Reminder: Social Engineering Isn’t Just An Online Threat

By Bill Brenner

Shortly after DEF CON last month, friend and journalist Steve Ragan made an observation in his Salted Hash blog: people standing in the many long lines at the event were forgetting a basic social engineering risk.

He wrote about how one individual in particular was talking in detail about a project he was working on:

So what’s the problem here? First, this person should know better (they are a security expert), and second, the project they’re working on is related to hacker legalities — some of the archaic laws that are used to prosecute (or threaten) researchers. Why was this person in the wrong? Because loose lips sink ships, and if word got out about this project before it actually gained any traction, it could be dead in the water. The government and federal law enforcement community can spook easily, and if pressed, they’ll take a hard line on just about anything. Also, this project could have political aspects to it, so debates or discussions about it that are fueled by speculation could kill it before it starts.

Ragan touches on something we repeatedly warn employees about at Akamai.

Potential adversaries are always around us, especially with our company located in a big city. Our neighbors include several competitors who would almost certainly love to hear about what we’re working on. Employees of those competitors frequent the same restaurants and shops we do, including a Starbucks around the corner.

The line is usually pretty long at that Starbucks. And when the line is long, people naturally pass the time by talking.

I’m in that line a lot, and I’m always thinking about my various projects. It would be easy to go over the details of those projects with the person standing next to me in line.

I’ve had to train myself to limit the topics I talk about to the weather, family matters and so on.

We’ve all spent so much time worrying about social engineering tactics online — phishing and the like — that we’ve forgotten about the threat offline.

I’m glad Ragan wrote us all a reminder.