Why are you still at Facebook?

why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application-programming interface, which caused the last added email address to be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.

As Luxemburg explains, this disaster is happening despite the fact that, like many others, she rushed to replace the @Facebook e-mail with her correct e-mail address once she’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your @facebook.com account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Experian Identity Theft Protection = FAIL

Several weeks ago my years of free credit monitoring (courtesy of a number of high profile data breaches wherein my personal information may have been exposed) finally expired. So I decided it was time to shop for Identity Theft Protection services. My search led me to ProtectMyId.com, a part of Experian, which seemed to have a pretty decent service at a reasonable price. Unfortunately therein lies the following cautionary tale.

So I fill out the easy 3-step web application and voila! I’m protected by Experian. All I have to do is wait for the confirmation email and sign in to the web page and I’m golden. But then it starts to get ugly…

Instead of a confirmation email, I get a notice that “my social security number doesn’t match”. So I’m thinking “no big deal, I must have fat-fingered something,” but there’s a phone number that I can call to finish the process. So I call that number and after explaining the situation to the nice lady, she decides that we should just ignore that earlier application and let it die on the vine and do a whole new telephone application. So far so good. Or so I imagine. Then at the end of this lengthy application interview, to verify my identity (i.e. authenticate me) she reads these questions that her system generates from scanning my credit information and enters the answers I give her. Once again my application is denied because of a wrong answer. The nice lady, of course, has no way of knowing which question was answered wrong or what the correct answer was, so she tells me to call back in 2 hours and try again.

By this time I’m fed up with Experian’s authentication processes and decide that it just isn’t worth the effort. So I call Experian back to cancel the application(s). Another very nice lady handles the call and is able to cancel the phone-based application and gives me a cancellation number, but can find no way to cancel the web-based application. She tells me that it may take “5 to 7 business days” for the cancellation to take effect. Now at this point I’m hearing some bells go off in my head – 5 to 7 business days for the cancellation to take effect? I never successfully completed any applications, and therefore never received any service, so what exactly is there to “take effect” with the cancellation? So I check my bank and sure enough, there are not 1 but 2 pending charges to my account from Experian for 2 annual fees for ProtectMyId.com. A fair chunk of change.

So now I’m thinking, that’s a little concerning, but it’s not too uncommon for pending charges to never actually go through. But the next day both charges actually go through. So once again I call Experian [this is the third time if you are keeping count] and get to talk to another very nice and patient (given my snarkiness) lady who can’t figure out how to cancel anything but assures me that the cancellation will take effect in 5 to 7 business days. She apologizes profusely and pins her lack of ability to make fixes on the “IT department”. Now having been involved with “IT” for my entire career I get that one of the primary missions of any IT department is “scapegoat”. But seriously, 5 to 7 business days? While Experian’s IT department may very well have issues, this is not one of them. This is a business policy issue.

So finally 5 business days later I get a refund from Experian. And a nice glossy letter welcoming me to the ProtectMyId.com program. Not being one to just live and learn without making a fuss, there are several things about this experience with Experian that really bother me. So I would invite any representative of Experian to explain some things and answer the following questions.

  1. When I buy anything from Amazon or NewEgg they never bill me until the product actually ships. Even when this makes them split an order because some items are not available when others are. Why does your billing system charge before services are delivered and before the order is even approved?
  2. You might claim Caveat emptor (Buyer beware) since I was the one who authorized the charges. Only I wasn’t. Since I was rejected due to failure to authenticate, then how exactly could I authorize anything? [That’s rhetorical – you don’t need to answer that]. So my question is: How do you justify taking money from a source that you have good reason to believe is fraudulent?
  3. Since it takes 5 to 7 days to perform an IT process as trivial as a refund, how exactly is anyone supposed to trust Experian to flag identity theft in a timely fashion? I mean, isn’t timely detection what the service is based on? This is the 21st century – 5 to 7 days to detect identity theft does not even pass the laugh test.

So how about it Experian? Send me a reply. I’m dying to see how you can spin this because the obvious answers are pretty ugly.

What we have here is a failure to authenticate

Friends are coming, friends are going
Ain’t got no password, just friend or foe
Maybe there is a fight
When nothing else to do
From Friday Evening by Unit Lost

So there I was, enjoying my summer vacation, blissfully ignoring Security for All blogging duties and generally just having a swell time doing pretty much nothing, when a government agency pulls an anti-infosec stunt so egregiously asinine that I was compelled, nay – forced – to emerge from my self-proclaimed sabbatical to blog about it. But I’m getting ahead of myself, here. This post from the DenverChannel.com describes the incident thusly.

Colorado has one of the easiest and quickest online business databases. Business owners can update their name and address on the Secretary of State’s website, but so can anyone else. Twenty-five businesses in Colorado have had their company information changed through the Secretary of State’s website, leading to $750,000 in fraud in the last four months.

“Altering that information allowed the perpetrators to actually apply for and receive lines of credit in the name of that particular business,” said Colorado Bureau of Investigation director Ron Sloan.

“Now hold on just a darn minute!” I hear you saying. “Are you trying to tell me that the database where businesses register with the State of Colorado is not authenticated?” Yep, that’s exactly what I’m telling you. I know this first hand, because my wife (AKA “the brains of this operation”) is setting up a new business and needed to register her trade name and other particulars with the state. She drew my attention to this after she (smart lady) found it suspicious that the site had captured her credit card number but never asked for or allowed her to set up a login and password. She also drew my attention to this article in a bit of a (justified) panic. So my reaction was initially just like yours – i.e. you can NOT be serious! Nobody could be that irresponsible. Actually it gets worse.

The state isn’t putting any security measures in place to prevent access to company information.

“I’m not convinced that setting up passwords and pins has served as a deterrent that it’s thought to be,” said Secretary of State Bernie Buescher, D-Colorado. “Getting that implemented for 800,000 businesses, when this is a crisis right now, is not practical.”

Buescher estimated that pins and passwords would require about six new employees and would cost the state millions of dollars in salaries, overhead and computer equipment.

Instead of security measures, the state recommends that business owners register their e-mail address, so they can be notified if their information gets changed.

“Signing up for e-mail notifications, we believe is an effective — cost-effective and easy way for people to take steps to prevent their corporate identities from being stolen,” said Buescher.

You have GOT to be kidding, right? “Not convinced that setting up passwords and pins has served as a deterrent that it’s thought to be” – well duh, Bernie, neither am I, but that doesn’t mean they aren’t a deterrent at all or that you shouldn’t implement them! You know, for that due diligence thing. And what’s with that [I paraphrase here] “this is going to cost too much so we’re going to let Colorado businesses twist in the wind” deal? I mean seriously, nobody outside of public service would ever consider letting such a blatantly moronic statement pass their lips in public. Bernie, dude, watch BP and learn. And finally, “Signing up for e-mail notifications, we believe is an effective — cost-effective and easy way for people to take steps to prevent their corporate identities from being stolen.” Are you freaking serious? Why not sign up your own business with this system, Bernie, and I’ll be glad to show you why this “mitigation” doesn’t pass the laugh test. [Let’s see, if I can change information for your business without even going through the motions of cracking authentication, then what prevents me from changing the email notification destination?]
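To make the point about the notification “mitigation” concrete, here is an added toy model of a business registry (example code written for this post, not the Secretary of State’s system or anyone else’s). It compares a registry where any party can edit any record and notices go to whatever contact address is on file after the edit, against one that requires the owner’s PIN and also notifies the previous contact address whenever that address changes. Every business name, address, e-mail and PIN in it is constructed for the demonstration.

```python
"""Added example, not code from the article or from any state registry: a toy
business-registry model showing why "e-mail me when my record changes" is no
substitute for authenticating the change. All names, addresses and PINs below
are constructed."""
import hashlib
import hmac
import secrets


def _kdf(pin: str, salt: bytes) -> bytes:
    # Slow hash so a stored verifier cannot be trivially reversed to the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Registry:
    """require_auth=False models the registry as the article describes it:
    anyone may edit any record, and the change notice goes to the contact
    address on file *after* the edit.  require_auth=True requires the owner's
    PIN and also sends the notice to the *previous* address when it changes."""

    def __init__(self, require_auth: bool):
        self.require_auth = require_auth
        self.records = {}   # biz_id -> dict(name, address, notify_email[, salt, verifier])
        self.outbox = []    # (recipient, message) pairs standing in for sent e-mail

    def register(self, biz_id, name, address, notify_email, pin=None):
        rec = {"name": name, "address": address, "notify_email": notify_email}
        if self.require_auth:
            rec["salt"] = secrets.token_bytes(16)
            rec["verifier"] = _kdf(pin, rec["salt"])
        self.records[biz_id] = rec

    def update(self, biz_id, changes: dict, pin=None):
        rec = self.records[biz_id]
        if self.require_auth:
            supplied = _kdf(pin or "", rec["salt"])
            if not hmac.compare_digest(supplied, rec["verifier"]):
                raise PermissionError("owner PIN required")
        old_email = rec["notify_email"]
        rec.update(changes)
        note = f"{biz_id}: fields changed: {', '.join(sorted(changes))}"
        self.outbox.append((rec["notify_email"], note))
        if self.require_auth and rec["notify_email"] != old_email:
            # The address that was on file before the edit still hears about it.
            self.outbox.append((old_email, note))

    def notices_for(self, email: str) -> list:
        return [msg for to, msg in self.outbox if to == email]


def walkthrough(require_auth: bool) -> dict:
    """Register one business, then have a party who does not hold the PIN try to
    redirect the notices and edit the mailing address.  Returns whether those
    edits were accepted and whether the registered owner received any notice."""
    reg = Registry(require_auth)
    owner = "owner@example.com"                                   # constructed
    reg.register("CO-0001", "Acme Widgets LLC", "1 Main St", owner, pin="4821")
    try:
        reg.update("CO-0001", {"notify_email": "other@example.net"})  # no PIN supplied
        reg.update("CO-0001", {"address": "PO Box 999"})
        accepted = True
    except PermissionError:
        accepted = False
    return {"accepted": accepted, "owner_notified": bool(reg.notices_for(owner))}


def owner_changes_contact() -> bool:
    """Legitimate owner, with PIN, moves to a new contact address: both the old
    and the new address should receive the notice."""
    reg = Registry(require_auth=True)
    reg.register("CO-0002", "Bolt Supply Inc", "2 Elm St", "old@example.com", pin="7730")
    reg.update("CO-0002", {"notify_email": "new@example.com"}, pin="7730")
    return bool(reg.notices_for("old@example.com")) and bool(reg.notices_for("new@example.com"))


if __name__ == "__main__":
    print("unauthenticated registry:", walkthrough(False))   # accepted, owner never told
    print("PIN-protected registry:  ", walkthrough(True))    # refused outright
    print("owner moves contact address, old address notified:", owner_changes_contact())
```

In the unauthenticated model the first edit silently redirects every later notice, so the “you will be e-mailed if your record changes” control never fires for the real owner. The hardened variant needs both halves: the PIN check stops the edit, and notifying the previous address on a contact change keeps the notification useful even if a credential is ever compromised.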

My eldest son, now a lawyer working for a DHS agency, once remarked that if you think the Federal Government pulls some stupid stunts, just watch State and local government for the really breathtaking stupidity. I now see what he was talking about. This story just keeps diving to new and lower levels.

“I’m content that in this point in time this is the most effective and efficient way to deal with the problem that we’ve got on our hands,” said Suthers [Attorney General John Suthers, R-Colorado]. “If (identity thieves) change the records and the company is immediately notified of that change, they can act before there’s any stealing of money. The important part of the crime has not yet been committed.”

Yeah. Sure. This is the same AG that is wasting our taxpayer money on (er… pursuing – with extreme prejudice) that “Anti-Obamacare” lawsuit. Here’s a tip John-Boy – notice that Bernie is a Democrat. Someone with your keen political intellect should be able to make big political hay with this fiasco. I mean, letting a Dem slide like that? What kind of tea partier are you?

Oh, and Bernie, with regards to that “six new employees and would cost the state millions of dollars in salaries, overhead and computer equipment” cost estimate, I can see where you might think that, being involved in State government and all. But seeing as how I gave AG Suthers a tip to throw you under the bus, I owe you a tip as well: At least a few of those “800,000 businesses” you so blithely exposed to the bad guys, must have a couple of marginally IT-savvy interns they can loan you for a week or two. Of course if the entire State HR apparatus is as efficient as your department, you may have to wait a long time.

Seriously though – JUST FIX IT!

Simple things are the hardest

My eldest son decided that he’d consolidate all of his banking with a single institution. Probably got some swell interest rates or maybe even a toaster for doing it. Whatever the incentive, he did it. As you might expect this involved moving money from one place to another, albeit electronically. So far so good, everything seemed to occur swimmingly. Several months go by and he gets this invoice from one of his previous banks saying that he has failed to maintain the minimum balance in his account, so they have charged him penalties, which has resulted in his account being overdrawn. After quite a while on the phone speaking to the helpful and courteous (that’s sarcasm) help desk staff, he finally manages to convince them that he had closed that account several months ago. According to the bank representative here’s what happened: immediately after he had withdrawn the complete balance of his account, the monthly interest was accrued, therefore his account had $0.01 (a penny) in it so it could not be closed.

Aside from the completely boneheaded software error (or was it an error? Imagine if his balance had had 6 or 7 zeros following) he was glad that that was cleared up. Not so fast there lawyer boy, now they had to figure out what to do with that offending penny. My son suggested several seemingly common sense solutions like “keep it as a tip”, or “donate it to charity” or “just forget about it”. Unfortunately none of those ideas were compliant with bank policy or even possible given the bank’s accounting systems. Finally they figured it out. They sent him a certified check for $0.01 via overnight courier. He did in fact receive the check and dutifully signed for it. Rather than spend his windfall, this check now decorates the wall above his desk.
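The sequence the bank described, as an added toy model (written for this post, not the bank’s code): a withdrawal of the visible balance, followed by a month-end job that posts interest accrued before the withdrawal, leaves a penny in an account that can then never be closed. Beside it is a close routine that posts pending interest first and pays out whatever is left in one step. Balances and the interest rate are constructed.

```python
"""Added example, not the bank's code: a toy account model reproducing the
"penny left behind" failure described above, beside an account-close routine
that settles accrued interest before paying out.  Amounts are constructed."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


class Account:
    def __init__(self, balance, monthly_rate):
        self.balance = Decimal(balance)
        self.monthly_rate = Decimal(monthly_rate)
        self.accrued = Decimal("0")   # interest earned this period, not yet posted
        self.closed = False

    def accrue(self):
        """Periodic job: interest earned on the running balance."""
        self.accrued += self.balance * self.monthly_rate

    def post_interest(self):
        """Month-end job: move accrued interest into the balance, rounded to cents."""
        self.balance += self.accrued.quantize(CENT, rounding=ROUND_HALF_UP)
        self.accrued = Decimal("0")

    def withdraw(self, amount):
        amount = Decimal(amount)
        if self.closed or amount > self.balance:
            raise ValueError("insufficient funds or account closed")
        self.balance -= amount

    def try_close(self) -> bool:
        """Naive close: succeeds only when nothing at all is left in the account."""
        if self.balance != 0 or self.accrued != 0:
            return False
        self.closed = True
        return True


def naive_sequence():
    """Customer withdraws the full visible balance; month-end then posts the
    interest that had accrued earlier.  Returns (final balance, close succeeded)."""
    acct = Account("100.00", "0.0001")
    acct.accrue()                  # $0.01 earned, still pending
    acct.withdraw(acct.balance)    # customer takes the whole visible balance
    acct.post_interest()           # the pending penny lands in an "empty" account
    return acct.balance, acct.try_close()


def close_account(acct: Account) -> Decimal:
    """Atomic close: post pending interest, pay out the final balance, then mark
    the account closed.  Returns the amount paid out."""
    acct.post_interest()
    payout = acct.balance
    acct.balance = Decimal("0")
    acct.closed = True
    return payout


def correct_sequence():
    """Same starting state, closed through close_account instead of withdraw."""
    acct = Account("100.00", "0.0001")
    acct.accrue()
    payout = close_account(acct)
    return payout, acct.closed, acct.balance


if __name__ == "__main__":
    print("withdraw, then month-end:", naive_sequence())      # (Decimal('0.01'), False)
    print("close_account:", correct_sequence())               # (Decimal('100.01'), True, Decimal('0'))
```

The point is not the arithmetic but the ordering: “close” has to be one operation that settles every pending adjustment and then zeroes the account, rather than a status flag that a separate withdrawal and a separate interest job are each expected to leave consistent.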

Where do you start with a story like this? Well if you’re me, which I was last I checked, you tell the story to your wife. In my case, she responded with “that’s pretty typical, let me tell you what happened with me last week.” Holy automated banking fail, Batman! Has the quality of banking service and support personnel declined dramatically to the point where only morons are doing the job? Or perhaps the quality of the software that handles the automation has all been outsourced to idiots. Actually I’m dubious of each of the aforementioned rhetorical questions, since my experience hasn’t been with stupid or even ignorant support staff or banking software developers. I suspect that the complexity of the systems has reached the point where no single operator – or even developer understands it completely enough to handle corner cases.

Mike Janke at the Last In – First Out blog recently had this entry about technology we don’t understand.

What are the consequences of building a society where we rely on technology that we don’t understand? Is lack of stewardship one of those consequences?

Should we expect ordinary computer users, who understand almost nothing of how their computers work, to operate their computers in a manner that protects them and us from themselves and the Internet?

Back in the day (I mean way, way back) my wife’s grandmother was a chief teller at a bank. She knew absolutely everything about that bank’s accounting systems. All of which were paper and gray matter based of course. It would be inconceivable that:

a. she would allow something as silly as leaving a penny in an account a customer was trying to close or

b. That she couldn’t rectify the error immediately if such a thing had occurred.

Of course that was a long time ago, before people were separated from the actual physical reality of their bookkeeping systems by numerous layers of abstraction and indirection. My wife’s grandmother was capable of understanding the entire system end-to-end and had the experience (something like 30 years) to know all of the tiniest details. I doubt that any human alive now is capable of understanding a major bank’s accounting systems end-to-end. And ironically, because of the rate of technology advancement, 30 years of experience is a liability rather than an asset when it comes to making sense of modern software systems.

So when does it make sense to spend $30 and 4+ hours to send out a $0.01 check? Any time it happens. Hard is the new simple.

Law School network FAIL

So the other day my future daughter-in-law has this bizarre incident with her email account at the University of Maryland at Baltimore (Go Terps!) School of Law. Seems that she got one of those “time to change your password” messages, so like any tech savvy person who has been indoctrinated (and browbeaten) by me she chooses a good strong password. System seems to take it okay, only it’s obvious by several days later when she isn’t getting any email that something is wrong. So she calls the IT support guys who determine that the root of the problem is that their email system doesn’t like her new password. Apparently this antique system allows only 8-character passwords with only alphanumeric characters, so clearly her 14-character password of alphanumeric and special characters won’t work. Specifically the system really can’t deal with the semicolon character she used. Say what??!! Whoa dudes – party like it’s 1990! It gets better.

After recovering from the initial shock she asks them to reset the password and she’ll try to come up with a new one using the standards in place when she was a toddler. Sorry, says the IT support guy, but this will require “code changes” and since this is the weekend, that guy won’t be in until Monday. Eventually they decide to call the mystery email coder in to make the changes that will fix the problem. So four hours later she has a brand spanking new classic, eminently hackable password for her main law school account.
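The failure here is not just the weak policy but that the password-change front end accepted a value the mail system behind it could not use, and nobody found out until mail stopped. As an added example (written for this post, not the law school’s code), here is a change handler that checks a new password against every consuming system’s policy before committing it. The 8-character, alphanumeric-only limit is the one reported above; the “directory” policy and the user name are constructed.

```python
"""Added example, not the school's code: validate a new password against every
back-end policy that will have to accept it, and refuse up front rather than
storing something a legacy server later chokes on.  The legacy limits are the
ones reported in the post; the directory policy and user name are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: Optional[int]     # None = no upper bound
    allowed: re.Pattern        # every character must match this pattern

    def problems(self, pw: str) -> list:
        """All the reasons this system would refuse pw; empty list means accepted."""
        out = []
        if len(pw) < self.min_len:
            out.append(f"{self.name}: shorter than {self.min_len}")
        if self.max_len is not None and len(pw) > self.max_len:
            out.append(f"{self.name}: longer than {self.max_len}")
        bad = sorted({c for c in pw if not self.allowed.fullmatch(c)})
        if bad:
            out.append(f"{self.name}: disallowed characters {''.join(bad)!r}")
        return out


# Reported in the post: exactly 8 characters, letters and digits only.
LEGACY_MAIL = Policy("legacy-mail", 8, 8, re.compile(r"[A-Za-z0-9]"))
# Constructed: a directory that takes any printable ASCII, 8 characters or more.
DIRECTORY = Policy("directory", 8, None, re.compile(r"[ -~]"))


def check_everywhere(pw: str, policies=(DIRECTORY, LEGACY_MAIL)) -> list:
    """Collect refusals from every system; the weakest one is the binding constraint."""
    problems = []
    for policy in policies:
        problems.extend(policy.problems(pw))
    return problems


def change_password(store: dict, user: str, new_pw: str) -> bool:
    """Commit only when every consuming system will accept the value."""
    if check_everywhere(new_pw):
        return False
    store[user] = new_pw   # a real system stores a salted hash, never the password
    return True


if __name__ == "__main__":
    creds = {}
    for candidate in ("Tr0ub;adorEx", "Ab3dEf7h"):
        ok = change_password(creds, "student", candidate)
        print(f"{candidate!r}: {'accepted' if ok else check_everywhere(candidate)}")
```

Run it and the 12-character password with a semicolon is refused with both reasons the mail system would have objected to, while an 8-character alphanumeric one goes through. The useful output is the list of refusals: when the only passwords that satisfy every policy are ones the modern systems consider weak, that list is the evidence for fixing the legacy server rather than asking users to downgrade.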

So where do I even start with a debacle of this magnitude? How about with a disclaimer. My son, who as you might guess also goes to UMB law school, tells me that UMB’s network is completely separate from and vastly superior to the law school’s network. So with that out of the way, where in the world did they find a POP server that lame? Coding? Give me a break, I’ll chalk that up to untrained and marginally functional tech support. Given the environment I’d imagine a student work study (read slave labor) gig. As for the 4 hour fix, I’m guessing 3 hours and 45 minutes to get onsite, 5 mins to reset the password and 10 minutes to write the notification. All in all not a stellar performance.

But herein lies the real problem. Given that this is a law school, all of those pissed off students who will be compromised when their data is lost in the coming breach will be lawyers. I’m thinking that’s a pretty big risk of litigation. Also one can only assume that the overall network, including the law school WiFi net, is as secure and well managed as the email server. Actually I have it on good authority that this is in fact the case. Holy pending lawsuit, Batman!

So let me end this with a plea to the security group that meets at the Barnes and Noble in Inner Harbor to make an attempt to save these jokers from themselves. Unless of course you are sniping that free WiFi. And reading juicy emails from law students.