suspect 82% of her friends were male simply because that’s how the security industry is. Have you ever gone to any type of hacker con? I mean the male:female ratio is like 300:1.

    I think this simply says a lot about how people treat social networks. People are incredibly afraid of saying “no” to somebody. “hi I met you this one time at a hacker con” is how “she” got past anybody who said “how do i know you”. Does that mean we’re friends? No. I got hit on by this guy at a bar once, 8 months later he friends me on facebook.. are we friends? No.

    Stop accepting friend requests from people you don’t really KNOW. It’s that simple.

  25. Anonymous says:

    Who says her “friends” are the people they said they were?

    Why wouldn’t at least some of them exaggerate/lie to be her friend?

  26. ackpht says:

    I’m impressed that in this realm being a woman actually got her *more* job offers, not less.

    Women with technical credentials are relatively scarce in the US, and are actively sought by companies and agencies eager to improve their image of gender equality. It has been this way since the 1970s.

  27. Anonymous says:

    Faux femme fatale finds flaws, felling Facebook fence

    Always alliterate all-in.

  28. bkad says:

    Women with technical credentials are relatively scarce in the US, and are actively sought by companies and agencies eager to improve their image of gender equality. It has been this way since the 1970s.

    It’s not just ‘women with technical skills’, but ‘women with technical skills who want to work in intelligence or defense’. Either because of the nature of the work or because of the nature of these workplaces (socially and managerially ‘old fashioned’, to be charitable), these individuals are even more rare.

  29. ackpht says:

    And I have known women who earned engineering degrees to please their parents, and had not the slightest intention of working in that field.

  30. loonquawl says:

    Osprey101 had the last comment needed. And it was the first.
