<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>miriku.com &#187; social media</title>
	<atom:link href="http://miriku.com/wp/tag/social-media/feed/" rel="self" type="application/rss+xml" />
	<link>http://miriku.com/wp</link>
	<description>a website</description>
	<lastBuildDate>Tue, 22 May 2012 17:06:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Exploiting Trust: Vulnerabilities in Social Media</title>
		<link>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/</link>
		<comments>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 03:08:12 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[culture]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[buzz]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=472</guid>
		<description><![CDATA[A list of attacks possible in our over-trusting social media sphere.]]></description>
			<content:encoded><![CDATA[<p>Right now social media, security-wise, is exactly where the internet was in the mid-90s: we&#8217;re excited, we&#8217;re adding functionality, we&#8217;re connecting to everyone, and we&#8217;re assuming that everyone else is as excited and good-willed as we are. In other words, we&#8217;re trusting.</p>
<p>Much like early websites, built by enthusiasts (in all the negative connotations of this word), our current approach to distributing information about ourselves has very few security precautions. This is partly because we don&#8217;t really understand the scope of our actions, and partly because what we&#8217;re writing is free content for the social media sites: the more we write and the more people read it, the higher the value of their website.</p>
<p>This isn&#8217;t an attack on any specific protocol, site, or network, though I will discuss a few, but rather a general discussion of our attitude. I realize I&#8217;m writing this 1 day after the launch of Google Buzz, but all of these vulnerabilities existed previously as well; Google&#8217;s ubiquity and attempt to centralize all of it make them more obvious.</p>
<p>One great example of trust is the hash tag mechanism on Twitter. Companies are using hash tags to foster conversation about themselves without any thought about the lack of moderation in the medium. A corporation that would instantly file a cease and desist against a website that made claims in its name in official-looking type is more than happy to lend legitimacy to &#8220;its&#8221; hash tag by having reps post to it from their Twitter accounts. This creates a trusted space with absolutely no access control, as anyone can post using any hash tag.</p>
<p>If an attacker waits for this company name hash tag to achieve legitimacy and a crowd of followers, all she has to do is push enough posts quickly enough to cause a (pardon) buzz, and an instant bad-press rumor is launched. There are plenty of forums that can (and, off the top of my head, 4chan, Digg, and Reddit have) push enough posts to create a trending rumor out of the blue, especially as the retweets from confused readers begin and take over the process. Since Twitter provides an API, this could also be done by a single bored person who has created a few thousand accounts for himself with a CAPTCHA breaker and can write scripts. By endorsing these open hash tags, companies are basically giving the world at large the ability to speak in their voice.</p>
<p>Companies have also taken to putting up screens in their lobbies (or, in one case in San Diego, on a large TV behind the bar) that show their hash tags as scrolling searches. The lack of moderation means that anyone can post ads for their competitors, or simply embarrassing content, in order to hurt the brand name. There is no way to stop this content from being posted to the hash tag and, short of closing the feed, no way to remove it. Some of the software goes as far as displaying images inline; ways to prank this are left as an exercise for the readers.</p>
<p>On the complete opposite side of this target space are personal social media attacks. A casual glance at Facebook, Twitter, and Buzz feeds shows that we treat these websites like personal conversation tools, not billboards for all to see. Things that we&#8217;d never plaster over our house, like &#8220;I&#8217;ll be gone on vacation for 7 days so no one is home&#8221;, we&#8217;re more than happy to put online on a site that also has our address. We fight like mad against the invasive nature of omnipresent cameras while tweeting our exact location every 30 minutes in order to get Foursquare points, with absolutely no sensation of irony.</p>
<p>Google Buzz, which by default appends map information when posting by phone, makes this even more obvious. A chatty person involved in a back-and-forth might leave a complete trail of where they were at near-constant intervals in their day. While I grant that this lack of privacy is not catastrophic in and of itself, a criminal with a smartphone and access to the &#8220;local buzzes&#8221; feature would be able to have up-to-the-minute reports of who is where, who just went to the ATM, who is bringing home a new expensive TV (and where exactly they are plugging it in), and, with a trip to the airport, a constant feed of people excited to be going away for a few days.</p>
<p>The last in particular highlights that we have not reached the point that caused the tip towards security on the net: automation of attacks enough to let every Joe the Script Kiddie do harm. Currently an attacker would have to go to the airport, set up a laptop, pull buzzes of people leaving or arriving, compare them to their previous buzzes, and figure out their home address. However, all of the above can be converted into a simple application which performs all these steps in a few seconds, something which we&#8217;ll playfully call iBurglar. Once it&#8217;s an easy-to-use app, available for download, we will be at the point where we might start to see action from the social media websites.</p>
<p>We also do not realize how permanent the things we write on these websites are and how trivial searching them has become. A search on social sites for phrases related to drug use (try 420) shows people more than happy to discuss illegal actions in criminally implicating ways. And this time, unlike with phone or text messages, we can&#8217;t even begin to claim an expectation of privacy: we are literally posting it for everyone to see. There was recently a news story about a bail-hopper who was caught because cops recognized the resort in the background of his new Facebook profile photo. This didn&#8217;t even require a warrant; it was a public photo.</p>
<p>It&#8217;s easy to dismiss examples like that, and all the previous ones, as the fault of the users, but users assume privacy and assume good intentions. Currently social media is a giant space completely open to attack, and our current open-by-default approach is not sustainable. It is the responsibility of social media designers to create mediums that steer users into safe behaviors and quite literally protect them from themselves, while at the same time balancing the needs of their shareholders and advertisers. It&#8217;s an interesting future, no doubt.</p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
	</channel>
</rss>

