April 19, 2009

Is Twittering safe?

So Susan has been on my case about Twitter for some time now. In a recent round table we were recording she "beat me up" about it, and tonight on IM we had a good discussion about the REAL vs PERCEIVED risks in Twitter.

Susan's biggest complaint is that security minded individuals shouldn't be blindly recommending the use of Twitter without educating the user on 'safe-twittering'. I would say that same logic exists for setting up web pages, blogs and the use of social networking sites like Facebook.

She stepped that up a bit tonight when she blogged her discomfort in the fact the RSA Conference was recommending Twitter as well.

So in an effort to stop spreading the FUD about Twitter insecurity, I wanted to share some of my thoughts through a quick set of safe twittering rules.

@DanaEpp's 5 Rules of Safer Twittering

  • Never share information in a tweet that you wouldn't share with the world. You can never expect to take it back once it's on the Internet. Even though you can delete a tweet, 3rd party clients may still have it archived. If you feel you want to share private thoughts through Twitter, consider using a "Private Account" and limited it to only people you trust and want to share with. Of course, remember nothing prevents your friends from sharing your tweets with the world. So never share private information on Twitter. Ever. it's just easier that way.
  • There is no assurance that a Twitter account is the person you believe it is. Deal with it. Anyone can register an account if it doesn't already exist. As a real world example, for some time @cnnbrk was NOT an official CNN account, even though most of the Twitter world thought it was. It wasn't until recently that CNN bought the account from James Cox (the account holder) for an undisclosed amount of money. Another example is the fact that one of Susan's Twitter accounts was actually created by a fellow SBS MVP, and not actually her. :-)
  • Never click on links in a tweet, unless you trust the URL. If unsure, don't click! The worms that were used to attack Twitter came from people getting users to go to profile pages etc that they had control over for some interesting script attacks. With only 140 chars, its common to "shorten" the URL. Which means you might be clicking on a link blind. That's fine. But only trust shortened URLs that can be previewed BEFORE you go to it. As an example, my recommendation is to use something like TinyURL. However, here is the trick. When you create a TinyURL, use the preview mode. As an example, if you want to send someone to my blog you can use http://tinyurl.com/silverstr to go directly. However, if you use http://preview.tinyurl.com/silverstr it will stop at TinyURL.com and let the user SEE the link before they actually get to it. That is much safer. If using TweetDeck, select TinyURL as the provider, and when it creates the shortened url, simply add "preview." in front of "tinyurl.com".
  • Use a 3rd party Twitter client instead of using the Twitter.com website directly. I am a fan of TweetDeck and Twitterfon, but there are tons of different clients out there. Why? It is the lesser of two security evils as it relates to web based attacks in Twitter. Most clients have ways to reduce or turn off linking, prevents the script attacks in profile viewing and generally is just an easier environment to stay protected in. Are these clients free of attack? Of course not. But its another layer of defense. Of course... you need to have trust in your client. But that's a story for another day ;-)
  • You never know who is following you. Remember that. As you use Twitter more and more, you never know who might be watching. I recently had someone who has been trying to get an interview with me who follows me on Twitter, knew where I was having coffee one day because of a tweet I wrote (and it's geotag) and ended up coming down to confront me with his resume. Which was inappropriate in my books. But my own fault. I wasn't too concerned.. but it definitely gave me pause when considering my daughter uses Twitter and could be as easily found. Nothing like the potential of being stalked. GeoTagging makes it way to easy to find you. Remember that.

Look, Twitter is addictive. Simple. Short. Fast. A great way to see the thoughts of others you might care about. Ultimately though... like any other Internet based technology it has the potential to be abused... and put you at risk. No different than websites or blogs.

So be careful. Follow these rules and enjoy the conversation!

Posted by SilverStr at April 19, 2009 10:58 PM | TrackBack

Not bad, but my thinking regarding twitter is to think of it like it says it is, a micro-BLOGGING system. Your rules for twitter above hold fairly well to the rules for blogging. The big danger is that people forget each tweet is a blog post and start thinking their @ conversations are private IMs.

Posted by: Arcterex at April 20, 2009 09:11 PM

Totally agree. I think the difference is how the conversation take place. Twitter can at times almost be real time convo... where blogging rarely is (ie: I am just getting to your blog comment... but have seen you more on Twitter in the last 24hrs).

It's true that some people thing their @ convos are private IMs. I wish they would treat it more like a convo at a conference center. So much noise going on... you never know who is listening.

Posted by: Dana Epp at April 22, 2009 08:14 AM

I think the person looking for a job was very creative and persistent. In the USA today if you want to get a chance to beat the 1000 other people looking for a job like yours you need to do whatever you can ( that's legal ) to try and get it.

But like you said stalkers can use it also. Everything in this world is a two edged sword.

Posted by: Dean at April 24, 2009 07:36 AM