2 May

The wonders of “security questions”.

by mwapemble in Matthew's Musings

It has long been a matter of considerable disquiet in the profession – the use of so-called “security questions”, that really aren’t particularly secure, for protecting accounts and authorising password resets. “Mother’s maiden name”, “date of birth” and, for our US friends, “Social Security number” are really not secure. (And that doesn’t even attempt to address the problem of who really needs to identify whom!) The “hack” into Sarah Palin’s personal email account was through guessing of or searching for the correct answers to some standard or predictable questions.

Anyway, a supposedly very secure web-site I use has just been through a major update. One of the side-effects was the deletion or resetting of the password database. So I needed to go through the password reset process to have a temporary password (securely) emailed to me. There was, as there often is, a security question:

What is your surname?

Now, the email address I have registered on that site is of the fairly standard firstname.lastname@ type. And this is an organisation that not only should know better, but will insist (in the face of all evidence to the contrary) that they very well do indeed not only know but actually “do” better, and how dare you impugn their glorious name with your worthless allegations.
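The failure above is a question whose answer the service already hands out (the surname sits in the registered email address). A simple server-side check, added here as an illustration and not something from the post or the site in question, would refuse such a question/answer pair at enrolment; the account fields, weak-question list and length threshold are assumptions of this example.

```python
import re

# Questions the post calls out as not secure: their answers are public
# record or widely shared, so they add little to a password-reset flow.
# (Constructed list; extend to taste.)
WEAK_QUESTIONS = {
    "what is your mother's maiden name?",
    "what is your date of birth?",
    "what is your social security number?",
    "what is your surname?",
}

def _tokens(value: str) -> set[str]:
    """Lower-case alphanumeric tokens, e.g. 'First.Last@x' -> {'first','last','x'}."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}

def answer_is_recoverable(answer: str, account: dict) -> bool:
    """True if the answer can be read straight off data the service itself
    already stores or displays for the user (assumed fields: email,
    username, display_name)."""
    known: set[str] = set()
    for field in ("email", "username", "display_name"):
        known |= _tokens(account.get(field, ""))
    return bool(_tokens(answer) & known)

def check_reset_question(question: str, answer: str, account: dict) -> list[str]:
    """Reasons to reject a (question, answer) pair; an empty list means acceptable."""
    problems = []
    if question.strip().lower() in WEAK_QUESTIONS:
        problems.append("question is on the weak list (public or guessable answer)")
    if len(answer.strip()) < 8:          # assumed minimum; short answers are brute-forceable
        problems.append("answer is too short to resist guessing")
    if answer_is_recoverable(answer, account):
        problems.append("answer appears in the account's own identifiers")
    return problems

if __name__ == "__main__":
    # Constructed account mirroring the firstname.lastname@ pattern in the post.
    acct = {"email": "firstname.lastname@example.com",
            "username": "flastname", "display_name": "Firstname Lastname"}
    print(check_reset_question("What is your surname?", "Lastname", acct))
    print(check_reset_question("What was the name of your first pet?", "correcthorsebattery", acct))
```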

1 May

Yet more Facebook shenanigans

by mwapemble in Matthew's Musings

I found out, just now, that I have a Facebook email address. “matthew.pemble@”, guess what, “facebook.com”. I can’t remember asking for one, they didn’t go out of their way to tell me about it and I’m not sure how to access it, control spam to it or what interesting tricks one might play with it.

You are probably on Facebook too, so are likely to have your own version.

3 Apr

Pause and think …

by mwapemble in Matthew's Musings

Not, often, a popular suggestion. Visceral over-reaction appears to be the flavour of the day. As with the iFree app “Girls Around Me”. “This Creepy App“, indeed:

These are all girls with publicly visible Facebook profiles who have checked into these locations recently using Foursquare. Girls Around Me then shows you a map where all the girls in your area trackable by Foursquare are. If there’s more than one girl at a location, you see the number of girls there in a red bubble. Click on that, and you can see pictures of all the girls who are at that location at any given time. The pictures you are seeing are their social network profile pictures.

The moral of the story is simple – if you don’t want people to know stuff, don’t make it public. Or allow your friends to. Don’t get distracted by scares about how good this would be for stalkers – they don’t want “anybody”, they are after, for whatever reason, a specific person. And if you are that person and you are making stuff publicly available on social media, then you’ve got a serious problem – one that ragging on i-Free won’t solve. Don’t even be distracted by wondering what use this might be to “pick-up artists” – the decent ones already know which bars or clubs to go to to look for a one-night stand. (Note that the cynic in me assumes that the one group of people this would be ideal for is the guy who has just had a row with his steady girlfriend and is out to make a point. And the girlfriend in the blogpost had one of the stronger reactions. She knew.)

As the original Cult of Mac blogpost said – use this story, now the app is no longer available, as an education tool. All this app did was mash up freely available (in both the ‘free as in beer’ and ‘free as in speech’ senses) data. “Open source intelligence collection” – on people or companies – is a big business and is remarkably easy to do.

Anecdata 1: On a recent evening, a bloke was (perfectly reasonably but without announcement) added to the list of users in a closed, business online group I am a member of. One of the other members flagged this up to me, and the list admin – neither of us had ever heard of him. A moderately unusual name. In 5 minutes, I’d got his job, his community volunteering, his hobbies. For £1, I’d have had his address and telephone number. And, as his hobby was photography, I’d got a crude joke (he’s Welsh. There were photos of sheep) but, more seriously, in his (publicly accessible) flickr account, there is both sensitive personal data and some interesting photographs. And he is a computing professional.

Anecdata 2: Wendy was collecting information for a talk on social media security – with the permission of the victims. One of the victims has a young niece, who cropped up in the searches and was being about as secure as you’d expect of a pre-teen. That is “not”. Via the aunt, some security advice, mostly “friends only” was passed on.

There has been a bit of a backlash – I only heard about this because the BBC picked it up. Cult of Mac has updates here and, addressing the underlying issues really quite well, here.

26 Mar

It never ceases to amaze me …

by mwapemble in Matthew's Musings

Just what HR departments think they can get away with. I appreciate that this is in the “land of the notionally free but at-will employed” and probably wouldn’t pass muster here, but I know that a lot of US banks operating in London, for example, simply import all of their home-grown dodgy practices and rely on people not complaining.

When Justin Bassett interviewed for a new job, he expected the usual questions about experience and references. So he was astonished when the interviewer asked for something else: his Facebook username and password.

For some time, with the ever increasing use of social media, it has been reasonably common for employers to check out prospective employees’ profiles online (even though the German parliament aren’t too happy about it.) I’ve personally rejected a job applicant because, having vaguely recognised his name, a quick search brought up the BBC News report of his conviction for hacking offences*. Which wasn’t mentioned on his application form (and, no, it wasn’t spent and I did ask him if he had mysteriously failed to remember when applying.) I’d not be too surprised about being asked to identify my profile (particularly if I was David Smith or similar, rather than Matthew Pemble – there aren’t that many of us.) But to ask for login details?

Very, very strange. And quite rightly, somewhat unpopular.

All I can suggest is that, if you are asked, you adopt a phrase from another American initiative and “Just Say No”.


* It didn’t do his previous employer any good either. They’d given him an excellent reference (having sacked him when they found out about it) and were touting for business with me.

21 Mar

Fairness and dot Kimble?

by mwapemble in Matthew's Musings

Kim Schmitz, aka Kimble, aka Kim Dotcom, aka a lot of other things but most recently (and once again) “the accused” is not a sympathetic figure. Pretty much since I have been actively involved in the security industry (as opposed to hidden away in concrete or steel boxes doing government security), he has been hovering in the zeitgeist, occasionally leaping up into the full glare of high-octane (but not always favourable) publicity. See here and some ‘total-suspension of critical faculties’ fawning here for examples.

15 Mar

I’m sorry, Sir, your card has been declined.

by mwapemble in Matthew's Musings

Embarrassing, isn’t it? Even when it is just the wait on a busy Saturday while the machine is in a queue awaiting the eventual authorisation. Because we all know what it means – you’re broke. And ignorant. Or even a fraudster. Although, in most cases, all you have done is miss paying a bill or been slightly over-extravagant at the sales.

So, on my way out for my recent trip, I was, indeed, embarrassed to find my Maestro card declined when I filled the hire car up with petrol. Luckily, I had more than enough cash in my wallet (I had been warned that my destination had only recently discovered the joys of Chip’n’Pin) and escaped from the garage with nothing worse than a slightly bruised ego. A quick check of my bank account showed more than enough money to pay the bill. Hmm, well, errors do happen. So, I went on my trip, actually managed to spend some money on my Maestro card, and came back.

2 Mar

The Biters Bitten

by mwapemble in Matthew's Musings

There is a lot of moral outrage on the internet at the moment. Well, to be honest, there has always been quite a lot of it, but with the fights against ACTA, Protect IP and SOPA, Wikileaks versus Stratfor and 25 putative members of the Anonymous collective under arrest, it is a busier time than usual just at the moment.

So this came as a bit of light relief:

Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen.

If there is a moral to this story, rather than just a cheap laugh on a Friday afternoon, it seems to be this. No matter how righteous you think you are being in your use of the internet, you always need to be careful downloading executables (and, he feels he has to add, anything which contains executable code or might be an executable pretending to be something less dangerous.)

13 Feb

The dangers of relying on IT?

by mwapemble in Matthew's Musings

As a society, we are getting more and more reliant on computers and on the data they transmit and display. Often, reality is assumed to have to fit in with what the computer says it should be – whether this is incorrect information in a database, which you have no way of having changed; computer models causing mis-valuation of complex financial products; or the endless and bitter arguments about weather and climate predictions.

We’ve seen this happen – the first time I tried to submit an on-line tax return, many years ago now, I couldn’t get the digital certificate required because the certificate provider wouldn’t accept that my mobile phone was provided by (what was then) 1-2-1. Of course, I had the phone in front of me, and hadn’t recently changed it but, no, their data said something else. So I printed out the online form and posted it. Or the adult son of the previous occupants of our current house, whose dividend cheques were sent to us for nearly five years. That was complicated by us not actually knowing where he lived now, the cheques being sent out on behalf of rather than by the company whose shares he owned and the usual misunderstanding of the Data Protection Act.

Anyway, on a much, much lighter note.

9 Feb

We’re secure, honest?

by mwapemble in Matthew's Musings

Apropos of concluding a business agreement, I came across the following within a third-party “Terms of Use”:

XXX Inc is committed to being Seriously Secure. Our servers are housed in state-of-the art SAS 70 Type II secured datacenters with redundant power and internet connectivity, and our security systems have been fully certified by Salesforce.com.

Okay, let’s start. SAS 70 is deprecated; it is not a security certification, nor evidence of datacentre compliance with TIA-942. Even the Type II report only says that you are running the controls you say you are running. And, frankly, it’s not XXX Inc’s security controls that are being reported on – it is their data centre service provider’s. The racks may be in a superbly secured environment and the servers and code utterly insecure. So, in all likelihood, utterly misleading.

Salesforce.com? As a security certification body? Apart from the checks they run against apps you want to host on their cloud infrastructure (and this service integrates with salesforce.com, so this may well be what they are talking about), this is the first I, or Google, have heard of it. So, in all likelihood, utterly misleading.

2 strikes? Do they want to try for the third?

8 Feb

Contributory Negligence and WiFi Security

by mwapemble in Matthew's Musings

Well, it had to happen. And it had to be the media “industry” and their crowd of vultures.

“Defendants failed to adequately secure their Internet access, whether accessible only through their computer when physically connected to an Internet router or accessible to many computers by use of a wireless router,” Liberty Media claimed. “Defendants’ negligent actions allowed others to unlawfully copy and share Plaintiff’s copyrighted Motion Picture, proximately causing financial harm to Plaintiff and unlawfully interfering with Plaintiff’s exclusive rights in the Motion Picture.”