Tuesday, March 24, 2015

Social media risks and rewards

Social media are great for keeping in touch with friends, but be mindful of what you share and with whom. Simply planning a strategy for how each social network will be used can make all the difference.
Do you know with whom you share, and what you share, on social networks? I've had around a dozen conversations about social media in the last few months. Conversations with friends and family, with colleagues, and with professional peers. Conversations about differences in uses and privacy implications, as well as conversations about examples of ill-advised sharing. Over the weekend I had a brief Twitter conversation with Rafal Los (aka Wh1t3rabbit) bemoaning recent LinkedIn changes that make it difficult to introduce ourselves when requesting a connection.

On top of that, there have been a couple of widely publicized news stories recently about the direct consequences of social sharing: a Dallas teenager accepted a job with a pizzeria, then badmouthed the job to friends on Twitter. Word got back to the shop owner, who fired her before she started. Then the New York Times ran a story about a senior director of communications whose poorly conceived tweet cost her a high-ranking job.

Before abandoning social media altogether though, consider a post by Caroline Regidor, managing director of an Australian PR firm. Caroline asks the question, would you hire someone who has no social media presence? While she says she would assume a person with no social presence simply values their privacy, many employers might take a complete lack of social media profiles to mean a person either has something to hide, or is incurably behind the times. In some job roles, they might be right.

I use several forms of social media, with very different purposes. Those purposes dictate what I share and with whom I will connect - what I share on Facebook bears little resemblance to what I share on Twitter, because my purposes and my "audience" are completely different. Therein lies the point of this post: social media make it very easy to keep in touch with friends, family, peers, and "peeps." Conversely, social media can make it very easy for others to inspect the parts of our lives that we choose to share. It is vitally important that we keep that in mind when choosing what to share and with whom.

I don't pretend that my "social media use cases" are the best or only way, or even the right way for you - but they work for me. I lightly use a few other social media apps - Pinterest, Instagram, Flipboard, and StumbleUpon are ones I have explored - but for the most part Facebook, Twitter, and LinkedIn are where you will find me.

Facebook

The reigning king of social media is one I find myself spending less and less time on. I limit Facebook connections to family and close friends, and to parents of the children in my Awana ministry. Because my Facebook network is relatively small and guarded, I am willing to share somewhat more personally - family photos, funny anecdotes, events in my local ministry. They are not necessarily things I wish to hide, but rather in many cases things only relevant to family and friends. In the case of Awana, limiting those that can see posts is part of protecting the privacy of the children I teach.

Despite the reputation Facebook has as an enemy of privacy, the company has in recent years added quite robust options for controlling who can see what I post. In fact, even though a friend may share my post on their timeline, my privacy settings still take precedence - my post will still only be visible to those I shared it with. Granted, that doesn't stop someone from copying a photo or post and reposting it as their own, but the same is true of a written letter or a printed photo. If something were truly private, I wouldn't post it, period.

Twitter

As a security professional, Twitter is my social media mainstay. What began as a ridiculous hodgepodge of "I'm eating cereal," "now I'm walking the dog" evolved into a highly effective way of keeping up with the latest threats and research. Very often I will find myself drawn into a Twitter conversation on a newly-discovered vulnerability hours if not days before any mainstream news source knows of it. Granted, 140 characters is not a lot of space to communicate a complicated message - and at times, an emotionally-charged topic squeezed into a tweet can turn into "Hug-gate."

I favor Twitter over other tools in large part because of how Twitter is structured. Other social media programs use algorithms to predict what they think I would like to see, and put those "suggested readings" at the top, with other posts in seemingly random order. By design, that makes it impossible to be certain I have not missed something I actually am interested in, and makes it exceedingly difficult to find something I saw previously. Twitter on the other hand is purely chronological (ignoring for a moment paid "sponsored" tweets, which I do ignore). For me, a chronological timeline is exactly what I want to read.

Since Twitter is my mainstay, I put no limitations on who can follow me, and I follow several hundred individuals that I have found to reliably tweet useful information. Sometimes that information is a link to a long-form blog describing new research, sometimes it is a simple observation inviting a discussion. Either way, I learn new things every day through my Twitter contacts.

I have a finite attention span, and can't spend 24 hours a day reading a Twitter timeline, so I keep my "follows" to a few hundred. That way I can keep up with everything they say, and in many cases get to know individuals. Since I know who I follow, I regularly talk with people instead of just consuming content. I periodically unfollow those that have stopped tweeting, or that I no longer find useful, to make room for new people I discover. That said, there are many people I meet at conferences or other events, people I would like to keep track of and read when time allows. For that I use Twitter Lists.

I invite you to follow me at @dnlongen

LinkedIn

LinkedIn has a reputation as the "job seeker's social media." That is not its only use though. I find it useful for maintaining professional contacts - people I once worked with that have since moved to a new company, or those I meet at conferences and professional association meetings.

I often hear those in my field say they find little use for LinkedIn. I disagree, for one very important reason. As a researcher, I sometimes discover security flaws in products or websites I use. I have cultivated a large LinkedIn network over the years, to the point that I almost always either know someone directly at the company in question, or know someone who can introduce me. In the technology field, many companies have well-established ways to report security concerns; that is not often so in other fields. I have found it quite effective (and sometimes rewarding) to make the effort to reach someone who can understand and act on my findings, rather than just sending an anonymous report that may or may not be taken seriously. Just this week in fact I noticed something unusual on the point-of-sale card reader at a nearby grocery store. Through my LinkedIn network I was able to reach someone responsible for PoS security at that store and report what I saw.

For this reason I generally accept any connection request, particularly if the requester has something in common with me (we are members of the same LinkedIn group, for example, or the person has a security-related job title). If there is not an obvious connection though, it helps if the person introduces himself or herself instead of sending a generic "I'd like to connect" request.

I am not happy with recent changes in this regard. I used to be able to type a brief greeting into a connection request, explaining who I was and why I would like to connect. In most cases now, though, LinkedIn immediately sends the request without letting me include a personal message. To me, this is a failure by LinkedIn to understand its audience. If I attend a large conference, I might meet dozens of people that I would like to connect with - I should be able to say "we met today and talked about such and such." Conversely, it is useful if a person can do the same with me.

You are welcome to connect with me at www.linkedin.com/in/dnlongen

One final tip

Regardless of which social media you choose to use, be sure to use a decent password, avoid reusing the same password across accounts (a password manager makes unique passwords practical), and turn on two-factor authentication wherever it is offered. With 2FA, logging in from a new device requires a one-time code in addition to your password; the code is either sent to your phone by SMS or generated by an authenticator app on the phone. Prefer the app where you can: a code that arrives by text message can be read or redirected by anyone who has taken over your phone number, while an app-generated code never leaves the device. A hijacked social account can be a real embarrassment, and 2FA is the strongest protection currently available against a stolen or guessed password. It is not a substitute for a good password, though: a phishing page that asks for your password and your code at the same time can still get in, so treat the code as a second lock, not the only one.

Update 04 May 2015: The US Department of Homeland Security published some social media "Smart Cards" for Facebook, Google+, LinkedIn, and Twitter a few years ago. I consider these to be a mixed bag: each is a good overview of the features of the respective social networks, but the recommendations range from prudent to tinfoil hat. For instance, the Twitter card recommends changing your username every so often to limit exposure. This makes sense if you are trying to live anonymously ... it does not make sense for an individual with a professional following.

The US Navy Fleet Forces Command has these cards available on their website. Take a look at the DHS advice, but temper it with your own plan for each social network you choose to use.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen