Tuesday, February 10, 2009

Trust 2.0

The pre-commercialized and non-web-enabled Internet was a trusted environment. The sys admins knew each other. If they saw a problem coming from a particular address space they knew who to call.

Because everyone was trusted, there were few security controls built into the architecture. Most of us don't lock the doors inside our home because we trust the people inside. Same thing. That's why the original Internet Worm (the Morris Worm) in 1988 was so devastating. And that's why we still have problems today.

Here's a fairly non-technical example of the technical security problems of the Internet. To send email you used to have to type who it was to, who it was from, and the message. Note that you TYPED who the message is from. In a trusted environment it was assumed that no one would lie about who they were. This is the exact same protocol that goes on behind the scenes in our fancy email applications and online services. This is why spammers can make their emails look like they come from a variety of fake addresses. This is why many viruses would hijack people's address books, so that their malicious messages looked like they came from friends.
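As an added example (not part of the original post), here is a small defensive check built on that point: because the From line is just typed text, it compares it with the Return-Path header that the receiving server records from the envelope sender. The sample messages, the finding names and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail. Return-Path is written by the
# receiving server from the envelope sender; From is whatever the sender typed.
SAMPLES = {
    "consistent": "Return-Path: <alice@example.org>\n"
                  "From: Alice <alice@example.org>\n"
                  "Subject: lunch\n\nSee you at noon.\n",
    "forged_friend": "Return-Path: <bounce@bulk.example.com>\n"
                     "From: Alice <alice@example.org>\n"
                     "Subject: look at this\n\nOpen the attachment.\n",
    "display_name_trick": "Return-Path: <x@bulk.example.com>\n"
                          'From: "alice@example.org" <x@bulk.example.com>\n'
                          "Subject: hi\n\nIt's me.\n",
}


def domain_of(value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_findings(raw):
    """Return reasons the claimed sender of a raw message deserves a second look."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    findings = []
    if not env_dom:
        findings.append("no-envelope-sender")
    elif from_dom != env_dom:
        # Heuristic only: mailing lists and bulk senders differ legitimately.
        findings.append("from-differs-from-envelope")
    # A display name that is itself an address at another domain can be what
    # a mail client shows the reader instead of the real address.
    if "@" in display and domain_of(display) != from_dom:
        findings.append("display-name-imitates-address")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_findings(raw))
```

A mismatch is a reason to look closer, not proof of forgery, since the envelope sender is also supplied by the sending side.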

There are a multitude of problems like the email protocol. The Internet generally believes what it is told about what something is and where it is from. This creates problems when untrusted people enter into a trusted space. We try to layer on protections like anti-virus software and site analysis tools, but the underlying architecture remains open.

Enter Web 2.0. As pointed out by many, including this recent CSO Online article, social networking sites have the added danger of providing very powerful capabilities to non-techies. And they continue to be environments of trust.

The ability to post and share files (including pictures and applications) used to require programming, but now everyone can do it. Although Facebook users may invoke their privacy settings, they are still in a largely trusted environment, as there is little authentication for "friends." This combination of power to those who may not understand and lack of authentication allows for a multitude of threats.

First, actual friends may unknowingly open you up to threats. They may link to some malicious code (possibly found on one of their "friend's" sites) that will steal your personal information or provide access to your employer's network. They may (with or without malice) post personal information about you or pictures that will haunt you later.

Lack of authentication means that someone who is not actually your friend can do the above, too. Additionally, if you friend a faker you have given them access to data that you considered private. Why did you friend that person? Perhaps they were a friend of a friend.

I admit that I use some of the Web 2.0 tools. And I blog, so I'm obviously not the most hardcore of privacy geeks. Security and privacy are always trade-offs for other things, such as convenience and functionality. Sometimes I decide it is worth it to make the trade. But I do so knowing that a trade is being made. Many people don't think about that part. And they get in trouble.

Whenever you post anything or click on anything or believe anything on the Internet consider who you are trusting. Since it is essentially impossible to delete anything from the Internet, the answer is usually that you are trusting everyone for all time. Privacy settings may temporarily limit the sphere of trust, but it should be assumed that those limits will eventually erode.

Who do you really trust?

UPDATE: For an example of how Trust in Real Life can create technical vulnerabilities, check out this social engineering example that uses someone's MySpace/Twitter updates, a cheap shirt, a USB drive, and cookies to hack a network.
