Thursday, April 28, 2011

Book: Little Brother by Cory Doctorow

Little Brother is a novel about a group of teenage friends and schoolmates in San Francisco who, in the aftermath of a terrorist attack on the San Francisco – Oakland Bay Bridge and the BART (Bay Area Rapid Transit) system, defend themselves against the Department of Homeland Security (DHS) and the new rules of the police state, an oppressive regime bent on discovering national threats at the expense of the freedom and privacy of the people.

The main character Marcus and three of his friends Van, Jolu and Darryl are playing truant from high school and find themselves near a terrorist bombing of the San Francisco Bay Bridge, where they are apprehended by the DHS and held as enemy combatants because of their suspicious behavior. As for the protagonist Marcus, he's a likable if undeniably cocky hero – he hacks cellphones, sasses clueless authority figures and quotes the Declaration of Independence from memory.

Marcus' best friend Darryl, who was stabbed after the bombing, is the only one of the foursome not released after the torturing and humiliating 5-day interrogation, and provides Marcus' main motivation to fight back against the DHS. Although the book focuses mainly on security and privacy and on technology, it is also an affectionate story of bravery and strong friendship, in which even a little love triangle is not missing. While organizing resistance, Marcus develops new friendships and a love interest, Ange, who supports him during his doubts and fears over fighting the federal government. To fight back, Marcus builds a clandestine wireless network, Xnet, that evades DHS monitoring using anonymity and encryption.

Doctorow's enthusiasm shines through the whole book and is contagious and amusing to follow. It's quite remarkable that he wrote the story in exactly eight weeks, from the day he thought it up to the day he finished it. "Alice, to whom this book is dedicated, had to put up with me clacking out the final chapter at 5 AM in our hotel in Rome, where we were celebrating our anniversary," he jokes. He recalls two periods from his own life: when he was 17 and the world seemed like it was just going to get more free, and now, 17 years later, when things are different. "The computers I love are being co-opted, used to spy on us, control us, snitch on us," he says in the introduction. With parallels to post-9/11 policies, such as the Patriot Act, Doctorow brings in a good amount of criticism of government control over the internet.

Motivated and inspired by the fight for freedom, Doctorow develops his protagonist Marcus, a young and rebellious character who makes Little Brother an enjoyable read both for a young audience and for a somewhat older one who still feel young at heart. However, while Marcus is the protagonist and well portrayed throughout the whole book, Doctorow could have put some more emphasis on, and gone into a little more detail with, the other characters as well. Unfortunately, any character who wasn't Marcus got rather short-changed in the story. Ange and Marcus' mother Lillian, with whom he has a very strong relationship, were perhaps the best developed characters besides Marcus himself.

Although I'm personally not the biggest fan of sci-fi books or movies and am sometimes frightened away by writing with too much technical detail, Little Brother kind of won my heart. Perhaps I was also positively disposed due to earlier contact with Doctorow's blog Boing Boing and his activist statements. Little Brother draws our attention, once again, to the human-computer (human-technology) relationship, its current and future potential, and raises questions about our enthusiasm for technology and how we contribute to our own lack of privacy. Doctorow raises the question of the right use of technology and the right balance between security and privacy, and makes a didactic point within a well crafted fictional framework.

The moral of Little Brother is that unless you're passably technically literate, you're not fully in command of the given freedoms. Doctorow writes: "Even if you only write code for one day, one afternoon, you have to do it. Computers can control you or they can lighten your work – if you want to be in charge of your machines, you have to learn to write code."

Some interesting facts and findings

The title "Little Brother" is a play on Big Brother in George Orwell's Nineteen Eighty-Four. Marcus also uses the handle "w1n5t0n", a reference to that book's main character, Winston Smith, written in leetspeak (an alternative alphabet for English, used primarily on the Internet, that replaces Latin letters with various combinations of ASCII characters).

Each chapter of the e-book edition of Little Brother is dedicated to a different bookstore: Bakka-Phoenix, Amazon.com, Borderlands Books, Barnes & Noble, Books of Wonder, Borders, Forbidden Planet, Books-A-Million, MIT Press Bookshop, Hudson Booksellers, and so on.

The author of the book, Cory Doctorow, is a Canadian writer, blogger (co-editor of Boing Boing), journalist as well as an activist in favour of liberalising copyright laws and a proponent of the Creative Commons organization, using some of their licences for his books.

Little Brother is downloadable for free and made available in quite a number of different formats: plain text, HTML, PDF, iPhone, Kindle, LaTeX, PalmDoc, etc. In other words, anyone who's interested in this fast-paced and well-written masterpiece can find it online here.

Security and privacy matters of social networking sites

Introduction
1. Three examples of Facebook’s vulnerability
2. How carefully do Facebook users consider their online privacy?
3. How to protect yourself online?
4. TripIt Auto Import
5. Facebook Connect
Conclusion

Introduction

On large social networking services, there have been growing concerns about users giving out too much personal information. For the Internet generation, social networking sites have become the preferred forum for social interactions. However, because such forums are relatively easy to access, posted content can be reviewed by anyone with an interest in the users’ personal information.

Privacy on social networking sites can be undermined by many factors. For example, users may disclose personal information, sites may not take adequate steps to protect user privacy, and third parties frequently use information posted on social networks for a variety of purposes. In addition, there is a perceived privacy threat in placing too much personal information in the hands of large corporations or governmental bodies, allowing a profile of an individual’s behaviour to be built, on which decisions detrimental to that individual may be based.

Facebook is a very popular social networking site, but there are a number of security issues with the site that can put you at serious risk if you aren’t careful. The number of Facebook account hackings seems to be on the increase. „While any online account is in danger of being hacked, Facebook has unique features that make this danger even more likely. For one thing, it is very common to post personal information which can be used to steal your identity. But the significant danger is because it is so easy to run malicious programs that can hack your account,“ explains software engineer Bill Pringle on his website. [9]

1. Three examples of Facebook’s vulnerability

The „ethical attack“ by Ron Bowes

In July 2010, security consultant Ron Bowes used a piece of code to scan Facebook profiles and collected data on 100 million of them. The data collected was not hidden by the users’ privacy settings. Bowes then published the list online. This list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user’s profile, their name and unique ID. Bowes said he published the data to highlight privacy issues, but Facebook claimed it was already public information.

„People who use Facebook own their information and have the right to share only what they want, with whom they want, and when they want,“ the statement read. „In this case, information that people have agreed to make public was collected by a single researcher and already exists in Google, Bing, other search engines, as well as on Facebook.“ Facebook has a default setting for privacy that makes some user information publicly available. People have to make a conscious choice to opt-out of the defaults. „This highlights the argument for a higher level of privacy and proves the case for default nondisclosure,“ said Simon Davies from the watchdog Privacy International to the BBC. [2]

BBC’s picture guide for Facebook privacy can be found here.

The Turkish attack

Also in July 2010, a group of Turkish pranksters decided to abuse Facebook’s translate application and posted a plan online on how to do it. Their actions changed the translation of commonly used words and phrases across the Facebook platform. The word „Like”, for example, was substituted with another word that rhymes with „Luck“ but begins with an F. The familiar notification in Facebook chat „Your message could not be sent because the user is offline“ became „Your message could not be sent because of your tiny penis“.

The attackers abused the official Facebook Translate interface, a crowdsourcing method for improving the linguistic accuracy of the site. It seems as though the replacement translations did not pass any human eyes before going live. It is only fortunate that the hole was exposed through a prank in the first instance and not through something more nefarious. „Any online service, whether it’s translation or reputation services, which solicits user generated content would be well advised to quality check that content before going live with it,“ says Rik Ferguson on Business Computing World. [3]

These misguided translations were reverted and the translate application went offline for many languages. However, it is unknown whether this was related to the Turkish attack.

Likejacking

Facebook’s software has also proven vulnerable to likejacking – a Facebook-enabled clickjacking attack that tricks users into clicking links that mark the clicked site as one of their Facebook „likes“. [8] Using the wizard provided by Facebook, anyone can create a Like button for any URL they want and embed it on their site. „By tricking site visitors into „liking“ something by mistake, spammers could immediately place their links into that person’s News Feed, a feed seen by all of that person’s friends. And since an average Facebook user has 130 friends, even tricking a handful of people into doing this gives the spammer access to hundreds, potentially thousands, more people,“ explains Sarah Perez on Read Write Web. [7]

The term „likejacking“ came from a comment posted by Corey Ballou on another article by Perez, How to „Like“ Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity involving the Facebook Like button. [6]

2. How carefully do Facebook users consider their online privacy?

The number one social networking site in terms of monthly active users, Facebook, has nearly 700 million user accounts and a reported 700 000 new people joining the network every day. [12] But how carefully do Facebook users consider their online privacy? Not carefully enough, according to a study carried out by Sophos Australia at the end of 2009, in which two fake profiles of female Australian Facebook users were created, Daisy Feletin (21, single) and Dinette Stonily (56, married). Each sent a friend request to 100 randomly-selected contacts in their age group, and waited two weeks to see who would respond. [1]

The results were astonishing: 46% of Facebook users accepted friend requests from strangers, 89% of users in their 20s divulged their full birthday, nearly 100% of users posted their email address, and between 30% and 40% of users listed data about their family and friends. Both groups, younger and older, were very liberal with their email addresses and with their birthdays. This is worrying because these details make an excellent starting point for scammers and social engineers. Nearly half of the youngsters, and nearly one-third of the 50-somethings, also offered up details about friends and family – again, information which scammers and identity fraudsters can exploit to build up an accurate and abusable profile of you and your lifestyle.

Identity thieves can use this information to commit crimes against individuals and their companies. „Ten years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate,“ Paul Ducklin, Sophos’s Head of Technology in Asia Pacific, said about the results. [1]

3. How to protect yourself online?

Facebook gives users powerful controls to protect themselves online, but it’s up to individuals to check and ensure that appropriate settings are in place. Most social networking services, including Facebook, let the user choose who can view their profile. To edit the information in an account, social networking sites require you to log in with a password, to prevent unauthorized users from adding, changing, or removing personal information, pictures, and/or other data.

To give an example, parents who want to access their child’s MySpace or Facebook account have become a big problem for teenagers who do not want their profile seen. By making their profile private, teens can select who may see their page, allowing only people added as „friends“ to view their profile and preventing unwanted viewing of it. Whether it’s parents and their children or individuals and governmental bodies, and whether they’re online or offline, everybody should have the right to privacy and to control over their information.

Because it’s much easier to prevent your account from being hacked than to recover a hacked account, here are some good security practices from software engineer Bill Pringle that should be kept in mind not only for Facebook, but for any other web site account you might have. [9]

  • Use Firefox or Chrome instead of Internet Explorer, as there are a lot of security problems with IE. Other possible browsers are Safari and Opera.
  • Never click on a suspicious link contained in an e-mail message or IM. The more a message encourages you to click on a link, the more you should not click on it.
  • Use a strong password. Find a balance between a password that is easy for you to remember and one that is hard to guess. It should have at least 6-8 characters, and should include letters and digits or possibly symbols.
  • Don’t give out your password. If you have already given out your email address and password, change your password immediately. If, in the future, you need to enter that information, log in to your email account, change the password to something simple (like „secret“) and then submit that password. Once you have done what you needed to do, go back into your email account and change your password to something strong.

Facebook offers a very sneaky way of getting you to enter your username and password: by offering to help you find your friends on Facebook. Facebook asks you for your email address and password, and then uses this information to access your address book (list of contacts). They then search Facebook for any matches. The problem, of course, is that your email address and password are now stored inside a Facebook database. And, since Facebook doesn’t have a history of keeping your private information very private, you should be very concerned about that. If you want to find friends on Facebook, search for them using their email address.

  • Always log out when you are done. Some websites use cookies to remember who you are so that you don’t have to sign in each time. While this might be convenient when using your desktop at home, it can be disastrous on your laptop, cell phone, or PDA. When you log out, that usually destroys the cookies, so that you will have to log in the next time.
  • Change your password fairly often. If you change your password too often, it becomes hard to remember, and you might start writing it down, which would be very dangerous. The idea is to change your password often enough that by the time somebody figures out your password, you have already changed it.
  • Don’t let others use your computer, phone, PDA, etc. They might accidentally download some malicious program, or actually post or send something under your name.
  • Run anti-virus and anti-spyware software. Not only should you run anti-virus software, but make sure you get updates on a regular basis. Most people know about anti-virus, but not as many are aware of anti-spyware software. It works similarly to anti-virus, but it looks for programs that do things like track your web browsing.

Sophos Australia gives the following tips for better security on Facebook to secure your personal data and avoid identity theft. [1]

  • Don’t blindly accept friends. Treat a friend as the dictionary does, namely „someone whom you know, like and trust.“ A friend is not merely a button you click on. You don’t need, and can’t realistically claim to have, 932 true friends.
  • Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don’t give away too much too soon.
  • Assume that everything you reveal on a social networking site will be visible on the internet forever. Once it has been searched, and indexed, and cached, it may later turn up online no matter what steps you take to delete it.

The account settings mostly hold administrative items with little impact on your privacy, but there are a few areas that warrant caution.

  • Consider whether the „full alternate name“ option, which allows you to add your maiden name or nickname to your profile, is a good idea to use. Keep in mind that some sites use your maiden name (if applicable) as a security question for account access, so weigh this possibility before disclosing it. It is recommended to avoid a nickname that might give away sensitive information (such as your birth year). Be sure it is different from your bank login username, for example.
  • To avoid likejacking, think carefully before you change settings for Facebook Ads. In the wrong hands, information about ads you liked can be handy for socially engineered attacks. The more entities that have access to your information, the greater your risk. It is best to limit this information whenever possible.
  • It also makes sense to be careful with linked accounts, including Google, MySpace and OpenID – use them with caution to avoid overexposure.

4. TripIt Auto Import

I would like to give one personal – and quite enlightening – example of linked accounts here. As someone who loves to travel often and share these experiences with friends, I’ve been using TripIt – a service that organizes travel plans into an itinerary that has all of your trip details in one place. It is, indeed, a practical tool, especially when you are staying at different hotels, using more than one means of transportation, and need to keep track of your timetable. It can be accessed anytime, either online or from a mobile device. TripIt offers the possibility to sign in with Google and Facebook accounts and allows you to automatically publish when you are planning, departing on and returning from a trip. I was aware of this and had the option to share my trips on Facebook activated, as normally I would start a new trip there myself and know when this information was shared.

However, the last time I booked flights for my upcoming summer adventure on the Ryanair website, I was rather surprised to find out only a moment later that this information was already published among my Facebook wall posts without me even logging in to TripIt. It took me a while to figure out how this connection from Ryanair to Facebook was created. It turned out that TripIt also offers to auto import travel plans from your inbox, in my case Gmail. And because it recognizes the standard confirmation letters, it auto imported my Ryanair flight details directly from their confirmation e-mail to my TripIt account, created a trip and automatically shared it on my Facebook account. The annoying thing was that I didn’t remember activating the „Auto Import“ option, or perhaps it was activated by default. One way or another, I felt like I was suddenly rendered powerless and had lost control of my information.

I think it’s a perfect example of overexposure on social networking sites. To avoid this happening to others, and because this information is rather hard to find on TripIt (you need to dig around in their Help Center), here’s a little more about TripIt Auto Import and its security standards. Auto Import claims to be using secure standards. Nonetheless, it would be wise to consider both the security and privacy risks before activating this or similar applications.

Auto Import (beta) connects your Gmail or Google Apps email inbox with your TripIt account. Once connected, your travel plans are automatically added to your TripIt account. You do not have to remember to forward an email. TripIt will scan your inbox multiple times a day for travel plans, then automatically import them into TripIt. You can choose whether to add plans directly to your plans, or keep plans in your private „Unfiled Items“ area until you place them into Trips.

Security for Auto Import

When you set up your Gmail or Google Apps account, TripIt doesn’t ask for or store your password. It uses OAuth (an open protocol that allows secure API authorization in a simple and standard way from desktop and web applications) to authorize access to travel emails in your Gmail or Google Apps inbox, without needing your login credentials. You can revoke OAuth access at any time, either from your TripIt account or directly from Google.

TripIt uses https (secure communication) to scan the headers of your inbox to look for travel plans. If TripIt finds a travel plan, it will parse the contents of the email for trip related information. If you have an existing trip with overlapping dates, TripIt will add the plan to your trip. If the plan is new, TripIt will create a new trip.

Auto Import is opt in. You can also use TripIt without connecting your email account. If you decide to stop using Auto Import, it can be turned off. [13]
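As an added example, not TripIt’s own code: a small model of the Auto Import flow as the help text describes it, with an OAuth-style grant in place of a password, a header scan for travel confirmations, merging into trips whose dates overlap, and a separate opt-in before anything is shared. The sender list, the mail format and all inbox data are constructed for the example.

```javascript
// Model of the Auto Import flow described above (added example, not TripIt code).

// Senders whose confirmation emails the importer recognises (assumed list).
const KNOWN_TRAVEL_SENDERS = ['ryanair.com', 'booking.example'];

// Constructed inbox: headers plus a minimal body in an assumed format.
const INBOX = [
  { from: 'noreply@ryanair.com', subject: 'Ryanair Booking Confirmation',
    body: 'Depart: 2011-07-02 Return: 2011-07-09 Route: TLL-STN' },
  { from: 'friend@example.net', subject: 'lunch?', body: 'Tomorrow at noon?' },
  { from: 'reservations@booking.example', subject: 'Hotel reservation confirmed',
    body: 'Depart: 2011-07-05 Return: 2011-07-07 Route: London hotel' },
  { from: 'noreply@ryanair.com', subject: 'Ryanair Booking Confirmation',
    body: 'Depart: 2011-08-20 Return: 2011-08-22 Route: TLL-BGY' },
];

// Step 1: header scan. Only the From and Subject headers are inspected here.
function looksLikeTravelMail(msg) {
  const domain = msg.from.split('@')[1].toLowerCase();
  return KNOWN_TRAVEL_SENDERS.includes(domain) && /confirm/i.test(msg.subject);
}

// Step 2: parse the body of a recognised mail into a plan with a date range.
function parsePlan(msg) {
  const m = /Depart: (\d{4}-\d{2}-\d{2}) Return: (\d{4}-\d{2}-\d{2}) Route: (.+)$/.exec(msg.body);
  if (!m) return null;
  return { start: Date.parse(m[1]), end: Date.parse(m[2]), route: m[3].trim() };
}

// Step 3: add the plan to an existing trip with overlapping dates, else create a trip.
function fileIntoTrips(trips, plan) {
  const hit = trips.find(t => plan.start <= t.end && plan.end >= t.start);
  if (hit) {
    hit.plans.push(plan);
    hit.start = Math.min(hit.start, plan.start);
    hit.end = Math.max(hit.end, plan.end);
    return hit;
  }
  const trip = { start: plan.start, end: plan.end, plans: [plan] };
  trips.push(trip);
  return trip;
}

// An account holds an OAuth-style grant (no password) and two separate opt-ins:
// one for importing, one for sharing. Both default to off.
function newAccount(opts) {
  return { grant: { valid: true }, trips: [], autoImport: false, shareTrips: false, ...opts };
}

// Revoking the grant stops the scanner without any password change.
function revokeGrant(account) { account.grant.valid = false; }

// One scheduled scan of the inbox; returns a log of what happened.
function runAutoImport(account, inbox) {
  const events = [];
  if (!account.grant.valid) { events.push('scan skipped: access revoked'); return events; }
  if (!account.autoImport) { events.push('scan skipped: Auto Import off'); return events; }
  for (const msg of inbox) {
    if (!looksLikeTravelMail(msg)) continue;
    const plan = parsePlan(msg);
    if (!plan) continue;
    const trip = fileIntoTrips(account.trips, plan);
    events.push(`imported ${plan.route} into trip of ${trip.plans.length} plan(s)`);
    // Sharing is a separate decision: importing a plan must not imply publishing it.
    if (account.shareTrips) events.push(`shared ${plan.route} to Facebook`);
    else events.push(`kept ${plan.route} private`);
  }
  return events;
}
```

The surprise described above corresponds to an account with both `autoImport` and `shareTrips` on: a single scan files the flight and publishes it without the user touching TripIt.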

5. Facebook Connect

A more authentic Web or loss of privacy?

In August 2006, Facebook introduced the first version of the Facebook API, enabling users to share their information with the third party websites and applications they choose. In May 2007, the company launched Facebook Platform, which allowed third party developers to build rich social applications within Facebook. In May 2008, the next iteration of Facebook Platform, Facebook Connect, was announced to allow users to „connect“ their Facebook identity, friends and privacy to any site. „These are just a few steps Facebook is taking to make the vision of data portability a reality for users worldwide. We believe the next evolution of data portability is about much more than data. It's about giving users the ability to take their identity and friends with them around the Web, while being able to trust that their information is always up to date and always protected by their privacy settings,“ writes Dave Morin on Facebook Developers website. [4]

Although Facebook Connect is just one example of this new trend involving the portability of our social graphs, it has a leg up on both Google’s Friend Connect and MySpace’s implementation of OpenID. With Google's Friend Connect, they’re relying on the power of their brand, but not everyone has a Google account or a friend graph there. You would be creating an account for the sake of the account. This doesn’t appeal to anyone. As for OpenID, a mainstream web user does not know what an OpenID is. But everyone is able to wrap their heads around Facebook Connect. „‚Login with your Facebook ID‘ – that's pretty much as straightforward as it comes,“ says Perez. [5]

Through the seamless Facebook Connect integration, sites can access your Facebook account details and friend graph and move that data back and forth between their site and Facebook. For example, people commenting on a blog using the Movable Type platform will be able to log in via Facebook Connect. Their comment will link to their Facebook profile and the commenting activity itself will make its way back into their activity feed. On Digg, another site adopting Facebook Connect, you can log in with your Facebook ID and your digging activity is returned to Facebook, too. TripIt, which connects both your Facebook and your e-mail account, is another example of how easily information is shared between one website and another. The fact that some program scans your inbox to look for travel plans feels as revealing as the „naked truth“ body scan at the airport. The difference is that online you’re given the option to decide whether it’s something you allow or not, whereas at the airport you’re not. So it’s up to individuals to get acquainted with their options and to ensure that appropriate security settings are in place.

Facebook has always known that their value – that is, their monetary value – is selling off bits and pieces of your privacy to advertisers. The „real you“ on Facebook is a holy grail for marketers. With the power to spread that to sites across the entire web, everyone using Facebook needs to think where their line is – that is, how much they are willing to expose – and then act accordingly. „The problem is that this time it might not be something as innocuous as the video you rented at Blockbuster that finds its way back to your Facebook profile. As more of the corporate and business-oriented web adopts Friend Connect, the greater the chance for privacy intrusion,“ warns Perez. [5]

In March 2010, Facebook proposed a new privacy policy, Pre-Approved Third-Party Websites and Applications, in other words, the possibility of working with some partner websites that, when pre-approved, offer a more personalized experience the moment you visit the site. [10] Imagine visiting a website and finding that it already knows who you are, where you live, how old you are and who your Facebook friends are, without your ever having given it permission to access that information. How safe do you feel about this? As changes and updates to the Facebook Privacy Policy have become rather frequent, users are encouraged to review the newest proposed changes in their entirety and provide their own thoughts on the Facebook Site Governance Page.

To help ensure online privacy, Google engineer Brian Kennish developed Facebook Disconnect, an extension for the Google Chrome browser, which effectively blocks the transmission of data back to Facebook servers through Facebook Connect on third party websites, while still allowing the user to access those sites. The developer says the project was created in his own time and is not endorsed by or related to his employer. „In light of Facebook’s highly publicized privacy missteps, some users may be rethinking their relationship with the Web’s most popular social network. If you’re one of them, Facebook Disconnect may be for you,“ advises Catharine Smith on HuffPost Tech. [11]
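As an added example, not Facebook Disconnect’s own code: the core decision such a blocker has to make, written as a pure function so it can be tested outside a browser, plus the Chrome extension listener that would call it. The Facebook domain list and the extension wiring are assumptions.

```javascript
// Blocking decision behind a Facebook Disconnect-style extension (added example).

// Hosts treated as Facebook-owned (assumed list for the example). A request to
// any of these, or to a subdomain of them, counts as "talking to Facebook".
const FACEBOOK_HOSTS = ['facebook.com', 'facebook.net', 'fbcdn.net'];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ''; }
}

function isFacebookHost(host) {
  return FACEBOOK_HOSTS.some(fb => host === fb || host.endsWith('.' + fb));
}

// Block when the request goes to Facebook but the page the user is actually
// visiting is not Facebook: that is exactly the Facebook Connect call-home
// from a third-party site. Facebook itself keeps working, and so does the
// third-party page, which merely loses its Facebook widgets.
function shouldBlock(requestUrl, pageUrl) {
  const reqHost = hostOf(requestUrl);
  const pageHost = hostOf(pageUrl);
  if (!reqHost || !pageHost) return false;
  return isFacebookHost(reqHost) && !isFacebookHost(pageHost);
}

// Extension wiring (Manifest V2 webRequest API; needs the "tabs", "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions). Only runs inside Chrome.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  const pageUrls = {}; // tabId -> top-level URL, maintained from tab events
  chrome.tabs.onUpdated.addListener((tabId, info) => {
    if (info.url) pageUrls[tabId] = info.url;
  });
  chrome.webRequest.onBeforeRequest.addListener(
    details => {
      // Never block a top-level navigation: the user may be going to Facebook itself.
      if (details.type === 'main_frame') return {};
      return { cancel: shouldBlock(details.url, pageUrls[details.tabId] || '') };
    },
    { urls: ['<all_urls>'] },
    ['blocking']
  );
}
```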

Conclusion

Associating every action you take online with your real identity is problematic even for people who are less concerned about their privacy. Certainly, the most obvious concern relates to people’s personal safety. It’s already reasonably easy to find out information on most people online, especially if the person is not net savvy enough to take extra steps to make that information harder to find. As more people utilize Facebook to stay connected, more and more people are posting personal information without realizing the information is not always private, and that it could even be shared with third parties without their knowledge.

One way or another, whether you choose to always stay connected or feel that logging out after every login is a wise step to take, learning the privacy system of any social networking site you join and using restrictive settings by default is in everybody’s best interest – both yours and your friends’, whom you trust and who trust you not to share their personal information. Because on social networks everybody is connected, access granted to your profile can easily be used to access your friends’ profiles as well.

To get started

  1. Learn the Facebook Privacy Policy: www.facebook.com/policy.php
  2. Control how you share: www.facebook.com/privacy/explanation.php
  3. Take the Security Quiz: www.facebook.com/security

References

  1. Ducklin, Paul (December 6, 2009). Sophos Australia Facebook ID probe 2009. Nakedsecurity.sophos.com. Retrieved April 26, 2011.
  2. Emery, Daniel (July 29, 2010). Details of 100m Facebook users collected and published. Bbc.co.uk. Retrieved April 26, 2011.
  3. Ferguson, Rik (July 29, 2010). Facebook Prank, Lost In Translation. Businesscomputingworld.co.uk. Retrieved April 26, 2011.
  4. Morin, Dave (May 9, 2008). Announcing Facebook Connect. Developers.facebook.com. Retrieved April 27, 2011.
  5. Perez, Sarah (July 25, 2008). Facebook Connect Will Be Game-Changing... and Dangerous. Readwriteweb.com. Retrieved April 27, 2011.
  6. Perez, Sarah (April 23, 2010). How to „Like“ Anything on the Web (Safely). Readwriteweb.com. Retrieved April 26, 2011.
  7. Perez, Sarah (April 22, 2010). How to Trick Users into Liking Facebook Pages They’re Not On. Readwriteweb.com. Retrieved April 26, 2011.
  8. Perez, Sarah (June 1, 2010). "Likejacking" Takes Off on Facebook. Readwriteweb.com. Retrieved April 26, 2011.
  9. Pringle, Bill. Facebook security issues. Billpringle.com. Retrieved April 26, 2011.
  10. Richter, Michael (March 26, 2010). Another Step in Open Site Governance. Blog.facebook.com. Retrieved April 28, 2011.
  11. Smith, Catharine (October 21, 2010). Facebook Disconnect Built By Google Engineer Brian Kennish. Huffingtonpost.com. Retrieved April 28, 2011.
  12. Socialbakers – Heart of Facebook Statistics. Socialbakers.com. Retrieved April 25, 2011.
  13. TripIt Auto Import. Tripit.com. Retrieved April 27, 2011.

Three examples of security scams and frauds

Facebook stalker apps

Wanting to know who's been viewing their profile, a lot of Facebook users have been trapped by a new form of scam: "stalker apps", apps that claim to show you who's been looking at your profile. The apps that have made their way around the social network lately have been a mixture of phishing scams and twists of the truth. In reality, it's not possible for a Facebook app to gather that kind of data under Facebook's current terms. The real goal of these apps is to gain access to your profile information in order to sell it or hijack your account, and they technically don't show you your "stalkers". A recent app called Stalker Check, for example, ended up showing you the users who were the most active on your Facebook account. So, if you had a friend who was constantly commenting on your wall posts and leaving "likes" all over your images, he or she would show up in Stalker Check. If you had an ex-boyfriend who was visiting your page every day without leaving a trace, however, he would not show up in Stalker Check.

Considering how much information normal Facebook apps can legitimately collect from your profile, it's wise to avoid any kind of stalker app, as none of them is real. They are used to trick users into allowing rogue third-party apps access to their profile to post spam links on their friends' Facebook walls. A recent example from my personal Facebook account is a message from a friend who had been affected by yet another stalker app, called ProViews. As my Facebook and Windows Live accounts are connected, this message appeared both on my Facebook account and in Messenger.

Clicking on the link takes you to a standard "Request for Permission" box that asks for access to your basic information, permission to post to your wall and permission to e-mail you notifications from the stalker app. If you click the "Allow" button, you have just started an automated process that silently posts further "bait" messages from you to all your friends' walls, which will likely snare some of them as well. If you have fallen for this scam, make sure you edit the settings for "Apps and Websites" at the bottom left corner of the "Privacy Settings" menu and remove the scam stalker/creeper app from the "Apps You Use" list.

The Facebook attack by Ron Bowes

In July 2010, security consultant Ron Bowes used a piece of code to scan Facebook profiles and collect data from 100 million profiles. The data collected was not hidden by the users' privacy settings. Bowes then published the list online. This list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user's profile, their name and their unique ID. Bowes said he published the data to highlight privacy issues, while Facebook claimed it was already public information.

Altogether, Bowes said he was able to collect names and Web addresses for 171 million Facebook users. That is a little more than a third of Facebook's 500 million users. Bowes compiled this list into a text file and made it available online as a downloadable torrent. Is this a big deal? Facebook points out that some of the data Bowes collected was already available through search engines like Google and Bing. The entire data set is also available to any user signed into Facebook. So the data was already publicly available, and nobody's private Facebook data has been compromised. Nevertheless, this is the first time that 171 million Facebook profile names have been collected into one set of files that anyone can easily analyse and search. As Bowes pointed out in a blog post, someone could use this data as a starting point to find other publicly available user data on Facebook. The more a bad guy knows about you, the greater your security risk.

Apple's security breach: 114 000 iPad owners exposed

A security breach exposed iPad owners including dozens of CEOs, military officials, and top politicians. The breach exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised. The specific information exposed in the breach included subscribers' email addresses and an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID.

The subscriber data was obtained by a group calling itself Goatse Security. The group created a script known as the "iPad 3G Account Slurper," which attacked AT&T's servers over several days in June 2010. The program was designed to mimic the behaviour of an iPad 3G, so that AT&T's servers were fooled into believing they were communicating with an actual iPad. Once deployed, the program would randomly guess the unique identifier for each iPad. Each correct guess would result in the iPad's email address being displayed on AT&T's website. The group wrote a PHP script to automate the harvesting of the data.

Goatse Security eventually notified AT&T of the breach and the security hole was closed. Still, it's horrendous how customer data, specifically e-mail addresses, was negligently leaked by a large telco provider. In addition to complicating the AT&T-Apple relationship, the breach also unnerved customers thinking of buying iPads that connect to AT&T's cellular network: the affected subscribers were exposed to spam marketing and malicious hacking. Although the security vulnerability was confined to AT&T's servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice of mobile carrier.

In January 2011, two men, Andrew Auernheimer, 26, and Daniel Spitler, 25, were taken into custody and charged with conspiracy to access a computer without authorization and fraud in connection with personal information.
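Both the Bowes collection and the AT&T breach above were bulk retrieval of records through guessable identifiers on a public endpoint: a walk through the searchable profile directory in one case, sequential guesses of the subscriber identifier in the other. The detector below is an added example, not code from either incident: it runs over constructed combined-format access-log lines (the hosts, the `/account/lookup?id=` and `/directory/people/` paths and the user agents are all invented) and flags any client that retrieves many distinct identifiers within a short window, distinguishing sequential guessing from bulk crawling.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format template; every value filled in below is constructed.
LINE = '{ip} - - [12/Jun/2010:10:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def make_sample_log():
    """Constructed sample: a sequential guesser, a bulk crawler and one ordinary user."""
    lines = []
    for n in range(40):  # hypothetical account endpoint, identifiers guessed in order
        lines.append(LINE.format(ip="198.51.100.7", m=0, s=n,
                                 path=f"/account/lookup?id={89014100000000 + n}",
                                 ua="Mozilla/5.0 (iPad)"))
    for n in range(25):  # hypothetical directory walked in non-sequential order
        lines.append(LINE.format(ip="192.0.2.40", m=1, s=n,
                                 path=f"/directory/people/{(n * 7919) % 100000}",
                                 ua="Crawler/0.1"))
    for n, pid in enumerate([4821, 97, 4822, 15030]):  # normal browsing
        lines.append(LINE.format(ip="203.0.113.5", m=2, s=n * 10,
                                 path=f"/directory/people/{pid}", ua="Mozilla/5.0"))
    return "\n".join(lines)


LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r'(?:/people/|[?&]id=)(\d+)')  # where the identifier sits in our paths


def detect_enumeration(log_text, min_ids=20, window_s=300, seq_ratio=0.8):
    """Flag clients fetching >= min_ids distinct identifiers within window_s seconds;
    'sequential' when most consecutive hits step the identifier by one, else 'bulk'."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # only successful lookups leak data; junk lines are ignored
        idm = ID_RE.search(m["path"])
        if not idm:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_client[m["ip"]].append((ts, int(idm.group(1))))

    findings = []
    for ip, events in per_client.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding time window over this client's hits
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            ids = [i for _, i in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct >= min_ids and (best is None or distinct > len(set(best))):
                best = ids
        if best is None:
            continue
        steps = sum(1 for a, b in zip(best, best[1:]) if abs(b - a) == 1)
        ratio = steps / (len(best) - 1)
        findings.append({"client": ip, "distinct_ids": len(set(best)),
                         "sequential_ratio": round(ratio, 2),
                         "pattern": "sequential" if ratio >= seq_ratio else "bulk"})
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(make_sample_log()):
        print(finding)
```

The thresholds are starting points; on a real directory the window and identifier count should be tuned against normal browsing volumes before alerting on them.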

Security and privacy issues: an enterprise security audit

A data network is characterised by three principal properties: security, availability and manageability. Just as a three-legged table that has lost one leg cannot stand, a data network deprived of any one of these properties is unfit for use as part of an enterprise's business-critical infrastructure.

Below is an overview of the security system of one Estonian company.

The company's computer network is protected by a hardware firewall. It blocks most inbound connections from outside and lets through only the necessary ones. However, since several servers on the internal network need to be reachable from outside, the firewall also contains many exceptions. There is therefore a risk that a careless change to one of the rules opens an unwanted security hole. The number of connections allowed from outside should be optimised and, where possible, minimised.
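One way to keep that list of inbound exceptions under review, as an added example rather than the company's own tooling: the script below audits an `iptables-save` style ruleset (the sample rules are constructed, not the audited firewall's configuration) and reports every INPUT ACCEPT rule that is reachable from any source, which is exactly where a careless edit opens a hole.

```python
import shlex
from ipaddress import ip_network

# Constructed sample resembling `iptables-save` output; not a real ruleset.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 1024:65535 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p udp --dport 161 -j ACCEPT
COMMIT
"""

WIDE_RANGE = 1000  # a --dport range wider than this is reported separately


def parse_rule(line):
    """Pull chain, source, dport, interface, ctstate and target out of one -A line."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "src": None, "dport": None, "target": None,
            "iface": None, "states": None}
    flags = {"-s": "src", "--dport": "dport", "-j": "target",
             "-i": "iface", "--ctstate": "states"}
    i = 2
    while i < len(toks):
        if toks[i] in flags:
            rule[flags[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -p, -m and similar options do not matter for this check
    return rule


def port_span(dport):
    """Number of ports matched by a --dport value such as '22' or '1024:65535'."""
    lo, _, hi = dport.partition(":")
    return int(hi or lo) - int(lo) + 1


def audit_rules(text):
    """Return (rule_line, reason) for every INPUT ACCEPT rule open to any source."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["iface"] == "lo" or (r["states"] and "ESTABLISHED" in r["states"]):
            continue  # loopback and reply traffic are expected, not exceptions
        if r["src"] and ip_network(r["src"], strict=False).prefixlen > 0:
            continue  # exception narrowed to a source network: acceptable
        if r["dport"] is None:
            findings.append((line, "any source, all ports"))
        elif port_span(r["dport"]) > WIDE_RANGE:
            findings.append((line, "any source, wide port range"))
        else:
            findings.append((line, "any source; add -s if possible"))
    return findings


if __name__ == "__main__":
    for rule, why in audit_rules(SAMPLE_RULES):
        print(f"{why}: {rule}")
```

Running it after every rule change and diffing the output against the previous run makes a newly widened exception visible immediately instead of at the next audit.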

Laptops are mostly used as workstations, with ESET NOD32 Antivirus installed on them. Since laptops are carried around and do not always have an Internet connection, antivirus updates are received only when the network connection is restored. Here it is necessary to raise user awareness so that the antivirus is always updated first and only then is other work requiring a network connection started. It would also be useful to encrypt files and folders with sensitive content using the Encrypting File System (EFS). If a laptop is stolen, the files and folders remain protected, since encrypted files can only be opened with the corresponding encryption key.

The mail server runs on the Linux operating system and uses a combined protection mechanism. ClamAV provides antivirus protection, and spam is also blocked with SpamAssassin and active anti-spam blocklist servers (spamhaus.org, spamcop.net, dnsbl.njabl.org and others). Still, even these tools do not give a 100% guarantee, and users must be reminded regularly not to open unknown e-mails.

Business-critical applications run on a terminal server managed by trained IT staff. Ordinary users cannot install software on the server themselves. User access to the server is restricted by usernames and passwords, which are changed at an agreed interval. Password complexity is prescribed by a corresponding policy template. Accounts of departed employees are closed immediately and their data archived. Here, however, employees should also be checked and monitored regularly to make sure that passwords are not written down, for example on a sticky note on the screen or under the keyboard. Such careless behaviour by users can nullify the IT department's otherwise well-thought-out security concept.

Mobile workstations connect to the server via VPN connections and are subject to the same user-based restrictions and precautions described above.

The following data have been designated for retention as regular backups:
  1. accounting data
  2. customer site data
  3. customer relationship management data
  4. ISO document register
Backups of the data listed are made periodically:
  1. at the end of each working day, to the backup server in the data centre
  2. at the end of each working week, to the backup server located outside the office
  3. monthly, to reusable media kept in the company archive for at least two years
A person designated by the head of the IT department is responsible for making the backups. It is their task to monitor that sufficient disk space is available on the backup servers.

Thursday, April 21, 2011

Social Network Activity and Social Well-Being

Review by Kairi Fimberg

The following is a review of the research carried out by Moira Burke from the Human-Computer Interaction Institute of Carnegie Mellon University in Pittsburgh, Pennsylvania, and Cameron Marlow and Thomas Lento from the Facebook Team in Palo Alto, California.

The objective of the research is to investigate the relationship between use of social networking sites and feelings of social capital. It’s a common belief that social networking sites complement the network of relationships present in the offline world by providing a platform for active communication between friends and more passive observation through aggregated streams of social news. The current paper uses empirical data from Facebook, the most used social networking service by worldwide monthly active users, to validate previous findings from a number of studies that have mainly relied on self-reports by college students.

The topic of the research is definitely topical and has caused quite a lot of discussion ever since social networking sites, especially Facebook, were introduced and made accessible to a wider audience. Interpersonal communication has been a growing issue as more and more people have turned to social networking as a means of communication. Once the domain of college students, Facebook has now become an omnipresent entity. It features users of all ages and has also turned into a promotional tool for artists, politicians and businesses. Vincenzo Cosenza has been tracking the popularity of various social networks throughout the world. His recent map from December 2010 shows just how prominent Facebook has become.

The demographics of the most popular social networking sites are rapidly changing. Today, more than ever, older Internet users are flocking to social sites to join in the conversation. In fact, the most significant growth among these sites in the last several years has been among adults 50 years and older, which has steadily raised the average user age across the board to 38 years, according to Flowtown, which compiles demographic statistics about social network usage, including Facebook. The number one social network has come a long way since first launching exclusively to college students.

Social networking is the way the 21st century communicates today. According to Jesse Rice, the author of The Church of Facebook, online social networks are connecting people like never before. And with millions of users, they’re creating a virtual world that erases all boundaries. It’s a movement that is changing how we form relationships, perceive others, and shape our identity. Yet at their core, these sites reflect our need for community. Our need for intimacy, connection, and a place to simply belong. The question is – do these networks help or hurt relationships? Does social networking increase social well-being and reduce loneliness, or vice versa?

There is no doubt Facebook has affected the social life and activity of people in various ways and it needs no research to prove that social relationships are critical to our well-being, which is mostly increased by life goals associated with family, friends, social and political life and decreased by goals associated with career success and material gains. Facebook has proved to be able to reunite lost family members and friends. However, some studies have named Facebook as a source of problems in relationships. Several news stories have suggested that using Facebook causes divorce and infidelity – claims that have been questioned and refuted by other commentators.

Research in a number of academic fields has shown that social networks operate on many levels, from families up to the level of nations, and play a critical role in determining the way problems are solved, organizations are run, and the degree to which individuals succeed in achieving their goals. Although social networking is possible in person, especially in the workplace, universities, and high schools, it is most popular online. This is because unlike most high schools, colleges, or workplaces, the internet is filled with millions of individuals who are looking to meet other people, to gather and share information and experiences about common interests. The topics and interests are as varied and rich as the story of our world.

Burke, Marlow and Lento point to earlier studies of social interaction online that tended to show Internet or SNS users as lonely because the pool of interactants was small. At the time of their survey, Facebook had a worldwide user base of 350 million users. Today this number has already doubled, reaching 600 million active users as of January 2011, most of whom also have their entire social circles on the site. The Internet opens new options for communication, and changes in the way people communicate are important, because communication is the mechanism people use to develop and maintain social relationships, which are valuable for their physical and mental health. Social participation makes people happy. Giving to others seems to be a gift for the giver as well. Thus, people who are engaged in local activities, who meet friends or relatives regularly, and who help others are more likely to report higher levels of happiness or life satisfaction. Social networks just make it a whole lot easier. They should be looked at as an "arm extension" rather than a substitute for personal interaction.

Burke, Marlow and Lento investigate three measures of social well-being: bridging social capital (access to new information through a diverse set of acquaintances), bonding social capital (emotional support from close friends), and loneliness. They distinguish between two types of activity, directed communication and consumption, and predict:

H1. Bonding social capital will increase with the amount of direct communication.
H2. Loneliness will decrease with the amount of direct communication.
H3. Bridging social capital will increase with consumption.
H4. Consumption will be associated with loneliness.

They find it surprising that, while directed communication is associated with greater feelings of bonding social capital and lower loneliness, users who consume greater levels of content report reduced bridging and bonding social capital and increased loneliness. But when you think about it, it’s actually quite obvious, because we only interact with a small core of our friend network, and for the majority of our network we keep track of our friends’ activities through the news feed. The truth about friendship seems to be valid in social networks as well. It’s not the number of acquaintances that matters, but the relationship, the real friend qualities, that is most important. In the era of SNS, when the overall network size grows and news from our friends keeps coming in an unstoppable flow, we may simply feel lost in the amount of information. Because as soon as we’re away for a few hours, we have more than 300 recent updates that we have missed and feel the urge to catch up with.

A lot of people are living a life based on what looks good on their Facebook profile. Often, it is the result of Facebook envy – the feeling you get when you come across an old friend on Facebook and realize that their life turned out way better and is more interesting than yours – and a key element of the Facebook paradox – the inverse proportion between the number of friends one has on Facebook and the number of friends one has in real life. Relationships are now called Facebook official, which means that they are declared official by posting them under the relationship status on Facebook, making it public for everyone to see when people make up or break up. Facebook may be a great way to reconnect with old friends, but it's not always easy on relationships. Some people live their lives online, while their partners don’t. To some extent, the divide is generational, experts say. People under 30 tend to feel more comfortable letting it all hang out online, while those in their 40s often don't. In one way or another, these are only a few examples of a long list of phenomena Facebook has brought about, and definitely not examples of the healthiest use of the social networking service.

In the study by Burke, Marlow and Lento, all of the hypotheses except H3 are confirmed. Their prediction that users maintain their large, diverse networks by monitoring site content not specifically targeted at a given user is disproved, as consumption turns out to be associated with reduced bridging social capital. Nonetheless, the present study confirms previous survey-based findings that greater SNS use, mainly direct communication within the network, is associated with increased social capital and reduced loneliness. This can be interpreted by assuming that people who feel more socially connected gravitate toward technical systems that reify those connections, suggesting that communication in one medium stimulates the others. It is also true that using sites like Facebook allows people to reinforce fledgling and distant relationships. Tales of reunited family and friends can be read on Facebook Stories.

Therefore, the main goals of the study are achieved. It helps to tease out the relative weight of different activities online and their relationship to social well-being. It shows that the common tool for estimating SNS use, the Facebook Intensity Scale, correlates relatively well with actual site behaviour (empirical data from Facebook), which means that users are generally good at self-reporting their friend count and time online. However, as the participants were recruited via an ad on Facebook, it would be a good idea to also include responses from people who choose not to use social networking online. The results were extended to an international, English-speaking audience. However, different languages are likely associated with varying beliefs and cultural norms that may affect the results. For example, a recent survey carried out by the European Commission on social participation and social isolation shows that although there is little variation in the total level of social contacts (more than three quarters of the population meet relatives or friends at least once a month in all the countries), there is much greater cultural divergence across Europe once we focus on daily or weekly meetings. The Mediterranean countries tend to be among the most ‘social’, especially Cyprus, Portugal and Greece, where about 40% or more meet friends or relatives on a daily basis. At the other end of the scale are the Baltic States, the Netherlands, Poland and Sweden, where only 5-9% meet relatives every day. The difference between the two extremes, in terms of the share of population meeting relatives daily, is ninefold.

People tend to have more virtual contacts than personal ones. Friendships, love relationships, professional contacts and so on are increasingly nurtured in a virtual way, via mobile phones or the Internet. This seems to be more widespread in relationships with relatives, and more prevalent in countries with lower levels of social contact. On the other hand, virtual contacts and personal meetings tend to reinforce each other rather than substitute for one another, as we are more likely to phone or e-mail friends whom we meet anyway.

One thing is sure: the more Facebook and similar social networking sites grow, the bigger the social impact they make and the deeper we need to delve into analyzing their effects. We can intuitively assume that meeting friends makes people happy. But how much so, for example compared to the effect of income? Is helping and volunteering a source of contentment, or do they rather decrease the well-being of the helper? There is no single answer to what makes people happy or satisfied. We can assume that happiness is a group thing – you are happy if other people in your network are happy. It thus seems to be the case, online as well as offline, that when you smile, the world smiles with you. We also mustn't forget that social well-being is only one domain of overall well-being – an important one, though.

Sunday, April 17, 2011

Digital Culture

Participation, Remediation, Bricolage: Considering Principal Components of a Digital Culture

Within media theory the worldwide shift from a 19th-century print culture via a 20th-century electronic culture to a 21st-century digital culture is well documented. Mark Deuze investigates the emergence of a digital culture, as amplified and accelerated by the popularity of networked computers, multiple-user software and the Internet, in terms of its principal components.

A digital culture as an underdetermined praxis is conceptualized as consisting of participation, remediation, and bricolage. Using the literature on presumably "typical" Internet phenomena such as the worldwide proliferation of independent media centers (indymedia) linked with (radical) online journalism practices and the popularity of (individual and group) weblogging, the various meanings and implications of this particular understanding of digital culture are explored.

In this context, digital culture can be seen as an emerging set of values, practices, and expectations regarding the way people (should) act and interact within the contemporary network society. This digital culture has emergent properties with roots in both online and offline phenomena, with links to trends and developments predating the World Wide Web, yet having an immediate impact and particularly changing the ways in which we use and give meaning to living in an increasingly interconnected, always on(line) environment.