Showing posts with label Facebook. Show all posts

Saturday, September 22, 2012

Facial recognition: Nowhere to hide

Originally posted 08/10/2011 on lubbockonline.com

Jaikumar Vijayan reports on Computerworld.com that at the Black Hat hackers conference security researcher Alessandro Acquisti presented a disturbing paper on facial recognition, social sites like Facebook, and privacy.

The research involved taking pictures and applying facial recognition software: off-the-shelf software, not custom software written for the research. They did use a custom program to extract images from Facebook and a dating site, all from the same city, and then used the facial recognition software to identify the people in the pictures. The results were interesting:

In all, about 5,800 dating site members also had Facebook profiles. Of these, more than 4,900 were uniquely identified. The numbers are significant because a previous CMU survey showed that about 90% of Facebook members use their real name on their profiles, Acquisti said. Though the dating site members had used assumed names to remain anonymous, their real identities were revealed just by matching them with their Facebook profiles.

Ok, more than interesting. Disturbing. They pulled the pictures from Facebook and a dating site, but what if they had sat in the mall taking pictures of people walking past, then compared those photos to Facebook? What if they had been stalkers taking pictures of potential victims?

Thoughtless implementation of facial recognition software could be very dangerous. What happens when the only way to hide is to actually change your face? People trying to escape abuse, people in the witness protection program, or others needing or wanting to escape will find it much harder, if not impossible, without changing their face. That is...unfortunate.

Saturday, August 18, 2012

Germany declares Facebook facial recognition illegal

Originally posted 08/04/2011 on lubbockonline.com

It looks like Facebook is learning the lesson Walmart learned when it comes to doing business in Germany. Germany is not the U.S. Matthew Shaer reports in the Christian Science Monitor that Facebook's facial recognition 'feature' has been declared illegal in Germany.

I don't know how much effect this will actually have on Facebook. It will depend on what kind of action Germany decides to take and Facebook's response. Honestly, even if Germany successfully blocked Facebook, would Facebook care? The German government might feel the pressure more than Facebook. There will probably be some type of compromise, but I honestly don't see Facebook giving up its facial recognition software completely.

Facebook overexposes videos

Originally posted 07/05/2011 on lubbockonline.com

Jason Kincaid of TechCrunch reports that Facebook suffered a privacy glitch in its Videos feature for about a week, but it's fixed now. He explains:

Unfortunately, those controls haven’t been working as they should: for the last week it’s been possible to see a full listing of your friends’ Facebook videos, including the name, thumbnail, description, and people tagged in each clip — regardless of whether or not you were supposed to have access to the videos.

You couldn't actually see the videos, only the title and description and a thumbnail, but that could be enough to cause some embarrassment. It's important to understand that in the complicated, connected world we live in, glitches and breaches will happen. But Facebook has more than its share of snafus, and it's hard to believe they couldn't have fixed this issue in less than a week. Facebook is king of the hill in social networking, but if they don't watch it they could find themselves being replaced. It's happened before. At one time IBM was king of the technology world. They are still big, but they were supplanted by Microsoft. Microsoft may be in the process of being supplanted by newer companies that understand the connected world better. Facebook could find themselves in the same situation, but in the lightning fast world of the internet, Facebook's dominance could be measured in years instead of decades.

Will Google+ games threaten Facebook?

Originally posted 07/22/2011 on lubbockonline.com

According to Tricia Duryee at the All Things Digital blog, Google is about to hit Facebook in the pocketbook. Google is launching a social gaming network that may cost developers less than the traditional 30% it costs them to play in the Facebook and Apple App store universes.

Facebook probably isn't quaking in their boots about the prospect of a Google+ gaming network just yet, but they have to be eying the possibility with some concern. Google+ has over 18 million users now, and that number is growing at an amazing rate. But that fast early growth could be misleading. The vast majority of Google+ adopters are male, and it seems a large percentage are in technology industries. The real test of Google+ will come when it starts gathering a more diverse group of users. Google+ is a strong offering in the social networking arena, but it's coming relatively late into the game. Will it be able to appeal to a wider audience, one that is used to just putting everything in the open on Facebook? Will most people be willing to make the effort to move to a new social network and sort their friends into circles? Will they opt to use similar, but mostly ignored, functions in Facebook instead of joining Google+? Or just opt to keep using Facebook as they always have and pass on Google+?

Facebook saves lives, too.

Originally posted 07/15/2011 on lubbockonline.com

Deborah Copaken Kogan is a successful photographer, author and mother. On MSNBC yesterday she recounted how Facebook saved her son's life. Last Mother's Day her 4-year-old son woke up with a rash. Over the next three days there was a trip to the doctor and steadily worsening symptoms. Also during the three days she put photos of her sick son on Facebook. While the doctors were trying to figure out what was wrong, some of her Facebook friends, including 2 pediatricians, urged her to go to the hospital and get him checked for Kawasaki disease.

Long story short, her son did have Kawasaki disease. Her family pediatrician had begun to suspect it, but Facebook beat him to the punch. There are a lot of problems with social media, but there are pluses, too. One of those pluses is the almost instant access to the combined experience of dozens, hundreds or even thousands of people. As Deborah Copaken Kogan learned, that experience can be very powerful.

Note: There is a children's author with a similar name, Deborah Kogan Ray.

Facebook Friday: Teacher trouble

Originally posted 07/08/2011 on lubbockonline.com

People never learn. Facebook is not a private place. You have more privacy in the local pub than on Facebook. Assuming no one posts they saw you there on Facebook. Or tweets it. But people still insist on treating it as a private forum. Winnie Hu of the NY Times tells us that a teacher in New Jersey is on (paid) administrative leave after complaints that she posted that she felt like she was a warden over future convicts on Facebook.

I wish I could say this was the first time, or at least unusual. But for some reason teachers seem to be particularly susceptible to the keyboard equivalent of loose lips. From teachers posting questionable pictures to detailing their religious conflicts with their students, teachers are the epitome of too open on Facebook.

This is a situation that will only get worse unless something changes. Privacy and the control of individuals' personal and identifying information will continue to move from the individual to third parties who may have no interest in protecting the individual or his data. That is something we should all be up in arms over.

How do you search social media?

Originally posted 07/07/2011 on lubbockonline.com

Last Friday Nick at the Police-Led Intelligence blog posted "Social Media Search Tips for Cops & Law Enforcement Analysts." It covers the basics of social media searching, from kurrently, a search engine for Facebook and Twitter, to Google hacking to Facebook's search engine.

I don't know about the usefulness of kurrently. It only found 1 out of 5 people I searched for. I was one of the people it didn't find. But Google hacking and the Facebook and Twitter search tips are great. On the downside, these same tips work for stalking. But if you're looking for long lost friends and relatives - or a socially networked perp, these tips are a big help.

Thursday, August 9, 2012

Google tries privacy friendlier attack on Facebook

Originally posted 06/29/2011 on lubbockonline.com

Yesterday on the Official Google Blog a new social networking experience was announced. Dubbed Google+, it's similar to Facebook and Myspace in some ways, but if it works as advertised, it will give more control over privacy. You will be able to segment your friends the way you do in real life in 'circles' that won't have any connections you don't want them to have. At this point Google+ is invite only, so it's too early to tell, but it looks like it has the potential to be a winner.

Here are links to more in-depth stories by people who have already been invited into Google+:

The Epicenter Blog at Wired.com

News & Opinion at PCMag.com

The New York Times Inside Technology

Wednesday, August 8, 2012

Felon updates Facebook while police trash room next door

Originally posted 06/24/2011 on lubbockonline.com

He fought the law

Jason Valdez was in a standoff with police. It was so intense he took time to update his Facebook page. I saw the story when it first came out and pondered how his status updates didn't seem to bear out the claims that he was holding a hostage. Police claim the woman with him initially was with him willingly, but once she expressed a desire to leave, she became a hostage. Reports like this one from TechDirt also indicated that some of his Facebook friends could be facing obstruction of justice charges for telling him what police were doing.

A report on Fox13 in Utah covers the aftermath of the standoff. Mr. Valdez is looking at 20 years for attempted murder (he shot at two police officers), and the police department has egg on its face for the shape it left two hotel rooms adjacent to Mr. Valdez after the standoff:

SWAT's rescue team was in the neighboring motel rooms where gas, power and water had been cut off. After police safely rescued Jensen, there was considerable damage to the motel rooms, holes in the walls, bottles filled with urine. The residents returned home to a mess that was never cleaned up.

I'm not sure who's the actual bad guy in this story, the felon or the cops.

Tuesday, August 7, 2012

Facebook Friday: Plan a party, good. Plan a murder, Bad

Originally posted 06/17/2011 on lubbockonline.com

Chad Pradelli of ABC6 News of Philadelphia reports that London Eley posted, "I will pay somebody a stack to kill my baby father," on her Facebook Wall.

That's poor judgement, but perhaps more surprising is that Timothy Bynum offered to do it. Their plan fell apart when Miss Eley's "baby father" logged into Facebook, saw the exchange and contacted police.

Police looked at the respective Facebook pages and rushed to arrest the conspirators. At the home of Mr. Bynum they found him with a 22 caliber pistol with the serial number removed. Even if a lawyer could get him off of the conspiracy charges, he's looking at hard time for the 'anonymized' pistol.

There are a lot of things Facebook is good for. Planning murder isn't one of them.

Bonus Link: 9 crucial steps to protecting yourself online

Facebook recognizes you

Originally published 06/10/2011 on lubbockonline.com

On Tuesday the Facebook Blog's Justin Mitchell announced that to make tagging work better Facebook is using face recognition technology. The idea that Facebook is using face recognition on all the photos uploaded by all of its 600,000,000 users concerns me. That Facebook is automatically opting us all into it annoys me. It should annoy you, too.

Facebook has created a huge database of unchangeable identifying information on its users. If that doesn't bother you, think about how many databases get breached every year. If you want a worst case scenario, look at the Sony breach timeline at attrition.org. That's an average of a hack about every 3 days. Now think about the science of special effects makeup, a breach at Facebook, and your face being available on the black market.

Today this isn't a big deal, but what about 5 years from now? Then again, maybe it is a big deal today. Just about any scenario we can come up with sounds like something from Mission: Impossible, but what happens if a terrorist organization gets ahold of facial recognition data from Facebook? I'm not talking about pictures with your face tagged with your name. I'm talking about the data and algorithms Facebook uses to identify your face in pictures. With that data it could be possible for a terrorist to become anyone in Facebook's database, if only to get into the country. But what happens if they disguise themselves with your face and use it to buy bomb parts? Place a bomb while allowing your face to be seen by security cameras?

It's not very likely at this point, but do you want information that can identify you (information that cannot be changed, or not cheaply or easily, at any rate) being gathered by anyone, let alone Facebook?

Update: Michael Santarcangelo reports on the Security Catalyst blog that Google may be getting a very similar technology and does an excellent job of explaining the dangers.

Facebook in your car

Originally published 06/09/2011 on lubbockonline.com

Chevrolet and other automakers are integrating Facebook updates into new cars. Reading the website for the Chevrolet Cruze I saw this gem:

Hands-free Facebook®

Stay connected to your social network on the go. Now you can update your Facebook status (emphasis mine) or check your newsfeed without taking your eyes off the road with your current OnStar® subscription(17).

Now if even hands free cell phone conversations are a serious distraction, can hands free Facebook updates be a good idea? Seriously.

Saturday, March 24, 2012

New Mac Malware on Facebook, New Mac Defender bypasses Apple fix

Originally posted 06/02/2011 on lubbockonline.com

It's been a busy couple of days in the malware world.

New Mac and PC malware reported on Facebook

F-Secure reported "a significant malware" affecting both Macs and PCs circulating on Facebook, then reported that Facebook finally blocked it. I'm not sure how significant it really was - by the time I checked the Openbook link in F-Secure's initial post there were only two examples of the bogus links popping up, and the good folks at F-Secure couldn't manage to get infected by it even though they were trying. But if you should see messages or updates with the following subjects, don't click on the links:

 

 

At 17:00 GMT the attack changed subject line to:

one more stolen home porn video ;) Rihanna and Hayden Panettiere and…

Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna! Hot Lesbian Video - Rihanna And Hayden Panettiere !!

 

Apple in escalating war with Mac Defender?

On Tuesday, 05-31-11 Apple released Security Update 2011-003 for Mac OS X 10.6.7 and Mac OS X 10.6.7 Server. The update warns users when they download a known variant of Mac Defender and scrubs the malware from systems that have already been infected. It also has a daily update function to download definitions of new Mac Defender variants (and presumably other malware that may pop up).

It's a good thing Apple had the foresight to make their fix upgradeable. On Wednesday, 06-01-11 a new variant of Mac Defender that bypasses the Apple fix appeared. I'm sure that by the time you read this, or no later than Friday, 06-03-11 an update will take care of the new variant, and a day or so later a 'fixed' Mac Defender will appear to bypass Apple's update. And so on, and so on, and so on. That's not a knock on Apple, it's just the way these things work. The attacked company, in this case Apple, cannot ignore the malware, and the malware authors aren't going to let Apple beat them. Not for a while, anyway.

I'm glad Apple has built a fix for the latest version of OS X, but I wonder if Mac Defender runs on earlier versions. Not just earlier versions of Snow Leopard, but Leopard and Tiger, too. There are a lot of people still using them, but Apple's just leaving them in the cold. Hopefully Apple will release a version for Leopard, at least.

Tuesday, March 20, 2012

Facebook Friday: Sex offender busted for surfing at Apple store

Originally published 05/27/2011 on lubbockonline.com

Bob Cuddy of the San Luis Obispo Tribune reports that a known sex offender, Robert Nicholis McGuire, was arrested at the San Luis Obispo Apple Store for violating his probation. In a perfect example of going to the wrong place at the right time, Mr. McGuire was recognized by sheriff's deputies as he went into the Apple Store. He proceeded to log into Facebook on a display computer. A deputy went to the computer next to McGuire's. According to the SLO Sheriff's department press release:

San Luis Obispo County Sheriff's detectives, including the Sexual Assault Felony Enforcement (SAFE) team spotted a known sex offender in downtown San Luis Obispo on Wed afternoon. One of the SAFE team detectives recognized the man from a previous child pornography case. As one detective followed the man, another checked the probation terms of the registered sex offender. They followed the man to the Apple store on Higuera St. where he entered and began to log on to the internet from a display computer. Another detective went to the computer next to the man and logged on to the Megan’s law website. At about the same time the probation term information was received that clearly indicated McGuire was prohibited from using the internet. McGuire had logged on to his Facebook page. McGuire was taken into custody without incident after he left the store. McGuire made a statement to detectives that he thought he was being followed after the man standing next to him logged onto the Megan's Law site. McGuire is being held without bail at the San Luis Obispo County Jail.

Obviously Mr. McGuire is a "mind your own business" kind of guy. Otherwise he would have noticed someone logging onto the California Megan's Law sex offender tracking website on the computer next to him. He would have noticed that it was the private law enforcement version with full info about sex offenders, not the limited info public version. He probably would have not opened a web browser or closed it if it was open. But he didn't notice, and he did open a web browser and log onto Facebook, and now one more predator is off the streets thanks to his own stupidity.

Sunday, March 18, 2012

Will Facebook ever get privacy right?

Originally published 05/12/2011 on lubbockonline.com

Nishant Yoshi reported on Symantec's official blog that third-party Facebook applications have had accidental access to much more of Facebook users' info and pages than anyone knew:

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Symantec's researchers estimate that over 100,000 apps may be leaking data. Over 600,000,000 people have Facebook accounts. Because of an oversight, 100,000 third parties, both known and unknown, may have had access to their information, no matter how tightly they had controlled the privacy settings. The only saving grace of this news is that few, if any, of those third parties may have realized the treasure they were sitting on.

Facebook has to start taking privacy more seriously. But they never will if users don't demand it because the Facebook business model is to get as many users as possible and encourage them to put as much data as possible, as openly as possible, on the site so Facebook can sell access to it. As it turns out, Facebook had actually given away the keys to the kingdom, but fortunately, nobody seems to have noticed.

Friday, March 16, 2012

Should your employer care about your (off time) privacy?

Originally posted 4/7/2011 at lubbockonline.com

Have you ever thought about how the things you do online when you're not at work could affect your job? I'm not talking about a careless rant on Facebook or an ill-considered tweet about your boss. I'm talking about all the information you put up online. Even if all you do is use Google to find information you've probably put far more than enough information online to identify you.

In 2006 AOL released "anonymized" search data that was used by the New York Times to identify several searchers. For an idea of the kinds of things available in search data, look at the Consumerist's post on AOL User 927. I'm sure he didn't want anyone knowing what he was searching for. Just to make sure we understood how much we tell about ourselves online, around the same time Netflix released anonymized data that ultimately outed gay and lesbian members, or would have if the researchers had publicly released the data. An in-the-closet lesbian mother sued Netflix over their release of the data. The researchers who were able to determine sexual preference were also able to determine political affiliations. All based on the movies people rented and rated.

If so much can be discovered from supposedly anonymized data, imagine what can be learned from your Twitter and Facebook accounts. It's not uncommon for people to post their full name, birthday, all the schools they attended, the names of most of their family, pets past and current, favorite everything, first everything, and just about everything else. How many of those things are used as security questions to recover your password for your online banking? How many of those things, or some permutation of them, are used for passwords by people? How many of them are used for passwords related to work?

But even if you use randomly generated passwords, all of that information is useful to bad guys. It is the ammunition for the weapons used in social engineering attacks. With the information on many people's Facebook pages a skilled social engineer can gain trust, either from you or from someone you know. After all, if he knows so much about you he must know you. Using that trust he (or she) will get information a person would normally never give someone they barely know. It works better than you might think. A lot better. But if a salesman has ever sold you something you didn't really want or need, or if you've ever watched John Edward on "Crossing Over", you know that.

Without privacy you can't have security, and many of us don't even think about privacy while we're online. It's bad enough when I think about all the individuals exposing themselves to all the bad guys on the internet. Then I think about the CSOs who are trying to protect data hidden behind passwords and relationships tied to all that data being published on Facebook, Twitter and the rest of the web and I wonder that we manage to keep any data secret at all.

Saturday, December 10, 2011

Teacher ridicules 7 year old student on Facebook

Originally published 4/05/11 on lubbockonline.com/glasshouses

Andre Yoskowitz at Afterdawn.com reports that a teacher at a school in Chicago faces discipline for making fun of a student's hair on Facebook. This was bad enough when I assumed it was a teacher making fun of a middle or high school student. But it wasn't. The student was a 7-year-old who asked her mom to do her hair like a picture in a magazine. It looked cute, so mom tied Jolly Rancher candies to her daughter's hair. Other teachers complimented the child for her colorful hairstyle, so why should a teacher wanting a picture make a 7-year-old suspicious? The teacher posted the picture on her Facebook with some rude comments. Inevitably, someone who knew the parent and was friended with the teacher saw the photo and the comments. The parent complained and the teacher is facing discipline.

In one sense this is such a normal Facebook occurrence it's not even worth mentioning. But this has a few unusual - and to me troubling - elements. There's been a lot of talk about cyber-bullying lately. Most cases have been between children, usually of similar age. This is a case of an adult, a teacher, making fun of a 7-year-old. A teacher should know better. Of course, this isn't the first time teachers have been burned by their Facebook postings. Another teacher damaged her career last week - a first grade teacher who allegedly referred to her students as "future criminals" and said she felt like a warden.

The problem with Facebook isn't that teachers speak their minds - although speaking without filters is almost always a problem - but that they think they're speaking in a walled garden where they control who sees it. Facebook does nothing to correct this error, talking about concern for users' privacy even as new privacy settings make it harder to keep things private on Facebook.

Edit: Changed title to better reflect story

Monday, August 1, 2011

Encrypt your Facebook sessions to protect data when it takes the scenic route through China

Originally published 3/25/11 on lubbockonline.com/glasshouses


CIO Online reports that Facebook traffic coming from AT&T servers was accidentally routed through China and North Korea. This might not be a concern, but unless you're connecting to Facebook using an encrypted connection, everything that you do can be monitored by network operators. China is known for spying on its users, and once your data is on the Chinese network, it's just like any Chinese user's data. Any data you look at on Facebook could be monitored and/or saved for later analysis as it goes through China.

But if you encrypt your data, the network operators can't see it. Encrypting your login to Facebook is easy. Just make sure your Facebook bookmark is set to "https://www.facebook.com" and every time you log in your username and password will be encrypted. But once you log in, Facebook defaults back to an unencrypted connection. Facebook does realize that you may want to have everything you do on Facebook encrypted, and has a setting to allow that. Go to the 'Account' menu, select 'Account Settings' and scroll down to 'Account Security', then click on 'change'. Check the "Browse Facebook on a secure connection (https) whenever possible" box.

It's almost always a good idea to use encryption on the web. It doesn't use much processing overhead and protects your information as it goes from point 'A' to point 'B'. If you use Firefox there's even an add-on called "https everywhere" that will use https to connect to any website that supports https.
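The pattern described above, an encrypted login followed by a fall back to plain HTTP, can be spotted in a captured request trace. The following is an added example, not part of the original post; the traces, the host name example.test and the cookie names are constructed, and cookie scoping is simplified to an exact host match.

```python
"""Audit an HTTP trace for the login-then-downgrade pattern (added example)."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


@dataclass
class Exchange:
    url: str        # URL that was requested
    status: int     # response status code
    headers: list   # response headers as (name, value) pairs


def audit(trace):
    """Return findings as (kind, url, detail) tuples, in trace order."""
    findings = []
    jar = {}  # cookie name -> (host that set it, was the Secure flag present?)
    for ex in trace:
        parts = urlsplit(ex.url)
        host = parts.hostname
        # A cookie without Secure is attached to plain-HTTP requests as well,
        # so every network operator on the path can read it.
        # Simplification: cookies are matched on exact host only.
        if parts.scheme == "http":
            for name, (cookie_host, secure) in jar.items():
                if cookie_host == host and not secure:
                    findings.append(("cookie-sent-in-clear", ex.url, name))
        for name, value in ex.headers:
            lname = name.lower()
            if lname == "set-cookie":
                parsed = SimpleCookie()
                parsed.load(value)
                for morsel in parsed.values():
                    secure = bool(morsel["secure"])
                    jar[morsel.key] = (host, secure)
                    if parts.scheme == "https" and not secure:
                        findings.append(
                            ("cookie-missing-secure", ex.url, morsel.key))
            elif lname == "location" and 300 <= ex.status < 400:
                # Resolve relative redirects against the requesting URL.
                target = urljoin(ex.url, value)
                if parts.scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(
                        ("https-downgrade-redirect", ex.url, target))
    return findings


# Constructed trace: HTTPS login, then a redirect back to plain HTTP.
LOGIN_THEN_DOWNGRADE = [
    Exchange("https://www.example.test/login", 302, [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=zz91; Path=/; Secure"),
        ("Location", "http://www.example.test/home"),
    ]),
    Exchange("http://www.example.test/home", 200, []),
]

# Constructed trace: the same site with HTTPS kept on for the whole session.
ALWAYS_HTTPS = [
    Exchange("https://www.example.test/login", 302, [
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "csrf=zz91; Path=/; Secure"),
        ("Location", "/home"),
    ]),
    Exchange("https://www.example.test/home", 200, []),
]

if __name__ == "__main__":
    for label, trace in (("login then downgrade", LOGIN_THEN_DOWNGRADE),
                         ("always https", ALWAYS_HTTPS)):
        print(label)
        for finding in audit(trace) or [("no findings", "", "")]:
            print("  ", *finding)
```

The session cookie in the first trace is the sensitive item: once it crosses the network in clear text, the encrypted login no longer protects the account.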



Monday, July 25, 2011

Maryland DoC responds to Facebook login uproar

Originally published 2/28/11 on lubbockonline.com/glasshouses


Tuesday I told you about the Maryland Dept. of Correction policy of asking applicants for their Facebook username and password. Later that day they issued the following statement:


"During the initial interview, or recertification processes, DPSCS does not require correctional officer applicants to provide any information related to social media. An applicant is asked if they are active users of social media. If so, the Department only asks if an applicant would provide this information. If any information is provided by an applicant, it is done so voluntarily. If an applicant does not provide this information, it is not held against them and the interview process moves forward.


The Department has a legitimate concern about the infiltration of gangs into our prison system. DPSCS' efforts to explore an applicant's behavior on social media networks is not done through a desire to invade personal privacy, rather it is an effort to make sure the safety and security of our staff and inmates inside our correctional institutions is not compromised.

However, in light of these concerns raised by the ACLU and because this is a newly emerging area in the law, the Department has suspended the process of asking for social media information for 45 days to review the procedure and to make sure it is being used consistently and appropriately."


It's good that they have suspended the policy. Hopefully a review will help them realize just how wrong requiring prospective employees to hand over their social media logins is.