Tuesday, December 15, 2009

Has Facebook Turned Evil? (OK, it always was)

The ACLU(!) thinks so.  I'm not so sure.  Their new privacy policy opens up a *LOT* of information about the users, and the "privacy wizard" is really hard to understand for privacy experts - what's a normal user to do?

Right now, I'm begging you: review your Facebook privacy settings, including search, log out of Facebook, and do a Google search of yourself.  And prepare to be shocked.

Here's a good analysis from Jason Calacanis, and the ACLU was already writing about their AWFUL privacy policy regarding quizzes (DON'T TAKE QUIZZES ON FACEBOOK!).  You're giving out both your own and your friends' information.

Update 3-20-2010: 
From Business Insider - Mark Zuckerberg is a really sleazy guy.  All signs point to the fact that he stole lots of ideas from his classmates and (sorta) employers at Harvard, and bragged about it.  When they sued him, the judge didn't look at all the evidence and still gave them $65 Million.  If that figure is true, that's a lot, but they might get more based on the fact that Zuck hacked their web sites, stole their logins and passwords from Facebook records, etc.  Nice guy, huh?  And everybody keeps their private data with him?  I'm not sure how I feel about that.

Next: Read "YouTube is Evil and Google knew it when they bought them."

Perry

Friday, December 11, 2009

Antivirus Programs are not Perfect

Sounds silly when said this way, huh?  Well, it's true, and it's sometimes surprising when people think otherwise.  This means that when you do dangerous things, like go to dangerous-type web sites (gambling, warez, porn) or click on suspicious email attachments (even after scanning them), you could get into trouble.

For proof, look at this (safe) link created by Adrien from the Internet Storm Center.  He analyzed a message that claimed to be a security message from Facebook notifying customers of a password change.  We all know this never happens, and the attachment contained malware.

The link above, here again, shows multiple virus scanners run against the file, and while my favorites (except one) all found it, a troubling number didn't: 20 out of 41, technically less than half.

This does not mean that you should completely stop clicking on attachments.  Just that you should think, and do a quick risk analysis.  Don't click on every "this is funny" attachment when it's sent by a friend of a friend, and don't click on ANY attachment that's sent by a bank or financial institution unless it's generated by a transaction you made yourself.

Use Mozilla Firefox for browsing, use NoScript, stay off bad sites, be Internet safe.

Perry

Saturday, December 5, 2009

LaLa is a really cool music service

I started using LaLa a couple of weeks ago, and actually bought a bunch of songs.  It was when we saw the Trans-Siberian-Orchestra, and I wanted to get some of their music.  LaLa has lower prices than iTunes for downloads, and wicked cheap web-listen prices - like $.10 per song without download.

This just in, too late: Apple bought them.  Let's see if iTunes is the Borg and assimilates (kills) them.  Oh well.

Perry

Friday, November 13, 2009

Do you have a jailbroken iPhone?

It looks like iPhones that are jailbroken can be accessed from the Internet using ssh with the default root password "alpine".

Instructions for changing the password are here. Please change the password now, you don't want your beautiful iPhone to change into a nice, shiny brick.

Perry

UPDATE 12/1/2009

It's not rickrolling now; the newest one actually steals information, like passwords, and changes your ssh password so you have to wipe the phone to remove it.  Luckily it's really easy to tell if it's there: the battery usage is so high you'll want to wipe the phone anyway.  Lucky the battery isn't replaceable, huh?   Change those passwords, folks.

Facebook Apps are really Insecure (and their creators know it)

The architecture of Facebook apps has some security problems, and according to this article, companies like Zynga (Farmville, Mafiawars) know about it and exploit it.

That means that you, the user, take it on the chin (and in the wallet).

The problem is that when you load Facebook apps, they have access to your whole Facebook account, not just the piece they need.  The app makers take advantage of this, or at least point to people who do.  This means extra charges on your credit cards at best, or identity theft at worst.

Moral of the story: be discreet when you load Facebook apps.  Do you really want to know which Anne Rice character you are?

I don't.  And I don't want to join MyCalendar, so no birthday requests (sorry), etc., etc.  I'm not sure about groups.  Or lists.

Facebook is working on it, making your information disclosures selectable, but with no ETA, I don't think.

Update 11/14/09 - ValleyWag says that there might be a class action suit in the works.  Zynga is going to have fun defending the "every horrible thing in the book" quote from their CEO, especially when it's on tape (nice touch).  Let's see how that IPO goes, huh?

Oh, another thing:  Do you use Facebook and care about your privacy settings?  Are they all set to friends only?  I did a Google search for myself (AKA vanity search) and found out my whole friends list was available to everyone.  I hadn't increased privacy on "search settings".  Click here to make those changes to your profile.

Perry

Flash is really Evil

A post today on Slashdot describes how Adobe Flash basically breaks the security of the Internet.

Unfortunately it's really complicated, but the author maintains (and shows) that when a server sends an Adobe Flash object to a user's browser, that object can execute code that's in a file in the originating domain, regardless of whether that file is a Flash object.  The file that gets executed as Flash may not even be a Flash object; it can be something else, like an image.

This opens up the web to a ton of attacks.  Basically, any web site that allows file uploads (like photo sites) can only be partially resistant to this if they serve user-uploaded content from a different domain.  So pbase.com would need to move all their files to pbase-img.com, or something similar.  Some big sites like Yahoo are already doing this.

That means it's bad news because it's really hard for anyone to fix other than Adobe, and the worse news is that Adobe says it's not their problem.

What's a poor user to do?

It's easy for a Security Goon to say:

  1. Use Firefox.  I already do this, as do my wife and kids.  Really.
  2. Use the NoScript add-on.  I do this, but haven't got my wife or kids started (yet).  This prevents Flash from most sites unless it's manually turned on.  (I gotta pay him something.)  It's brilliant and improves the net experience if only because I haven't seen "punch the monkey" in years.
  3. According to a comment in the above referenced article, it's even better if you run the FlashBlock extension.  This sounds good but I haven't tried it yet.

If you insist on running Internet Explorer (bad), the above article mentions something called Toggle Flash which sounds really cool, but I haven't tried it.

Perry

Friday, October 16, 2009

Is Paypal a Bank?

An open letter to Paypal:

As I understand it:

1. Paypal banned Moxie Marlinspike, a well known information security researcher, because he wrote some online security tools that could be used against Paypal and accepted donations using Paypal systems.  (More information can be found here.)
2. Paypal has a policy banning writing software that can be used against it.  I have not verified this.
3. Paypal held $500 of Mr. Marlinspike's money until he removed the Paypal link from his web site.

This is just my unsolicited opinion, but I think this should be addressed at the highest levels at the company since it addresses some fundamental questions:

1. Can Paypal confiscate people's money for breaking its terms of service?
2. Is Paypal a bank?
3. Should the United States government step in and regulate Paypal as an interstate bank?

Regardless of whether my understanding of Mr. Marlinspike's situation is correct, it appears that Paypal thinks the answer to question #1 is "yes".

I don't know the answers to these questions, but I think Paypal would want the answer to question #3 to be "no".  If this is so, and I were them, I'd be concerned that this has the attention of the US Government.

Perry Engle
Stratham NH

Thursday, September 17, 2009

Don't get fooled by Free Antivirus!

There are some scams out there trying to peddle free antivirus software, just say no!

You'll go to a web site, and it does all kinds of things to tell you you're infected and to get you to load their software.  There's a technical description here.

Right now, suffice to say Norton and McAfee are the best but co$t, and there's a free one I like called Avast.

Trend and ClamAV are OK too, I guess, but I haven't tried them.

Don't use any others.

Perry

Monday, August 3, 2009

*Important* Update Adobe Products Now!

I'm back from Blackhat, and Adobe is now sharing the spotlight as a company *we like to make fun of*.

Don't worry, Microsoft, you still have the top of the heap, but with at least 3 zero-days in 2 months, Adobe is getting their share of abuse.

There is evilness out there, and all 3 of the usual suspect Adobe products need updating: Flash, Shockwave, and Reader.  Mine didn't update automatically, so I had to go to the following 3 places:

http://get.adobe.com/flashplayer/

http://get.adobe.com/shockwave/

http://get.adobe.com/reader/

It's kind of a pain, but pretty quick on broadband.  Do Reader last and reboot at the end, and if you're using Firefox, update that too (from the "About" dialog), and you should be pretty safe.

Happy end-of-summer
Perry

Tuesday, March 31, 2009

Is Conficker an April Fools Joke?

Update 4/9/2009: Obviously, the Internet didn't melt down, but some of the information security people around were waiting for the other shoe to drop.  According to this article, Conficker has woken up and started moving files.  We're still looking.


Original Post:

If you've been paying attention to media, you've probably heard about the Conficker worm. It really is a big thing, and has been a problem to corporate IT staffs since last October.

If you're a home user, there's not much you can do about it, except make sure your virus signatures are up to date, and run a virus scan.

If you would like a quick sanity check to see if you have Conficker, click on one of these two links:
Symantec, or F-Secure.

You should see the web sites of Symantec and F-Secure, two network security companies.  If you had the Conficker worm, you'd get something else (it blocks access to security vendor sites), and you should immediately run a full security scan.

The reason it's come up now in the mass media is that researchers have found a reference to April 1 in the Conficker code, and they're not sure what it does.  Conficker might wake up and do something, and it also might be part of a bigger event, so we're keeping alert.

You can find lots more about it at the Honeynet Project and SANS (extreme technical content on these sites).

Perry

Sunday, March 22, 2009

What's the benefit of signing my email?

My brother, Pete, asked a great question when I used a digital signature to sign a message to him: "So what's the benefit of signing? Is it something I could/would/should do frequently?"

He's referring to using a Digital Signature to electronically "sign" an email message. The digital certificate is impossible to forge, and proves that the message was really sent by the person who claimed to send the message.

When people habitually use these signatures, then it prevents someone else (like a spammer, or worse) from impersonating them.

In this case, I signed my message to him, which sent both my digital certificate and a code at the end of the message.  This code was created by mathematically processing all the contents of the message and the certificate.  The email program on his end compared the code to the contents of the message and the certificate, and found that they matched.  It also checked the certificate against the signature of the company that issued the certificate, to be sure the certificate itself wasn't forged.  This meant that not even one letter in the message was changed between my computer and his.

If Pete then saved my signing certificate into his email program, he could also encrypt the messages he sent to me, and no one could read them except me.

Pete also has a "confidentiality notice" on his email: legalese saying that misdirected mail should be deleted.  Lots of people use these; my work recommends this sometimes, too.  If people encrypted all their confidential information, they wouldn't need the notice, because misdirected mail would be unreadable by any unintended recipients.

Signed and encrypted messages are widespread in the DoD and somewhat in the geek community.

In fact, messages containing attachments or links won't even go through the US Air Force mail system unless they're signed. Yes, this is a pain in the neck when we work with external organizations who don't have digital certificates.

I used Comodo for my free certificate at home, in Mozilla Thunderbird.

Apparently it's only valid for a year.  I had forgotten that (oh look, good until 5/24/2009).  I'll be interested to see what happens on May 30; I think it'll die and I'll have to get another one.  I'll pay for it then, I think.

The fact that Pete, who is pretty savvy with computers, had to ask, even though digital certificates are wildly useful for preventing identity theft, shows the problem.

Digital certificates are not in widespread enough use to make a difference right now.  Why?  That's another post.

Maybe someday.

Perry

Saturday, February 21, 2009

Do you know what TTFN means?

It's "ta ta for now".  I knew that, but there are tons I don't know.  I was googling for one, and found this page.  It's kind of interesting.

The National Center for Missing and Exploited Children has a dictionary of kids' phrases, or chat abbreviations, up on the web.

http://www.missingkids.com/adcouncil/pdf/lingo/onlinelingo.pdf

Perry

Friday, February 20, 2009

What is Phishing?

Phishing is when a criminal sends an email forged to look like it came from a trusted company like your bank.  They make up some story and ask you to click a link that looks like a place you trust, but goes to them instead.  If you log in with your username and password, you've given them the keys to your kingdom.

Here's an example from SANS (typos and all, which is itself a warning sign):

Dear email account owner,

This message is from somewhere email administration center to all email account owners. We are currently upgrading the email securities of our database and email account center. We are also conducting a routine check by deleting all unused accounts to create more space for new accounts. To prevent your email account from being closed, you will have to update it below by providing us with the below mentioned so that we can ascertain that your account is prensently in use.
CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username:....................
Email Password:....................
Date of Birth:.....................
Country or Territory:.............

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Regards,
Admin Team

Thank you for using somewhere email account

If you ever get an email like this, just ignore it, or call your financial institution directly, using the number on your regular card or bill, NEVER THE PHONE NUMBER IN THE EMAIL!

(This goes for phone calls and texts too!)

Perry

Wednesday, January 28, 2009

Edit: Carbonite Is a cool backup solution

Edit (1/31/09): I wrote the following without thinking about the dates. Apparently most of this happened in 2006, and some of the older review posts in question were recently deleted.

Carbonite is a needed service; they're a local company (Boston) and they have significant infrastructure, so they're more likely to stay around in this screwed up economy, so I'm pulling for them.

I don't understand David Pogue reporting this like it's news, and I'm left figuring out whether I want to try the service myself.  The backups I want to do are my photos, which are probably 80 GB and completely disorganized; maybe they're the perfect solution.

People think they need a good system for backing up their computers.  That's not exactly right: they need a system for restoring their computer in case there's a problem.

Online systems seem perfect: pay a little money, load a client, and your computer is backed up into the cloud.  When there's a problem, simply get a new drive, hit "restore" and wait a little while.

Well, Carbonite seemed like the perfect solution: it's not expensive, it has some well-known personalities who are fans, it's got good reviews, etc.

Unfortunately it's not so simple.  While it seems to back up pretty well, restore, not so much.  Then when you need customer service, not so much either.

And then it turns out, there's widespread review-padding from employees. Yuck.

Oh well, I guess I need to look at another option.

Mac users have Time Machine; maybe PC people will get something similar someday, so we don't have to go buy a Drobo (the coolest drive out there), which still needs swell software.

Perry