Incompetence Saturday Begins: That Annoying “Ten Concerts, One’s A Lie” Facebook Game

It’s a relief to know that I occasionally pay attention to what I teach.

When so many of my Facebook friends started rushing like lemmings to play the viral “Name ten concerts you attended, with one phony one” game yesterday, I hesitated, and not just because listing Al Jolson, Enrico Caruso and Jenny Lind would reveal my true age. I had just been explaining to a group of Pennsylvania lawyers that they probably weren’t as competent in using technology and social media as they thought they were, and that if there was one thing of value to extract from the last Presidential campaign, it was a searing lesson in the consequences of being naive, lazy and gullible while using the internet. (Yes, I’m looking at you, John Podesta!)

By purest coincidence, yesterday also marked my four-hour efforts, involving four phone calls, three phones, two websites, three passwords and a consultant (my son), to switch my e-mail address from Verizon to AOL, since AOL has purchased Verizon’s e-mail business. As I neared the finish line of this ordeal, I encountered AOL’s list of “Secret Security Questions.” One of them was “What was the first concert you attended?”


Sure enough, this morning the New York Times revealed that internet experts recommend not playing the ten concerts game, or other social media quizzes either. “Privacy experts cautioned it could reveal too much about a person’s background and preferences and sounds like a security question — name the first concert you attended — that you might be asked on a banking, brokerage or similar website to verify your identity,” said the Times.

Michael Kaiser, executive director of the National Cyber Security Alliance, told the paper that while the concerts quiz posed only a moderate security risk (pssst: Moderate risks are still risks), since not every website offered a security question about a person’s first concert, such a list might telegraph information about a user’s age, musical tastes and even religious affiliation, any of which could be used by internet marketers to target the creator. Similarly, the answers to quizzes on Facebook may reveal specifics about a person’s upbringing, culture or other identifying features.

Another privacy expert recommended exercising “vigilance bordering on a little paranoia” in online posts, noting that “We need to understand how we interact can disclose not only specific details but patterns of behavior and often our location, among other things.”

Kaiser concluded with this advice: “People always have to have their eyes wide open when they’re on the internet. It’s the way of the world.”

Except that they don’t have their eyes open. Every fun-loving Facebook user who passed along the concert game was potentially setting up their friends to be hacked. Using the internet, including e-mails, the web and social media, really is like driving on the highway, but a highway with features, potholes, dangers, risks and new traffic patterns that can change daily. Doing so competently and safely requires care, anticipation, caution and skill, and most of us don’t have enough of any of these.

In other words, most of us are too incompetent to use the internet the way we do, and that incompetence can harm us, our families, our friends and our clients.

By the way, here’s my list of concerts (and one’s a lie, though it shouldn’t be)…

1. Victor Borge

2. Jimmy Durante

3. The Happenings

4. Marlene Dietrich

5. Martyn Green

6. Paul McCartney

7. Bonnie Raitt

8. The Neville Brothers

9. Ladysmith Black Mambazo

10. Anna Russell

Hey, only five of them are dead!

Anyone who can figure out anything about me from that list that isn’t readily available elsewhere has earned their hack.

28 thoughts on “Incompetence Saturday Begins: That Annoying “Ten Concerts, One’s A Lie” Facebook Game”

  1. If that is a true concern, people should adjust their Facebook settings, because obviously their safeguards are too loose. Also look closely at their friends list. Because, if you think about it for half a second, your entire Facebook account is rife with information people could use against you. You could find someone’s birthday, their mother’s maiden name, the name of pets, cars, the street they grew up on, their elementary schools, etc. all quite easily from an account. You could find the same concert info from looking at their music ‘likes.’ There really isn’t much protection for the ignorant and careless, but there never has been.

    • This is why many security experts recommend not answering the security question honestly at all. They recommend using security questions as a second password, following the same rules you would use for the first one.

      • Exactly… the answer to any three security questions might be the same word or phrase… and so noted in my password vault, which is itself guarded by 256 bit encryption AND a 23 character password. Really important information does not reside electronically ANYWHERE.

  2. > to switch my e-mail address from Verizon to AOL

    A side note: Jack,

    I believe AOL uses gmail’s interface for their new mail, and while I don’t know if they use their spam filter now as well, I know that their spam filter used to be garbage.

    Why not consider switching to gmail directly, as it has excellent spam filters, and is the most popular web mail (which, while not an argument to its quality, is an argument for it sticking around a long time)

    Or, if you are not OK with Gmail’s anonymized data collection for advertising (certainly a fair point!), why not consider a domain email address through G suite, such as

    It is $5 a month per user for G suite, my company uses it and it’s great, not only for the mail features and security/peace of mind but the calendar and google drive are very useful as well. As well for the $5 a month, you get the assurance that, unlike free webmail services like gmail (or perhaps aol as well), you are in fact paying for the product, instead of getting it for “free” (ie, you and your data ARE the product to them)

    I note that your website contact us link uses your verizon email, something that would be easy to impersonate should someone want to
    as it is not a

    …I realize this might come off a bit as a sales pitch, and I will admit for a living I sell and set up things like this often, but I do believe that gmail/gsuite is one of the best if not the best email providers on the market right now, and would support transferring your entire inbox over from your verizon account, worth thinking about if you’re being forced to make a change anyway.

      • Exactly. Gmail also shares with the Big Brother without a warrant (as will Facebook)

        Why do I use it? NOTHING of (personal) consequence goes on that account: I use it to get notices and newsletters. My work account is much more secure 🙂

  3. Security questions are probably the weakest form of authentication, even weaker than passwords. It irks me that companies still use them, because they don’t offer any protection – they’re just ‘security theatre’, meant to make people feel safer without actually making them safer. (I don’t mean to imply that companies have malicious intent here- actual security takes effort, education of users, and money.)

    Some companies actually are starting to phase out security questions in favor of other forms of second-stage authentication, particularly e-mail authentication, SMS authentication, or tokens. One thing that I’m seeing become more common is the use of smartphone apps as a login token to help secure a user’s account far better than a security question.

    When you have to fill in a security question, don’t answer the question. Instead, use your security questions for a second password equally secure with the first. Where possible, opt in for SMS authentication or authentication tokens (if it’s in the form of a physical widget rather than a smartphone app, the token may cost you a nominal fee, usually at cost). Always check your computer for malware, and for accounts you’re particularly paranoid about, use the virtual keyboard from your computer’s accessibility features to enter passwords, so as to foil keyloggers. So sayeth the sophomore cybersecurity student. 🙂

    • Yeah, it always seemed obvious to me that I shouldn’t answer the question in a way that someone else could figure out if they Googled me.

      If the security question actually meant anything, they would censor it like they do with an actual password, instead of displaying it in plaintext.

    • Agreed. If you care about security 2sv and app specific passwords should be active on accounts you care about.

      • The Great Dane’s concert wasn’t my first but it must have been close to it. It was my 9th birthday present, to share with three of my friends, and Borge’s hilarious Punctuation (especially) left us gasping for breath with non-stop laughter. I went myself once more at the age of 16 and enjoyed the performance (identical to the first, for all I could tell) all the more for understanding the artistry — impeccable timing, superb musicianship — as well as its remarkable and possibly unique accessibility to children (as many boys as girls) or sophisticated grownups. Victor appealed deeply to a kind of joy that transcends age.

        I believe that performance holds the Broadway record for one-man shows.

        Thanks for the reminder, Jack and EC.

  4. Agree with Chase’s recommendations. Two factor authentication and other methods can help prevent someone from logging in as you but do nothing to guard against the more dangerous threat of your bank, medical records, whatever being hacked. They also don’t protect against social engineering attacks and the ever popular stealing an unencrypted laptop. Encrypt, use two factor authentication, don’t post anything on social media you wouldn’t want in the news, and try to keep sensitive stuff off line to mitigate the risk but keep in mind you are always vulnerable to a crash on the information superhighway no matter how careful you are.

    I’m guessing Marlene. She is definitely the one I would have most liked to see although Victor Borge would be a close second.

  5. A perfectly good response to the security question: “What was the first concert you attended?” is, of course: “Volkswagen”.

    It’s a simple Challenge – Response situation, not Question – Answer, and the most left field response you can have is the best. The other criticisms apply. I don’t know how many times I have had to give out my birth date and mother’s maiden name, or similar, in a location where others could overhear.

    Security, what’s that?

  6. So it’s a big phishing scam?

    I guess I shouldn’t have also done the “list your bank accounts, one has to be a lie” quiz right after the “list your mother’s maiden name…yeah that’s it…just list your mother’s maiden name” quiz…


  7. So I suppose the “what’s your porn star name” from several years ago (which consisted of your first pet’s name and the street you grew up on) was also a phishing scam…


  8. This is why I don’t use Facebook (YOU are not Facebook’s customer, always remember that!) and the server on which my email resides is located in my basement.

    Yes, it’s an expensive solution that’s not at all practical for most people, but this is what I do for a living.


    • No.

      Long, sad story there. My wife and I bought premium tickets for one concert long in advance. Grace put them somewhere safe in the house, and we never saw them again. Then the next time Paul came to DC, we were limited to two. I decided that my son should join her, and it was, by all accounts, a great show.

      I do have a T-shirt, though.

      • Jack, sorry about your lost tickets. I’ll admit I guessed, but, I am Lucky, and I do have some intuition that works in my favor…
