It’s been roughly 24 hours since I posted about paranoia and foursquare. I was correct in my foresight expecting people to respond somewhat forcibly, or strongly – but I got my responses from ENTIRELY the wrong crowd I was trying to speak to: my infosec friends.
I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.
- Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning say, more than 3-5 checkins daily). As one friend put it “updating foursquare 24/7″ = bad. Foursquare is not “HELPING” the problem – yes they are “CONTRIBUTING” to it, but they are not “THE” problem.
- This is not a “new” attack vector. Foursquare is not the first application to allow one to publish ones whereabouts (if you REALLY wanna crap your pants, have a look at lattitude. If you think foursquare is bad your head will fall off)
- No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.
- It is less likely that an ACTUAL home-invader will use foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to facebook/twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” -visual, in person. If an attacker is enlightened enough to employ the use of attacks like CSRF and social engineering methodology they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.
- In this context its foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (dodgeball) and make it more popular. It’s the “in” thing to do rightnow – overshare. Some people do it, other people don’t – people manage their own risk. Telling twitter you’re going to the bar, versus checking in on foursquare AT the bar, versus gowalla, or a facebook update – its all the same thing: You’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.
The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.
Agreed, they have a valid point. I won’t argue that, but its synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.
Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.
My point, reconstituted without snark is: You’ve been doing it for years, and you JUST NOW realized it? THATS the problem. Not foursquare. The very same author of the blogpost I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and stir the pot – not to actually provide any real warning.