Accordingly, Mr. Ryan delivered his findings at the BlackHat conference a couple of weeks ago. My friends over at SecurityCurve posted a disappointed review of the talk.
It’s not that the discussion didn’t lay out how Tom Ryan did what he did – oh sure, there was plenty of that. He even had the woman whose picture he pilfered in attendance. But at the end of the day, the discussion was very heavy on the titillation factor: from the girl he exploited to the practitioner he embarrassed via their connection to a wife swapping site. But why do we care? So he tricked some people into friending him… And (surprise, surprise) Facebook and Twitter make it easy to link together various information about someone – that’s the point. So if you went into that talk wondering why you should care, you came out of it the same way.
It's really too bad Mr. Ryan didn't dig a bit deeper into the security ramifications of the ease of creating relationships on-line. BTW, Diana at SecurityCurve told me that the name Robin Sage is likely to be a red flag for anyone trained in covert operations, which is probably why no one in the CIA or FBI accepted the friend request.
Still, despite the anemic analysis of the Robin Sage experiment, the issue stands: what criteria do people use to make on-line connections, and how deep does that trust go? Clearly, Mr. Ryan found that more than a cute face and a blue-chip pedigree gets you connected. His final comment in the CW interview points to the fact that it was Robin's contacts that got noticed:
Toward the end of the experiment, there was this massive influx of Arabs from overseas that were trying to get on the Robin page where all the military stuff was. I didn't really care for it. That was a bit scary.