You can always tell how important a secret is to you by how many people you tell and the way you keep the secret. That is to say, when hiding whether or not you were dating So-and-So, you might coyly smirk – a simple tell that lets anyone determine you’re lying, and that’s exactly your intention: to gain more attention. But when you killed someone in a hit-and-run, for example, there’s no coy smirk on your face when you adamantly deny it. The difference between these two types of lies is important to recognize when protecting yourself.
If you have an interesting project that needs to be kept secret, it may be hard to maintain the discipline of keeping it a secret. Often, the vanity of your project will tempt you to share the details with someone else even though you know it is safer to keep them a secret. In hindsight, you’ll come to realize that you’ve created a liability, but for those few moments of discussion, you will irrationally determine it was worth it.
In hacker OPSEC, the first rule is, of course, that we don’t talk about OPSEC. And that, just like in Fight Club, is the first rule that is broken. We have friends that we’d like to share information with, or we disclose a small portion of a secret that leads to questions about that secret. If this doesn’t make sense, let me present a conversation:
A: I wonder what $Company does for their physical security system.
B: Well… they actually do X, Y, and Z.
A: How do you know that?
Now you may coyly reply with “I’m sorry I can’t tell you” with an all-knowing smirk, or if that truly was information you’re protecting, you lie. And this is my point: people feel more comfortable being blatantly lied to than being told that they can’t find out the truth.
I bring this up because it should be remembered from two points of view. The first is your own perspective: you should never break the first rule of OPSEC and, hopefully, never lead someone into asking you these types of questions. The second is to bring attention to those who talk this way and how they are leaking intel.
In most cases, the people who say they are hiding something usually are not. The coy smiles are a way of appearing interesting without the threat of actually being required to be interesting. In these cases, you can easily determine whether the person could become a resource or should be discarded.
In summary, make sure you lie to people. Ideally it should be a well-thought-through lie, but if you don’t have that, say something… anything. A stupid lie is much better than saying nothing or saying that you can’t tell them, because that makes the other party more interested. This type of attention is not something you usually want.