The Dangers of Friending Strangers: the Robin Sage Experiment

Would you approve this person's friend request? (Photo courtesy Provide Security)

By Petty Officer 2nd Class Elliott Fabrizio

Adding tons of Facebook friends doesn’t necessarily make you popular. It may actually put you, and the Defense Department’s (DoD) information security, at risk, especially when you have friends you don’t even know.

Provide Security, a cyber security company, illustrated this danger with the Robin Sage Experiment: fake Facebook, Twitter and LinkedIn profiles created under the alias “Robin Sage.” A photo of a cute girl (borrowed from an adult website) and the job title “Cyber Threat Analyst” completed the fake profiles.

Thomas Ryan, co-founder and managing partner at Provide Security, posed as Robin, sent friend requests and established social network connections with more than 300 professionals at the National Security Agency, the DoD and Global 500 corporations.

Robin’s new friends revealed information to Ryan that violated military operational security and personal security restrictions.

“The worst compromises of operational security I had were troops discussing their locations and what time helicopters were taking off,” Ryan said during a phone conversation.

People also sought Robin’s professional advice, invited her to dinners and offered her job opportunities. Not bad in this economy for a person who doesn’t even exist.

“From one person I was profiling, I was able to get all the security questions for their e-mail and bank account,” Ryan said. “These are questions like what was your first car?”

I don’t even want people I know to have access to my e-mail or bank account, much less anybody on the Internet with the audacity to send out a friend request from a fake profile.

From time to time I have received a random friend request from a person I don’t know, usually accompanied by a profile picture of a pretty girl, but I have this rule of thumb: if I haven’t met you, we aren’t friends yet. Megan Fox is the only exception to this rule.

My suspicion is that an unknown friend request could lead to anything from phishing scams to something as harmless as an attempt to get me to fill out annoying surveys. Either way, the answer is to ignore it.

Out of curiosity, I still like to confirm that they are fake requests. You know, on the off chance it actually is a cute girl who found me out of the blue and is totally into me. A low friend count is my first clue, as is having only one photo.

According to Ryan’s report, a closer look at Robin Sage’s profile would have revealed an inconsistency: her claimed ten years of cyber security experience would have put her in the career field at age 15.

During the experiment, one person checked the alumni records of the Massachusetts Institute of Technology (MIT), her claimed educational background, and confirmed that MIT had no record of a Robin Sage.
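The checks described above (a claimed work history that does not fit the claimed age, a school with no alumni record, a thin profile with few friends, few photos and few mutual friends) can be written down as a simple vetting routine. The following is an added example, not code from the original post or from Provide Security. The profile fields, the thresholds and the sample counts for the “Robin Sage” record are assumptions for illustration; the age of 25 is the figure implied by the page’s arithmetic (ten years of experience starting at 15).

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold: a professional career field is unlikely to begin before this age.
MIN_CAREER_START_AGE = 18


@dataclass
class Profile:
    """What a reviewer can see on, or look up about, an incoming request (constructed)."""
    name: str
    age: int
    claimed_years_experience: int
    claimed_school: Optional[str]
    alumni_record_found: Optional[bool]  # None means the school was not checked
    friend_count: int
    photo_count: int
    mutual_friends: int


def vet_request(p: Profile, min_friends: int = 50, min_photos: int = 3,
                min_mutual: int = 3) -> List[str]:
    """Return the red flags raised by a profile; an empty list means none were found."""
    flags = []

    # Consistency check: does the claimed experience fit the claimed age?
    start_age = p.age - p.claimed_years_experience
    if start_age < MIN_CAREER_START_AGE:
        flags.append(f"claimed {p.claimed_years_experience} years of experience at age "
                     f"{p.age} implies a career start at {start_age}")

    # Verification check: the school was asked and explicitly had no record.
    if p.claimed_school and p.alumni_record_found is False:
        flags.append(f"{p.claimed_school} has no alumni record for {p.name}")

    # Thin-profile checks: few friends, few photos, few connections in common.
    if p.friend_count < min_friends:
        flags.append(f"only {p.friend_count} friends")
    if p.photo_count < min_photos:
        flags.append(f"only {p.photo_count} photo(s)")
    if p.mutual_friends < min_mutual:
        flags.append(f"only {p.mutual_friends} mutual friend(s)")

    return flags


def should_accept(p: Profile) -> bool:
    """Accept only when the vetting routine raises no red flag at all."""
    return not vet_request(p)


# Constructed sample: the claims the page attributes to "Robin Sage", with assumed
# friend, photo and mutual-friend counts chosen to illustrate a thin profile.
ROBIN = Profile(name="Robin Sage", age=25, claimed_years_experience=10,
                claimed_school="MIT", alumni_record_found=False,
                friend_count=12, photo_count=1, mutual_friends=0)

if __name__ == "__main__":
    for flag in vet_request(ROBIN):
        print("red flag:", flag)
    print("accept:", should_accept(ROBIN))
```

The thresholds are deliberately conservative defaults; the point is that each flag is cheap to check before clicking “accept,” and that the experience-versus-age arithmetic and the alumni lookup are the two that an attacker cannot fix simply by buying followers or uploading more photos.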

The danger isn’t social networking itself. The danger is doing it carelessly.

According to DoD’s directive-type memorandum on social media and Internet capabilities, it is the responsibility of military leaders at all levels to ensure the safety of DoD and personal information.

All service members are instructed to practice operational security when using communications such as telephone lines and e-mail; they need to remember that information posted through social media should be treated the same way, despite the casual feel of many of these sites.

Having a friend you don’t know means virtually anyone could be monitoring your activities and the information in your posts. If you post as much as some of my friends do, that means they’d know almost everything about your schedule, right down to that “epic cheeseburger” you ate.

Social media is a great tool for networking and communication if the user is careful about the information he or she is sharing and who has permission to view it.

So, for anyone hoping to be my friend in the social media realm, you’ll have to at least buy me dinner first.

This entry was posted in Cyber Security, Education & Culture, Technology.
  • guest

    What permission was obtained to use a real woman's photo for a fake identity? That move posed a potential threat to that individual.

  • JD

    Also sounds like good advertisement for Provide Security to me.

  • http://twitter.com/providesecurity Thomas Ryan

    The appropriate permissions have been obtained and she will be with Mr. Ryan at BlackHat on July 28th.

  • http://twitter.com/ArmedwScience Armed with Science

    @ProvideSecurity, thanks for the clarification! When will the report be released?

  • http://twitter.com/providesecurity Thomas Ryan

    There will also be a recommendation document posted at 19:45 EST at

  • janice33rpm

    Wow – this reminds me of something I saw in another article – it talked about “friending” on social networking one minute, and then “businessing” in the corporate environment the next, and mixing the two. Check out the article at IT Knowledge Exchange, called “Social Networking and the Blended Environment” by David Scott – it's a great companion piece. For that matter, check out his book, “I.T. WARS” (which you can Google). He makes the point that most organizations enjoy “security” largely as a matter of luck! These topics are fascinating! Keep these coming – security is my main interest. For some free insight, check out his blog, “The Business-Technology Weave” – you can Google to it.

  • armedwithscience

    Approve.

  • Guest_1

    Bittersweet; Info Warriors in a Digital Labyrinth waging Cyber-Warfare. Sounds like some wild fiction; however, it isn't.

  • Nich_apostol

    Oh! Total stranger! I know, my hubby told me that military stuff is only for PRIVATE. “DON'T ASK DON'T TELL,” so even I don't ask. I am careful about accepting who will be my friend here. Never trust anyone if you don't know or haven't met him/her in person.

  • ReinhardtvonMeinhardt

    If only Jerry Sage could know how far his daughter's name has gone. From his bestowal of it as the name of a Special Forces Field Training Exercise, it has now been used in an Internet sting operation. What next?

  • guest

    You are missing the most important issue here. Besides, how could it pose a threat by her picture alone? Her location or identity isn't known.

  • Guest

    Yes–a porn star's photo, with no other identifying information, was posted on the INTERNET! My god!Actually, that's called publicity.

  • Guest

    If your husband is holding you to “Don't Ask Don't Tell”, you may have bigger things to worry about.

  • Bobwearejustlikeu

    serious???

  • jaa

    I've been out of the military for almost 30 years and I still remember my ComSec training (and annual refreshers). What kind of an idiot discusses operations with anyone who doesn't have a need-to-know? Has the concept of 'unclassified information of possible intelligence value' disappeared from ComSec?

  • cori

    Looking at the profile info at , her claims put her “in the computer hacking scene” for 10 years. That's not an impossible “fact.” Improbable, perhaps, but not as telling as claiming 10 years of *work* history.

  • http://www.facebook.com/people/RedDirt-LoveGoddess/100000032104930 RedDirt LoveGoddess

    Sauce for the gander? (pardon the pun) But if somebody decided to “borrow” a picture of a DoD employee from their website and do the same experiment, that would most likely incur someone's “displeasure”.

  • Spoofer

    It's also very easy to pose as a “real friend” of a person. In other words, you could easily pretend to be an old high school friend that the mark doesn't talk to in real life much. Most people don't ask a bunch of verification questions before they accept a friend request. They just look at the picture. Of course, you can always get around that by just looking hot, apparently.

  • http://twitter.com/ArmedwScience Armed with Science

    No apologies necessary. We actually prefer that all comments include puns. (not really)

  • http://www.facebook.com/horatio.caine1 Horatio Caine

    Heck yeah, she's hot.

  • Basem

    I agree, and I see people doing that… For me, my account is only people I know, and not because I met them will I add them… I know each person on my FB. Good thing to point out.

  • ex flight test

    It would be interesting to see what the ages were of those who blabbed all sorts of EEFI. Then again, I remember GS-14s who loved to yak about all sorts of Secret info because they found out about it.

  • http://www.facebook.com/elliott.fabrizio Elliott Fabrizio

    I agree the Robin Sage experiment does have the potential to step on a few toes; however, nobody has been thrown under any buses and called out for falling for the experiment. I see it as a strong warning for everyone military and civilian to be more cautious on social media.

  • http://www.facebook.com/elliott.fabrizio Elliott Fabrizio

    An excellent point. I almost was going to put the origin of the Robin Sage name in the article, but in the interest of sticking to the point, I left it out. But yes, the name was selected after that exercise.

  • Guest

    So who's the real author of this article??? “Written on July 21, 2010 at 11:45 am by John Ohab” or “By Petty Officer 2nd Class Elliott Fabrizio”

  • Guest

    Borrowed a photo? WTF? That's messed up. They stole a photo from a business of a real person and used it for this research? Someone is getting sued I suspect.

  • http://ariwriter.com Ari Herzog

    This carries forward to anyone on any social networking site, though Facebook is particular in how people (carelessly) share information. Answers to typical online banking security questions ought to be easy to learn…

  • http://twitter.com/ArmedwScience Armed with Science

    Guest, thanks for your comment. The “real” author of the story is Petty Officer 2nd Class Elliott Fabrizio. The discrepancy you noted is a result of the Armed with Science content being written by a number of different contributors while the blog itself is administered by a separate core team, including myself. The WordPress theme automatically inserts the “Written on…” element to indicate who posted the material regardless of who wrote it. Any suggestions on how to resolve this? Thanks! ~John | AwS Team

  • johnohab

    Guest, Mr. Ryan indicated a few comments earlier, “The appropriate permissions have been obtained and she will be with Mr. Ryan at BlackHat on July 28th.” You can reach him via Twitter at @ProvideSecurity. ~John | AwS Team

  • http://twitter.com/Coyote_Longfall Coyote Longfall

    The whole take of this piece is flawed, and demonstrates a lack of understanding of social media and emerging technologies, or else intentionally misleads. I use Facebook and Twitter, and the emerging technology of virtual worlds such as Second Life, to network as an activist. I have built a network of almost 500 people on Facebook, engaged in conversations or debates, spread news stories and notified fellow activists of upcoming activities, all with my network, which is about 80% people I don't know. Be careful with your information, don't share sensitive details, but don't allow the NSA and Intelligence contractors to make you afraid. Peace, Coyote

  • guest

    Christ, she's a porn star; that move posed a threat to her bank account getting bigger when she demands royalties on whatever fees were charged on the service provided via her image. Whoop dee doo.

  • ex flight test

    Bluntly, you should never post anything about your husband on a social website.

  • ex flight test

    Um, being in DoD or the military you have to have different levels of security. I'd ban all social networks. OR establish one that is only a dot mil. Let's face it, people are sloppy with security matters. We all know what happens: passwords pasted to the bottom of the keyboard, safe combos in watch memories, papers in wallets, you know the drill. The same numbers used for multiple safes. And if Robin Sage did it, you know the Chinese, and all the rest of the people who would love to talk to us, are doing it. Just because the wall collapsed in '89 doesn't mean security went away.

  • http://www.facebook.com/elliott.fabrizio Elliott Fabrizio

    Mr. Coyote, I appreciate your activism and the role that social media plays in both your activism and the activities of the DoD. As the author of this blog I feel it important to clarify that I did not write this on behalf of the NSA or intelligence contractors, but as a young Navy journalist writing for a DoD blog. 1984 is one of my favorite books, so I'd never propose to tell anyone how to use their Facebook account, and my intention is not to scare anyone. My message was to inform people of a real danger and remind them that operational security and personal security need to always be protected. My policy of knowing everyone I'm Facebook friends with is cited as 'my personal rule of thumb' and not stated as an official policy. Naturally, if you are running an official page or an activism page, you will not know all your connections. I also firmly believe that if you are careful not to compromise operational security or your own personal security information in any of your correspondence or posts, it wouldn't matter if you were friends with everyone in the entire Facebook network. However, with the casual way that I and many of my friends use personal Facebook accounts, I find myself much more comfortable knowing the people who can read my posts and access my information. That is the point of this blog. With that being said, I am not saying your comment is flawed or demonstrates a lack of understanding of what I was talking about, but only that I hope that cleared up any confusion. Very Respectfully… or “peace”, MC2 Fabrizio

  • http://www.facebook.com/elliott.fabrizio Elliott Fabrizio

    At Horatio: Yeah, but she's no Megan Fox.

  • Dirk

    Explain what permission was legally required. Then please explain the “potential threat.” Idiot.

  • thisheartsonfire

    And how many people do they know whom you know? Common friends in low numbers is a HUGE red flag.

  • http://www.facebook.com/profile.php?id=1780873737 Nora-Adrienne Deret

    Which is why I vet all requests from people by seeing who our friends in common are and then asking them if they know the person. Ninety percent of my FB friends are published authors and are very easy to vet. Other than that, if I don't know you, you don't get friended… duhhhh. How stupid would you have to be to NOT follow that simple rule?

  • http://twitter.com/tdpubs Dennis M. Francis

    I totally agree with the author's position. I have tested this position as well to see how far the credibility of a fake personality can go. I also show people how to build their credibility on the Internet so it is a fine line that we all must be aware of.

  • Willow

    It is against the law to use a picture of someone without their consent, at least it was when I was working in photography…

  • http://www.facebook.com/people/Romeo-Ubaldo/100001151354667 Romeo Ubaldo

    WE MUST ALL LEARN ABOUT THIS TOPIC TO ALARM EVERYONE

  • Guest

    Actually, you should be afraid. There are people out there not only trying to rob you of details, hacking computers for all your info because they can; they are also stalking people after they get enough info. IT is NO LONGER A SAFE WORLD… the real monsters are out there and they use any way they can to get at you. GUESS you don't watch the news.

  • http://ronsavelo.com Ron

    The real problem here is not befriending identities that might be fake. The problem really lies with people who have security clearances, and others who should know better, allowing a short circuit between their genitals and their brains. Meeting someone through social media is no different than meeting someone on the street or at your local supermarket. Why would anyone share confidential information with a stranger, particularly if you work for a government agency, unless that person had ulterior motives of their own? Everyone is ultimately responsible for their own conditions, wouldn't you say? Some are just more responsible than others.

  • juanrico

    The other clue is that “Robin Sage” is also the name of the capstone exercise in the Special Forces Qualification Course. But, you would have to be a special ops geek to know that…

  • ivan trograncic

    If you work for any service of the USA, especially any sort of security… you must think, before any longer contact with any person, that your eyes' beauty and smile aren't the only attraction… for a stranger. Trogi.

  • http://www.donatingmoney.org/ donating money

    I have learned my lesson on this topic. Thanks for informing the public.

  • Detective Dar

    Being a detective, I really like to use social media for investigations. Getting someone to accept your friend request or following their tweets is very useful.