Why are you still at Facebook?


why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application programming interface, and causes the last added email address to be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.
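The failure mode the two quotes above describe is a contact-sync merge that takes the most recently added address from a profile and lets it replace whatever the phone already held for that person. The following is an added Python illustration, not code from Facebook or from either article: it puts that overwrite-on-sync behaviour beside an additive merge that never discards an existing address, and adds a check that reports what a sync would lose. The `Contact` type, the sample address book, the sample profile data and all function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Contact:
    name: str
    emails: List[str] = field(default_factory=list)  # emails[0] is the primary


# Constructed sample: a phone address book before any sync (no real people).
PHONE_BOOK: Dict[str, Contact] = {
    "Rachel": Contact("Rachel", ["rachel@example-employer.test"]),
    "Sam": Contact("Sam", ["sam@example.test", "sam.alt@example.test"]),
    "Pat": Contact("Pat", ["pat@example.test"]),  # no social profile at all
}

# Constructed sample: what a social network's API reports per user, with the
# most recently added address listed last (the "@social.example" one).
NETWORK_PROFILES: Dict[str, List[str]] = {
    "Rachel": ["rachel@example-employer.test", "rachel@social.example"],
    "Sam": ["sam@social.example"],
}


def sync_overwrite_last_added(phone_book, profiles):
    """The failure mode: the last-added profile address becomes the contact's
    only email, silently discarding every address the phone already had."""
    out = {}
    for name, contact in phone_book.items():
        new = Contact(contact.name, list(contact.emails))  # copy, never mutate input
        if profiles.get(name):
            new.emails = [profiles[name][-1]]
        out[name] = new
    return out


def sync_additive(phone_book, profiles):
    """Safe merge: existing addresses are kept in their original order and any
    new profile address is appended as a secondary, never as the primary."""
    out = {}
    for name, contact in phone_book.items():
        merged = list(contact.emails)
        for addr in profiles.get(name, []):
            if addr not in merged:
                merged.append(addr)
        out[name] = Contact(contact.name, merged)
    return out


def lost_addresses(before, after):
    """Pre-commit check: addresses present before the sync but missing after it.
    An empty result is the property any sync should preserve."""
    lost = {}
    for name, contact in before.items():
        missing = [a for a in contact.emails if a not in after[name].emails]
        if missing:
            lost[name] = missing
    return lost


if __name__ == "__main__":
    bad = sync_overwrite_last_added(PHONE_BOOK, NETWORK_PROFILES)
    good = sync_additive(PHONE_BOOK, NETWORK_PROFILES)
    print("overwrite sync loses:", lost_addresses(PHONE_BOOK, bad))
    print("additive sync loses: ", lost_addresses(PHONE_BOOK, good))
```

Running `lost_addresses` before writing a sync back to the device is the kind of guard that would have turned this into a refused update instead of a silent data loss; a real implementation would also require an explicit user action before any new address is promoted to primary.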

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.

As Luxemburg explains, this disaster is happening despite the fact that she, like many others, rushed to replace the @Facebook e-mail with her correct e-mail address once she’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your @facebook.com account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Another nasty Christmas Present from Facebook

Whenever somebody comes up with a new business idea involving social media it’s usually time to cover your private parts. To the extent that you can. Take this idea from Hong Kong-based microlending startup Lenddo as described in this article in The Observer.

[Lenddo] calls itself “the first credit scoring service that uses your online social network to assess credit.” The first thing Lenddo asks for is a Facebook account; then it wants access to Gmail, Twitter, Yahoo, and Windows Live. The Observer was given a respectable score of 470. But when we tried to apply for a loan, we were told “you need at least 3 connections with scores above 400 in your Lenddo trusted network.”

The company’s algorithm is proprietary and secret, said CEO Jeff Stewart, but the primary metric is what Lenddo knows about the people you’re friends with. “We think that in the age of the internet you should be able to establish your reputation and your identity through your social graph, through your on- and offline community, and use that to get access to financial products and information,” he said.

If Lenddo sees one of your best Facebook buddies took out a loan and paid it back, there’s a good chance you will too. “Our backgrounds are in machine learning and pattern recognition,” Mr. Stewart said. “It’s some serious math.

“There’s no reason there shouldn’t be thousands of engineers working to assess creditworthiness.”

I should note here that I too have a background in machine learning and pattern recognition but would hardly summarize it as “some serious math” except maybe to US GOP Presidential nominee hopefuls to whom addition is apparently an arcane art, but I digress…

Marketing hype aside, this simply checks to see if your Facebook “friends” are creditworthy and makes the unwarranted leap that you are like them with respect to creditworthiness. The problem with that idea is when you have “friends” with completely fictional profiles on social media sites. Like say me (when I was on Facebook) or Nitrozac and Snaggy. If you had friended me on Facebook, services like Lenddo might conclude (not without basis) that you were a total wackjob. Seriously though, there is a very ugly side to this social credit rating business.

In another nifty but nefarious innovation, Lenddo reserves the right to broadcast your loan status if you fall into default. As the site warns: “Failure to repay will negatively impact your Lenddo score, as well as the score of your Lenddo friends. Lenddo MAINTAINS THE RIGHT TO NOTIFY YOUR FRIENDS, FAMILY AND COMMUNITY if the borrower fails to repay, however, this is only done after several notifications to the borrower and an attempt to work out a payment plan.”

“I think Mark Zuckerberg said it best,” Mr. Stewart said. “Every industry will be in fact impacted by social.”

Banks have been curious about using social media to gauge risk for at least a year, said Matt Thomson, VP of platform at Klout, which calculates “influence” based on a user’s social media activity. Determining creditworthiness is not a core product of Klout’s, he said, but banks have approached the startup to ask about it. He wouldn’t name names. “It’s really like the who’s who of banking,” he said.

(Mr. Stewart of Lenddo also said his startup is approached “regularly” by major banks curious about the algorithm.)

So let me get this straight, the same weasels who trashed the global economy with financial instruments that institutionalized fraudulent mortgages – unsecured except by other equally dodgy financial instruments like credit default swaps – are now using the fact that everyone knows – or is – someone who was victimized in this debacle to further victimize people?

This time I’m not even going through the pretense of some imaginary conversation about privacy being dead, I’ll just throw out this quote and leave it at that.

Media theorist Douglas Rushkoff dismissed the idea that social media credit scoring is a serious erosion of privacy, mostly because there’s nothing left to hide. “We’re already in the nightmare scenario,” he wrote in an email. “They already know everything about you—more than most of us realize. If anything, the addition of social networking information to this data mining will help us come to some understanding of how much more these companies know about us than we know about ourselves.”

And there you have it folks from the lips (or keyboard) of a bona fide Media theorist – social media credit scoring doesn’t invade your privacy because you have no privacy to invade. So if you are still on Facebook you might as well just bend over. Again. Or quit being a tool. I’m just saying.

Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another blog entry so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy invading stunt that Messrs. Zuckerberg et al have pulled was definitely part of the motivation. Also the recent departure of several of my security blogger “friends”, including Richard Stiennon, was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs so Facebook was like a cheesy notification service of new blog entries which is not only redundant as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course, not the least of which is that I work for a company that builds actual products for actual customers and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products] which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that Facebook’s – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg - Take the money and run dude! It will get ugly when the investors sober up.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that.” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private.” Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

Can you be social and private simultaneously?

You keep on stalking me
Invading my privacy
Won’t you just let me be?
From Privacy by Michael Jackson

So now that everyone and their mother is on Facebook it’s just swell how social we are. Keeping track of family and friends has never been easier. And how about those cute games? And that nice Mr. Zuckerberg is there to watch out for your privacy. He said so here and here. Or not. Okay – that last little foray into social networking fantasy land was cute, but unfortunately the facts are somewhat more pedestrian and commercial [note to self: avoid writing blog entries while drinking brandy and listening to Porcupine Tree - coherency suffers]. So let’s start this over. Here’s the fundamental reality of social networking: You are not Facebook’s customer. You are the product they offer to their real customers – advertisers. [to paraphrase a tweet by @gollmann]. So what exactly are we supposed to do to protect our privacy? Because hey, social networking really IS cool. I mean you don’t want to throw the baby out with the bath water. It turns out there are some things you can do to help preserve what little privacy you have left online. This entry in LifeHacker has some great ideas. Here is an abbreviated version of their list.

10. Run a Background Check on Yourself to Know What’s Out There
It takes only a few seconds to know what Google knows about you, but there are many, many other avenues into your past and present on the web. Want to know more about what a potential employer can know? Consumer action blog Consumerist has a nicely comprehensive list of background check tools to try out.

This one is a must. Not only is it informative it will scare the bejeezus out of you the first time you go to some of these sites. Who knows it might scare you enough to actually take some action. In this case fear is your friend.

9. Skip Incognito/Private Browsing and Really Leave No Trace
Private browsing modes might prevent your coworkers or roommates from seeing where you wander on the web, but you still leave plenty of traces for someone who knows where to look. Take the How-To Geek’s advice and really browse without leaving a trace.

That’s right, the vaunted “porn mode” of Google Chrome – and now pretty much every other browser out there – might fool your spouse but it certainly won’t fool your teenager. Or those pesky e-Discovery folks. Sandbox it, portable-ize it and lose it forever. I’m not saying, I’m just saying…

8. Pick Better Security Questions
Some security questions and password recovery schemes offered by webapps are so bad, anyone with your casual acquaintance and a small amount of Google savvy could poke into your email whenever they felt like it. To get around weak security questions, use blogger danah boyd’s security question algorithm.

I prefer an easier solution here. I’ve mentioned many times before that I use a password manager program. I just keep track of the “security questions” and answers I provide – which are completely irrelevant nonsense. Example – Q: “Mother’s maiden name” A: “Chevrolet Belair”.
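The approach just described, random nonsense as the answer and the password manager as the only place it is written down, as an added Python illustration (not code from the post or from any password manager). The word list is a short constructed one to keep the example self-contained; the vault is a plain dict standing in for a password manager’s notes field; `random_answer`, `answer_entropy_bits`, `record_answer`, `lookup_answer` and `answer_is_guessable` are all names assumed here.

```python
import math
import secrets

# Constructed word list. A real deployment would draw from a large published
# diceware-style list; 16 words is only enough to make the arithmetic visible.
WORDS = ["chevrolet", "belair", "granite", "otter", "velvet", "comet",
         "harbor", "saffron", "piston", "lantern", "cobalt", "walnut",
         "meadow", "quartz", "tundra", "ember"]


def random_answer(n_words=3, words=WORDS):
    """An answer that has nothing to do with the question: n words drawn
    independently with the OS CSPRNG (secrets), never with random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def answer_entropy_bits(n_words, words=WORDS):
    """Guessing entropy of an n-word answer if the attacker knows the list.
    Each word contributes log2(len(words)) bits."""
    return n_words * math.log2(len(words))


def answer_is_guessable(answer, known_facts):
    """Flag an answer a casual acquaintance could recover from public facts
    (real maiden name, pet, hometown ...). Case-insensitive substring check."""
    lowered = answer.lower()
    return any(fact.lower() in lowered for fact in known_facts)


def record_answer(vault, site, question, answer):
    """Store the question/answer pair under the site, the way a password
    manager's notes field would hold it. Refuses answers that leak a fact
    passed in as known about the user."""
    vault.setdefault(site, {})[question] = answer
    return vault


def lookup_answer(vault, site, question):
    """What you read back when the site asks the 'security question'."""
    return vault[site][question]


if __name__ == "__main__":
    vault = {}
    # The post's own example: a maiden name that is actually a car.
    record_answer(vault, "bank.example", "Mother's maiden name", "Chevrolet Belair")
    # A generated one for a second site, with its entropy estimate.
    generated = random_answer(4)
    record_answer(vault, "mail.example", "First pet's name", generated)
    print(f"{generated!r} ~ {answer_entropy_bits(4):.0f} bits from this list")
    print("guessable?", answer_is_guessable("Smith", ["Smith"]))
```

The entropy figure is the point worth taking away: with a 7776-word diceware list, four words give about 51 bits, far beyond anything a real maiden name or pet name offers, and the answer only has to live in the manager, never in your head.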

7. Set Up BitTorrent for Private Downloading
BitTorrent is a public commons of file sharing, and that means that all kinds of folks interested in, say, what your home IP address is, and what you’re downloading, can dig into it. With both a proxy and settings in your favorite torrent app, you can protect your privacy when downloading.

Yeah – I know you use it. Just be aware that you are most exposed when seeding. Sure, if you don’t seed you’re just a freeloading leech. You can live with that.

6. Know Your Google Settings
If you’re anything like us, or most of our readers, you’ve got a lot of your life floating around in Google’s cloud-based apps. It pays, then, to know how to set what Google shares publicly about you, how much of your search history is being saved, and how to back up your data so you’ve always got your own copy. These are among the 10 Google settings you should know about that center on privacy and data retention, though it’s always a good idea to know the parameters of the spaces you share your data in.

Google is almost as bad as Facebook about “knowing what’s best for you”. Just ask yourself how Google makes so much money when you don’t pay them anything for those nifty free services. Then go change your settings. Now.

5. Know How to Travel Without Being Spied On
Just because some countries have widespread net access doesn’t mean it’s an open and private web. It’s often meant to deter dissidents in strong-handed regimes, but why take the chance of letting your web data fall into the wrong hands? One Lifehacker reader, wishing to remain anonymous and in a non-specific region, crafted a survival guide for traveling where privacy isn’t respected.

Lately the good old USA has been the most fascist place with respect to travelers’ privacy that I’ve been to. Full disk encryption – don’t leave home without it. Period. Most businesses, my employer included, mandate this nowadays.

4. Know Where You Stand With Facebook at a Glance
Facebook has promised “simplistic” privacy settings coming soon, but in the meantime, knowing exactly what you’ve offered to share or keep private is far from transparent. One very crafty hacker at ReclaimPrivacy has put together a settings-scanning bookmarklet that shows what you’re sharing beyond your social circle, and offers links and automatic fixes for those settings. Another coder, Ka-Ping Yee, offers a site that shows what the public web can see on Facebook, some of which you can then remove.

If you let things default then you are standing right where they want you. That’s probably not where you want to be.

3. Run Your Browser Through a Proxy
It’s not something you’ll want to do all the time, but once in a while, you might want to hide your online tracks. To do so, you can use the go-to web randomization tool, TOR, which has tools available for nearly every OS and browser.

I use TOR regularly when I need to check out unsavory or questionable corners of the web. For research purposes. Just remember that TOR is a double-edged sword – you are anonymized but you will also draw some very unhealthy attention from folks who realize that TOR users are doing something interesting. And anonymized is not the same as encrypted: anything you send without TLS can be read, and altered, by whoever runs the exit node your traffic leaves through.

2. Better Protect Your Mint.com or Other Financial Accounts
The thing that makes Mint.com such a convenient one-stop shop for financial data and budgeting also makes it a gold mine for anyone looking to learn more about you, or know which accounts they could try to jump into. Security professional Jason Owens provides some smart tips on better protecting your Mint.com account that can apply to any site where you manage your financials.

I’m not a big fan of online financial services. Call me old fashioned, but I just don’t trust those guys. Of course I don’t trust my bank either. And I hate my credit card companies. I find it’s safer to treat them like the enemy. More fun too. As a result my wife handles our finances.

1. Stay Available on Facebook Without Really Being In It
You might have considered quitting Facebook, but stopped short because it’s how a few far-flung friends and relatives stay in touch, or a place those without your email address can ping you. We can understand, and, luckily, have a halfway solution to recommend. Quit Facebook without really quitting.

This one is near and dear to my heart. Not only is Facebook a spectacular time sink, I really don’t like them pimping my info to their customers. So I decided to get creative. If you go to my Facebook profile you will see that I work for “The Universe at Large” as a “Transdimensional Protocol Facilitator” and that I’m a lot older than I seem, being born on 29-Feb-1904 [not bad for 106!] but then again time is a slippery thing when you’re in my line of work. Consider that I got my doctorate from the Ramses II Institute of Science when I was only 9 years old and went to high school at San Dimas High some 71 years later.

So here’s a shout out to all my classmates from Egypt in 1913 – it’s time to become who you really are on the internet. Then privacy isn’t such a big deal.

Web 2.0 Miranda

don’t say a word or we’ll surely expose
that it’s you who are wicked and vile
anything you say will be used against you
and now it is you here on trial
from Don’t Say a Word by Cici Porter

For a long time now I’ve tried to get folks to realize that there is nothing private or protected about social networking. To wit, these posts here and here. In case you think I’m overreacting you should check out this post by Sharon Nelson in the {ride the lightning} blog.

Recently, Facebook spokesman Andrew Noyes said that the company has created a team led by a former FBI employee to manage requests for information in criminal cases. According to Noyes, a big part of the job is explaining the applicable laws and the limitations on access to Facebook user information. He said that Facebook strives to respect the balance between law enforcement’s need for information and the privacy rights of citizens.

To be fair to Sharon’s point in the post, judges are increasingly ruling on the side of individual privacy in cases with requests to make social network content discoverable or admissible. But the fact that the number of such cases has increased to the point that FaceBook needs a team to “manage requests for information in criminal cases” is my concern. It almost seems like this has progressed to the point that every social networking site should display your Miranda rights prominently. In actual fact FaceBook does display, albeit not terribly prominently, something like that in their Privacy Policy.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Twitter has a similar statement in their privacy policy.

We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

So what’s the big deal? These Web 2.0 sites have to comply with the law just like everybody else. Exactly. So think about that the next time you want to post a photo of that truly epic party. You know, the one with the funny pictures of you and your peeps totally hammered and passing the bong. Or maybe that post where you really let everyone know how you feel about your sleazy ex. Just remember that you have been “Mirandized”. Sort of. And only to the extent you have any rights you didn’t waive by using the social network.

Exposing yourself Web 2.0 style

Everybody knows that social networking sites are notorious for their ill-advised exhibitionism. Folks who are reasonably demure and respectable in person get their freak on when it comes to FaceBook or MySpace. Yep, insert an internet connection between them and the world and the gloves come off. Or rather only the gloves stay on. I’ve written about this phenomenon before and warned of the need to take your online shadow seriously. But increasingly the exposure these social network exhibitionists face is more than simply embarrassment and ridicule on a worldwide scale. Prosecutors have discovered a veritable treasure trove of unprotected self-incriminating evidence on social networking sites. This entry in the Electronic Discovery Law blog describes just such a case.

Defendant was found guilty of murdering a two year old girl left in his care and was sentenced to life in prison without parole.  On appeal, [he] argued that the trial court improperly admitted evidence from his MySpace account in violation of Ind. R. Evid. 404(b).  Taking up the “novel question” of the propriety of admitting such evidence, the Supreme Court of Indiana ruled that the trial court did not err in admitting the evidence, particularly where [his] own testimony made his character a “central issue” of his defense.  The verdict and sentence were therefore affirmed.

Yikes! Hoist by his own petard as it were. While most Web 2.0 exhibitionists are no doubt posers and certainly not murderers or child abusers, it’s going to be a little embarrassing – not to say legally damaging – if they ever find themselves a defendant in a criminal or civil proceeding where their chief defense is good character and their FaceBook page proclaims “Gangsta 4Evah!”.

But there are further exposures as well as illustrated in this entry by Christopher Boyd on the SpywareGuide blog.

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer “Hacked Facebook and Photobucket accounts” for a price.

Yes, the site is actually called “Hackedsluts.com” and claims to offer up an endless series of images from “hacked” accounts including Myspace, Photobucket and Facebook in return for a monthly fee.

Just when you think they can’t possibly get any creepier or salacious, [they] throw in dubious claims of hacked accounts / stolen images AND [they] lob in a blood splattered “Too extreme” banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Disturbing indeed. While I agree with Christopher when he concludes that the bulk of the content on “Hackedsluts.com” is made up of stock pornographic content and almost certainly not the result of hacking social networking sites, the fact that there is an actual market for such content is a very distasteful realization. We all know what happens when you mix unsavory and illicit demand with criminal entrepreneurs. Clearly there are people out there who would pay to see you acting the tart. Only you don’t get paid (like a proper tart). That’s being a pro-bono hooker, which is just stupid. And what happens when your future boss turns out to be a Hackedsluts.com aficionado? Good luck with those sexual harassment claims. Or how about when your future ex-spouse sues for custody of your kids?

So the next time you feel like exposing yourself to the world, kick it old school and just get naked, throw on a trench coat and flash the neighbors. The indecent exposure misdemeanor will be way less exposure than an ill-considered photo on MySpace.

Security ideas for your mom revisited

Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid at our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference? In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

  1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has the finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are: do not keep any of the defaults (i.e. SSID and passwords); if you actually use wireless, turn on WPA2 with a long passphrase, because encryption is the control that actually keeps strangers off your network (locking the router down to the specific hardware (MAC) addresses of the devices you want to allow and turning off SSID broadcast are worthwhile speed bumps, but anyone with a wireless sniffer can copy an allowed MAC address and find a hidden SSID in minutes); and turn off UPnP, since it lets any program on your network, malware included, open holes in the firewall without asking you. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to the Gibson Research web site and run ShieldsUP!. You should be completely stealth: every port it probes should simply not answer, rather than answer “closed”, because a closed port still tells the world there is a machine there. A ghost on the internet. 
In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall eliminates most of the need for anti-virus software (more heresy I know). But I like the idea of cutting off the malware at the pass as it were.
  2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft Bitlocker, which is available with Vista Ultimate. For most average users it’s probably not worth the $300 upgrade to Vista Ultimate, but business users who are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to Bitlocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. One caveat: the encryption only protects a machine that is actually powered off. A laptop that is merely asleep still has the key sitting in memory and the disk unlocked, so shut it down, don’t just close the lid, before it goes into a bag or through a checkpoint. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups) which is far less valuable than your data and personal information.
  3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months, and change any password immediately when the site it belongs to announces a breach. Since with a good password manager this is easy to do, feel free to do it more often.
  4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like facebook or MySpace you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality are crucial then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure email environment. For everyday use it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
  5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand, tend to favor Mozilla (Firefox) or Webkit (Safari and Chrome) browsers. Keep the banking browser free of toolbars and add-ons too, since anything with a foothold in that browser gets to watch your banking sessions. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
  6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply turns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Bear in mind that a sandbox is a lighter-weight fence than a virtual machine: it shares the real operating system with everything else, so for something you already suspect is nasty, use the VM. Trust me, this will save your bacon.
  7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t play games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hottie you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.
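Item 1 says you should come out of ShieldsUP! “completely stealth”, and the difference between a port that answers “closed” and one that says nothing at all is the whole point. The following is an added example, written for this article and not code from Gibson Research, that makes the same distinction from the probing side: it tries a TCP connect to each port and reports open (handshake completed), closed (the host answered with a reset), stealth (nothing came back) or unreachable. The verdict labels, the sample port list and the throwaway listener helper are choices made for this example. Run it against your own public address from outside your network, or against 127.0.0.1 just to see it work.

```python
import errno
import socket
import sys

# Verdict labels modelled on the way ShieldsUP! reports a port. These are
# labels chosen for this example, not Gibson Research's exact wording.
OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"

# Assumed sample of ports worth checking on a home connection.
COMMON_PORTS = (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)


def probe(host, port, timeout=2.0):
    """Classify one TCP port on host.

    open        -> the three-way handshake completed (something is listening)
    closed      -> the host answered with a RST (it exists and admits the port is shut)
    stealth     -> nothing came back before the timeout (our SYN was silently dropped)
    unreachable -> the local stack could not route to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        return STEALTH
    except ConnectionRefusedError:
        return CLOSED
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        s.close()


def scan(host, ports=COMMON_PORTS, timeout=2.0):
    """Probe each port in turn and return {port: verdict}."""
    return {port: probe(host, port, timeout) for port in ports}


def is_fully_stealth(results):
    """True only when every probed port dropped the SYN: a ghost on the internet."""
    return bool(results) and all(v == STEALTH for v in results.values())


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on an ephemeral port, to demonstrate 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target)
    for port, verdict in sorted(results.items()):
        print(f"{port:5d}  {verdict}")
    print("fully stealth" if is_fully_stealth(results) else "NOT fully stealth")
```

A consumer router that drops unsolicited inbound packets produces nothing but “stealth” here; one that politely resets them produces “closed”, which is exactly the answer you don’t want to give a stranger. Scanning your own loopback address will naturally show “closed” rather than “stealth”, since the local stack always answers itself.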

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note - blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.
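Two of the ideas above, the password manager with expirations (item 3) and the nonsense security-question answers kept alongside the passwords (the “Chevrolet Belair” trick from the Lifehacker section), are really the same piece of bookkeeping. The following is an added example, written for this article and not taken from any password manager product, of that bookkeeping: it draws passwords and nonsense answers from the operating system’s random source, records when each password was last changed, and lists which ones are overdue under the 6-month/3-month schedule given above. The category names, the word list and the `Vault` class are all assumptions made for the example; a real password manager additionally encrypts this data under the one master password, which this model does not do.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Rotation schedule from item 3: e-mail every 6 months, financial every 3 months.
# The category names and the 365-day 'other' default are assumptions for this example.
ROTATION_DAYS = {"email": 180, "financial": 90, "other": 365}

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed word list for "Chevrolet Belair" style security-question answers.
NONSENSE_WORDS = (
    "chevrolet", "belair", "teakettle", "monsoon", "quartz", "saxophone",
    "pelican", "thimble", "orbit", "cactus", "lantern", "velvet",
)


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Draw every character from the OS CSPRNG (secrets), never from random.random()."""
    if length < 12:
        raise ValueError("anything shorter than 12 characters is not 'insanely strong'")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def nonsense_answer(words=2, wordlist=NONSENSE_WORDS):
    """A security-question 'answer' that has nothing to do with the question asked."""
    return " ".join(secrets.choice(wordlist) for _ in range(words)).title()


class Vault:
    """In-memory model of a password manager's bookkeeping (no encryption at rest here)."""

    def __init__(self):
        self.entries = {}

    def add(self, site, category, changed, password=None, questions=()):
        """Store a password (generated unless supplied) plus generated question answers."""
        if category not in ROTATION_DAYS:
            raise ValueError(f"unknown category {category!r}")
        self.entries[site] = {
            "category": category,
            "password": password or generate_password(),
            "changed": changed,
            # The answers are random, so they live right next to the password.
            "questions": {q: nonsense_answer() for q in questions},
        }
        return self.entries[site]

    def rotate(self, site, today):
        """Replace a password and reset its clock; returns the new password."""
        entry = self.entries[site]
        entry["password"] = generate_password()
        entry["changed"] = today
        return entry["password"]

    def due_for_rotation(self, today):
        """Sites whose password is older than its category allows, oldest first."""
        due = []
        for site, entry in self.entries.items():
            age = (today - entry["changed"]).days
            if age >= ROTATION_DAYS[entry["category"]]:
                due.append((site, age))
        return [site for site, _ in sorted(due, key=lambda pair: -pair[1])]
```

The 20-character passwords come out at roughly 131 bits of entropy against the 94-character alphabet, which is why nobody should be trying to remember them; the one password you do memorize is the master password guarding the store.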