Michael Santarcangelo has soft-launched the Security Catalyst Community forum site. This is something we do need, and I’m enthusiastic to see where this community goes. While I think this might be an excellent initiative, there are some concerns I’ll just post here because they’re really not important enough to bring up to Michael S or those forums.

First, growing a community is not easy unless you happen to have something that draws people in on its own. That’s rare, really. I’ve done community-building work back in gaming where I ran gaming leagues and competitions and basically worked hard to keep the community participating and just plain caring. It is not easy work and is not something you can just say, “I’ll build it and they will come.” Many forums and sites have sprouted with that mantra and within 6 months the only posts you see are spam posts and what might otherwise be seen as the dust and tumbleweeds of the Internet. It takes constant work by dedicated persons, constant content, and lots of posting and giving people a reason to show up. What makes this even harder? My communities were gamers with lots of leisure time. This community may be made up of a lot of very busy professional people. Hopefully this community will recruit some good people to lead the discussions and provide a reason for everyone else to slowly filter in and continue to contribute.

Second, I’m undecided about the somewhat informal policy of registering with one’s real name, or at least putting full name in the signature. I’m not sure the goal of this other than to look more professional. I don’t think we need a stuffy community, but rather one that is willing to talk openly. As information security professionals, I think we, of anyone, should be empathetic to our decisions to control or at least mitigate information leakage. Yes, I know McNealy will say my privacy is already gone, deal with it, and I agree with him. But that doesn’t mean I have to let go of every device by which I maintain at least a little control. One of those is forums and comments on other sites. The only site that I really like to tie my name, online handle, and/or contact information is either through my own pages or someone deliberaly tracking me down. I will lose this battle someday, but until the world starts getting better equipped to deal with it, I’ll still put up a fight. 🙂 We can’t let today’s inability to deal with information and identity and the internet get in the way of our professional and (oftentimes needed!) informal communication. The people who want their names posted typically are the people who are branded by their names. They have an interest in making sure their name is out there (typically analysts and experts). Also, if my name is associated with the company I work for, I can’t typically talk about certain things without people putting 2 and 2 together and knowing my company has an issue with security concept X. That sort of secrecy is one of my biggest issues and it makes it hard for any of us to properly learn from other’s mistakes. That’s really one of the biggest reasons I enjoy things like Infragard (NDAs) and other local informal groups of buds. There are many very smart people out there with very valuable ideas that may not want to be associated with their given name when online.

Kinda like McNealy saying my privacy war is already lost, so too is the war on anonymity online. Not only can you not always completely stay anonymous online, but (oddly enough), you can stay pretty damned anonymous online. I don’t think a forum community is going to be truly able to maintain the informal policy of non-anonymity. I could pick some random name and bounce through proxies to join in with a free email address and change my grammar/writing style. We shouldn’t need to do that here. Likewise, it should be enough that the moderators have the ability to check IP and logs and deal with any miscreants in due fashion.

Besides, come on, there’s plenty of Michaels running around here! Hell, at my last job we had 3 Michaels on the same team of 4 people (the odd one out had Michael as his middle name). Other than deliberate impersonators, I’ve yet to see another LonerVamp. 🙂

Nonetheless, I look forward to participating as LonerVamp in this new community and seeing where this goes. There’s a lot of vury smurt people whom I regularly read already signed up!