I'm "in" the sphere of people who were targeted by this researcher. I never was asked to friend her, but a few of my friends did friend her. A good number of them don't really share anything actionable on Twitter, FB and the like. They "friend" pretty much anyone, and opt to not share things that could come back to bite them. A lot of people who "fell for it" didn't really fall for much of anything. The couple of people who outright offered jobs and such? They were had.
Right, and by the third or fourth day, we all knew who it was. It was just too easy to pick out: this person's profile had too much in common with the person behind it (paintball team, Facebook fan of that person's company page, etc.). Some of us who were asked to connect before "she" had any followers spotted it right away.
Were people offering actual jobs? Seems more likely they only wanted to interview "her", which is a pretty reasonable thing to do. Doesn't give "her" much power.
I'd need to go back and grok the epic pile of shoddy journalism that this event created. Somewhere, I thought I read that people were trying to hire Ms. Sage's persona.
Also, this really isn't much different than what Shawn Moyer and Nathan Hamiel did ahead of DefCon 16 and Black Hat Las Vegas 2008. They set up a Twitter and Facebook account in the name and visage of someone who is a REALLY big name in information security (who happened to have not yet gotten on board with social networks) and just started going at it. They amassed a bunch of followers and "friends" on a few different networks. They generally tried to say the kinds of things this person would say in real life. They linked the account to that person's real web presence, etc.
You really wouldn't know it was an impostor at first glance.
Actually, a lot of people pointed this out, as well as the suspicious address, and other inconsistencies (her age, lack of presence in the MIT student database, ...)
The only question at the time was "is this a recreational troll, or is it a 'security researcher' trying to test the community?" -- it seemed too amateurish to be a real intelligence-gathering attempt.
+1 .. It'd have been nice if he had disclosed some of his methods. Just saying "I had access to email and bank accounts" doesn't really do much. This fake profile of a good-looking lady is social engineering 101.
It's psychological more than anything else. When a good-looking woman who matches on your interests and qualifications approaches you, it's but natural for the person to lower their guard down. Also, a lot of people could have been in touch for purely networking reasons, wanting to leverage the network such an individual would possess.