November 22, 2007

Happy Turkey Day

Happy Thanksgiving to all my friends and family. For only the second time in my life, I am spending Thanksgiving away from home. The first time was when I was visiting a friend in Venice and the reason this time has to do with a combination of seeing my family back in October, and my recent travel to and from Germany. I got back from Germany Monday, am here in Seattle for Turkey Day, and then I leave again for Germany on Monday for a good couple weeks.

Germany was, simply put, awesome. Knowing absolutely no German was a bit of a challenge, but most Germans actually know enough English to help me along, so it wasn’t really too much of a problem. I would go through phases of confidence, however. Like the second day I was there, when I had looked up a few German phrases on about.com and headed out into the streets saying “Morgen!” to passersby and anybody else I had a chance to. Unfortunately, with such confidence comes the assumption from others that I was actually able to speak German. And when they would reply to me as such, I just kind of stared back at them with a big dumb American expression on my face. Oh well.

Seeing as how I didn’t know German, I eventually started ignoring most signage. This became a problem when I wanted to eat breakfast at the hotel I was staying at. I was actually staying in a co-worker’s apartment, as he was out of the country, so I wasn’t familiar with the hotel. Little did I realize that even though the room I was staying in was located in one building, the actual hotel was down the street. This wouldn’t have been so bad were it not for the fact that the building I was staying in was also a hotel. So when I walked down to their front desk to drop off my laundry, the poor girl was quite confused. I eventually showed her my room key and she grinned and said she would take care of it for me. Not really understanding what had just happened, I walked across the hallway and sat down for breakfast. The girl, again looking confused, came up to me and told me that I could have a much nicer breakfast if I went to the hotel I was actually staying at. *oops*

The weekend before I came home, I went to Dresden to take part in an Expat Blogger Meetup. This was really fun as I got to spend time in Dresden, a fantastic city, with several Americans who were already pretty familiar with Germany. One of the other expats even grew up in Connecticut originally! Dresden, and all of Europe, is so full of history I feel I could wander around aimlessly for quite a long time. Driving on the autobahn was also fun - it’s nice to be amongst other drivers that are considerate and know the rules of the road.

I’m off to a turkey here in Seattle for now. Feel free to check out my Dresden trip on Flickr.

November 11, 2007

Socnets and Security

There’s a meme going around about socnet ROI measurements and I got pinged by Clay Newton about socnet inputs into security metrics. It’s always interesting to discuss security and ROI, because ROI is one of the more elusive aspects of security. Having good security is generally compared to insurance: you don’t realize you need it until it’s too late, or you pay and pay and pay for it but never realize the need for it. So what’s the ROI? Not being hacked? How do you monetize that? ROI is hard enough to determine in general, never mind on a social network where there’s no data. So allow me to ramble for a few brief moments.

Security metrics are somewhat difficult in general, especially if you’re trying to get detail on how much “hacking” is going on. People don’t like talking about being hacked in general, never mind on a public network. I’ve tried tracking various security-related keywords on Twitter such as “hacked”, “security”, “hacker”, etc., and the resulting tweets are pretty limited. So let’s talk about security within social networks themselves.

What are the two primary concerns on social networks? The enormous attack surface, and information disclosure.

Let’s take attack surface first. Organizations have their perimeters relatively well locked down these days. Internal networks are getting better, but are still pretty soft. Nevertheless, any security researcher will tell you that the current target is the client, and more specifically the browser. Individuals are becoming much more connected, and attackers have realized that if you can compromise the individual, you gain access to a whole lot else.

Historically there have been a couple of wide-scale attacks on social networks. The Samy worm (October 2005) took advantage of an XSS bug in MySpace’s profile pages: script embedded in one profile added Samy as a friend of whoever viewed it and copied itself into the viewer’s own profile, so it spread to over one million users in under 20 hours. The Samy worm was fairly benign, but there was another attack on MySpace that used the site’s ad network and a Windows Metafile (WMF) vulnerability to install adware, keystroke loggers and who knows what else. That attack also likely affected over one million users. Even this past week there was an issue with MySpace music pages. So we’ve seen that malware distribution through social networks is definitely possible. And social networks are getting more dynamic: with Facebook’s developer platform and OpenSocial, socnets are trying to make it easier to write third-party applications, and OpenSocial in particular aims to make them portable across networks. The only difference between a malicious application and a legitimate one is the intent of the author.
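As an added example (mine, not code from this post, from MySpace or from Samy Kamkar), the Node.js script below shows why a blacklist-style input filter of the kind MySpace relied on in 2005 could not stop a payload like Samy’s, and what does. The toy `blacklistFilter` strips `<script>` blocks and the literal token `javascript`; `escapeHtml` HTML-encodes the user’s text so that nothing in it can ever open a tag or attribute. The “split token” sample reproduces the evasion class Samy described in his own write-up (a newline inside `javascript`, which older IE tolerated); the filter, the `hasScriptVector` scoring heuristic and all sample bios are constructed for the demo and are not MySpace’s real code.

```javascript
// Added example, not code from the original post or from MySpace: a constructed
// blacklist XSS filter beside output encoding, scored against sample profile bios.

// Toy blacklist filter: removes <script>...</script> blocks and the literal
// token "javascript". Constructed stand-in for the class of filter MySpace had.
function blacklistFilter(userHtml) {
  return userHtml
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/javascript/gi, "");
}

// Output encoding: the user's text becomes inert character data regardless of
// content, so it can never open a tag or attribute in the surrounding template.
function escapeHtml(userText) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return userText.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the user-controlled bio inside a trusted page template.
function renderBio(userInput, sanitizer) {
  return `<div class="bio">${sanitizer(userInput)}</div>`;
}

// Heuristic used only to score the demo: does the user-controlled fragment still
// contain a tag a browser could run script from? It first collapses whitespace
// inside "java script", because IE of the Samy era did the same, which is how a
// newline in the token got past a filter matching the literal "javascript".
function hasScriptVector(fragment) {
  const normalised = fragment.replace(/java\s*script/gi, "javascript");
  const tags = normalised.match(/<[a-z][^>]*>/gi) || [];
  return tags.some((tag) =>
    /^<script\b/i.test(tag) ||        // raw <script> element
    /javascript\s*:/i.test(tag) ||    // javascript: URL in an attribute
    /expression\s*\(/i.test(tag) ||   // CSS expression() in a style attribute
    /\son\w+\s*=/i.test(tag)          // inline event handler (onerror=, onload=, ...)
  );
}

// Constructed sample bios (not captured data). "splitToken" uses the
// newline-inside-"javascript" trick from the Samy write-up with a harmless alert().
const SAMPLES = {
  benign: "Hi! I like <3 music & long walks.",
  plainScript: "<script>alert(1)</script>",
  splitToken: "<div style=\"background:url('java\nscript:alert(1)')\">hi</div>",
  eventHandler: "<img src=x onerror=\"alert(1)\">",
};

// For each sample, reports whether each defence left an executable vector behind.
function compareDefences(samples = SAMPLES) {
  const results = {};
  for (const [name, input] of Object.entries(samples)) {
    results[name] = {
      blacklistLeaksScript: hasScriptVector(blacklistFilter(input)),
      escapeLeaksScript: hasScriptVector(escapeHtml(input)),
    };
  }
  return results;
}

console.log(JSON.stringify(compareDefences(), null, 2));
console.log(renderBio(SAMPLES.splitToken, escapeHtml));
```

Run it with `node`: the blacklist catches the obvious `<script>` sample and passes the benign bio, but lets both the split-token and event-handler payloads through, while output encoding neutralises all of them. Encoding is the right answer when users only need plain text; if a site must allow user-supplied markup, as MySpace profiles did, the alternative is an allowlist sanitizer built on a real HTML parser, never a regex blacklist.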

The other concern, of course, is privacy. Imagine a low-profile worm silently crawling across all the networks, gathering the information you’ve put about yourself on each of them and compiling it into a giant database. Think, just for a brief moment, about who you’ve given access to your life. You could build an immensely detailed picture of the past five years of my life simply by crawling the different social networks I’m on.

Think of all the hard work you’ve put into making each of your networks complete. MySpace - how many crimes (the most recent is the UW student being accused of murder) have been revealed because of MySpace? OpenSocial - how long did it take to “hack” the first OpenSocial app? 45 minutes. Facebook - Facebook is “more mature” than MySpace, but it collects a lot more statistics about its users (I believe because it’s beneficial to then join Facebook networks). What if somebody could harvest all of that data… and then sell it? How’s that for an ROI?! Twitter - to make Twitter work, you have to tweet. To tweet, you have to expose information about yourself. To expand your network, you have to open yourself up. Unless you already have a network.

So those are a couple of my immediate thoughts when the words security and socnet appear in the same sentence. I realize that didn’t quite address the original question, but I would be happy to answer any specific questions. For now, I must collapse on my German bed.

Germany

So after approximately 21 hours of travel, I am sitting in my temporary accommodations in Germany. The trip was great, mostly because of the business class ticket that allowed me to eat non-stop and catch some good movies on the way over. I just wanted to say a quick hi that I’m excited to be here (this is my first trip to Germany) and I’m already having a great time. I went exploring a little bit tonight and got a little lost, but not really. My fantastic male sense of direction kept me tuned in at all times to where I was. ;-)

For now though, it’s time to catch up on some much-needed sleep.