Selling You on Facebook

‘Selling You on Facebook’ is a great and timely article in the Wall Street Journal on how (Facebook) apps aggressively hoover up personal data. And not just your data – it’s your friends’ and family’s too…

Not so long ago, there was a familiar product called software. It was sold in stores, in shrink-wrapped boxes. When you bought it, all that you gave away was your credit card number or a stack of bills.

Now there are “apps”—stylish, discrete chunks of software that live online or in your smartphone. To “buy” an app, all you have to do is click a button. Sometimes they cost a few dollars, but many apps are free, at least in monetary terms. You often pay in another way. Apps are gateways, and when you buy an app, there is a strong chance that you are supplying its developers with one of the most coveted commodities in today’s economy: personal data.

Mining networks for sensitive personal information used to be the domain of virus and Trojan-makers. Now, apparently, it’s a multi-billion dollar business model…

Whether you know it or not – or even care – you’re selling another little bit of yourself every time you download and activate these so-called ‘free’ apps, and many of your ‘friends’ may unwittingly be passing on stuff you thought you were only sharing with them. As the author says, “don’t be surprised if details about your religious, political and even sexual preferences start popping up in unexpected places.”

Posted in Facebook

Facebook down? Houston, we have a problem…

facebook down

I thought there was something odd going on this morning, when I found I couldn’t sign up using the e-mail address / username / password option to a site that offered a Facebook sign-up option – not that I’d ever use Facebook that way.

The Facebook bit looked broken, and a quick check in Internet Explorer confirmed it – facebook was DOWN!!!!

Oh dear.

Not reassuring.

Single point of failure, anyone?

Time to think a bit more carefully about the ‘eggs in one basket’ problem, methinks. And it makes this spoof from last month look semi-prophetic. Well, almost.

Posted in Facebook

Facebook gangsterism

If a representative of an organisation came to you and said, “We know who you are – your name, where you live, what you like, what you look like, what you believe. And we know who your friends are too. Not only who you talk to, but what you share with them – including your secrets, which we store indefinitely. We monitor your common interests and beliefs, and we encourage your friends to inform on you in a whole bunch of ways. Oh, and by the way, we know your family too – including your kids, who we’re indoctrinating even as we speak…”

Would you trust them?

Would you fear them? Would you question their motives?

Would you feel in control, or ‘controlled’?

Would you ask yourself, “What could they do to me?”

Would you want to do something about it?

Would you be willing to pay the price?

Posted in Facebook

What is the digital equivalent of…?

…a gun?

“What is the digital equivalent of…?” is a thought experiment I have been playing myself and with various other people since the early 90s. It asks about the nature of things in the new digital / information world we are creating.

Things are what they do, not what people say they are or how they sell them to you.

So, for example, Dropbox is sharing and syncing with version control – it is NOT secure cloud storage and never can be. It has been engineered as inherently insecure because its trick is built on syncing the diff, which it can’t do without being able to decrypt your data.

And Facebook is not a social network, it is a proto-identity authority, an anti-controversialist walled garden but ultimately little more than a massively centralised public forums system with over-engineered (and highly dangerous) profiles. The clue is in the ‘social graph’…

Google is likewise a proto-identity authority. It has evolved way beyond search, and its ‘mission’ – “to organize the world’s information and make it universally accessible and useful” – once personalised / socialised, puts it in prime position to become an arbiter of identity.

What is the core ‘behaviour’ of a system?

That is what it is.

Posted in Facebook, Google, identity

It’s not ‘hacking’ if you guess someone’s PIN

I do wish people would stop giving hackers and hacking a bad name.

Hackers, in my experience, are extremely competent people who often have a pretty acute, if not always ‘comfortable’ or mainstream, sense of ethics. That is unlike ‘script kiddies’, certain private investigators and other wannabes, who often seem to lack – or fail to understand why it might be worth earning – the knowledge required to build or understand the tools they use.

To the ignorant, amongst whom we unfortunately must count the majority of our elected representatives, civil servants, the press and (I suspect) the judiciary, ‘hackers’ fall into the same broad category as ‘viruses’ – i.e. bad things they can’t understand that make bad things happen with computers… which they don’t understand either.

The reality is that the majority of fraud / computer crime is perpetrated by insiders. I’ve seen figures around the 70% mark, but whatever – it’s certainly more than half.

Most competent systems administrators – which doesn’t necessarily include the police, the military or (all of) the spooks, folks – change the default passwords and patch the known ‘back doors’ in their systems.

Many exploits characterised as ‘hacks’ are actually little more than exercises in social engineering, or the application of common sense to a little bit of publicly available information… in the absence of any reasonable constraint.

If I were to have, say, a list of telephone numbers and wanted to listen to the voicemails for as many of those phones as possible, would I need to ‘hack’ the phones? No. I could just, say, pay someone to do the very boring but utterly simple job of calling up the numbers one by one and plugging in the default PIN for each network. Apart from pressing a few buttons, the entire exercise might require software no more complicated than a spreadsheet to note down the successes or victims or idiots – depending on how you look at it.

If you want a sense of what a proper ‘hack’ is, take a look at http://rfidiot.org/ – which required thought and effort, knowledge and expertise. And which was done to demonstrate a wider danger.

What I found quite shocking at the time – but I guess less so, with hindsight – was how desperate the journalists were to engage the services of the chap who did this when (while we were demonstrating how easy it was to steal the data from the chip on the passport, even from inside the sealed envelope it was originally sent in) he showed them just how easy it was to take over their phones via Bluetooth. He wouldn’t do it, of course.

Some people know where to draw the line.

Posted in privacy