Every few months I delete my Facebook account citing lack of ethics in their business model and the way it's being executed. The FTC agrees with me, Austrians and Germans agree with me, and the Privacy Commissioner of Canada agrees with me. Facebook consistently seeks to undermine the illusion of privacy they present to us, and to violate laws and the rights of its users to perpetually maintain a "social graph" that contains mind-bogglingly detailed information about each and every person on the service including what websites you visit (that have a like or connect button installed), and what actions you do and personal information you share on many of these sites. I then inevitably sign up again to access their API in order to stay current as a developer where clients need to access people, and if their target audience is on Facebook; the client needs to be on Facebook too, and I better know how to give them that access.

What does Facebook have to do with identity? There's a new feature in Facebook's account settings that allows you to link your Facebook account with what are considered other identity providers (ie: Google, Yahoo) using OpenID. This means you can log into Facebook with credentials from these other services; and/or if you happen to log out of Facebook and into say Google a Like button on someone's blog would still recognize you as logged into Facebook. So what's in a username when a username is only weakly linked to your identity?

An email address is strongly linked to your identity; I can send you an email, but because email addresses are easy to spoof I cannot be sure an email is really from you without extra layers of security that aren't for the average user, or a really good Turing test which is unfeasible especially in the age of social networks where relationships are just as easy for anyone to discover and spoof. An email address is analogous to a driver's licence. Underage people create accounts with fake birthdays to get around COPPA just as they get a fake licence to buy beer. It's unfeasible for the average person to create fake driver's licenses as it is for them to hack into someone's email account; but fairly trivial for people to acquire the knowledge to use both technologies for identity theft or spoofing.

In the real world your identity is a culmination of the information that resides in other people's brains and in 'the system' about you. You are the impact you have on the world. In a court of law where identifying you can mean the death penalty or not, the only thing more convincing than DNA is DNA plus photo evidence plus eye-witness testimony plus a trail of other evidence. It is fairly trivial to plant some DNA as it is to hack into someone's online accounts; it's easy to brute force, phish, or Firesheep an account and gain access to credentials. In a digital world gaining access to and duping the bits used as a digital passport is easy, it's hard to post a thousand status updates, photos, and blog posts over a period of years as someone else while over those years interacting with other real people in that person's life. Because identity is a culmination of the impact you have.

People get upset when they can't access the first of their ten thousand tweets; no matter how trivial it was; because it's perceived as a part of their identity. Our history and our breadcrumbs are our identity. Our interaction with the world is accumulated validation that we are who we unconsciously present ourselves to be. When logging into online banking or anything else that requires extra security we set up secret questions and answers about our identity; and symbiotically depending on what parts of my life history is exposed to a given observer the nature of their perception of my identity is accordingly changed —Yet I wouldn't go so far as to say that we have multiple identities because of it. If two people are looking at the same sculpture from two different angles, then there are not two sculptures; only two representations of the same sculpture. There are no two people in my life who have the exact same account and there is no person including me who has the full account of my identity. The vast majority of our lives are forgotten or not known even to us. For example if someone found an old journal that belonged to your great great great great grandfather, reading it would add to your knowledge of your identity; it would uncover a part of your identity. There is no reason why a computer program could not be one of the mediums to store and retrieve parts of your identity, but your identity follows and remains attached to you.

Your family impacts your identity and so does your social interaction, as well as your knowledge and experience acquired. Identity rubs off and is transient. I am who I am because of who everyone else is. It's not just attached to my consciousness or my physical body, but both, and everything else those two things have together or individually interacted with either physically, digitally, or vicariously. Identity is a culmination of the impact you have on the world. Any website where you make an account wether strongly or weakly tied to your identity is merely a representation and thus an extension of it.

There are no social networks. There are only tools and services with social features. Google+, Facebook, and Twitter are all broadcasting and link discovery tools, and they are all ways to waste time. Forget about the motives and business models of the companies and their inherent overlap. Google+ gives you more finely tuned and personal search results, Twitter allows for trends to be easily sparked and monitored, and Facebook exposes your breadcrumbs to help you find people and discover parts of their identity that would otherwise be hidden to you. None of these things are inherently good or bad in theory and none of them are a complete picture of you.

The idea of only using one social network, or only having one ultimate online identity is not only silly (because they are all merely representations of your identity), but it leaves you vulnerable to exploitation. You should have many online accounts and many places where you publicly aggregate and maintain a list and links to those accounts so that if one goes out of business you still have breadcrumbs, and so that if one gets hacked you can mention it on all the others. You should use different login credentials so that it's totally unfeasible for anyone to gain access to the majority of them, and so that the patterned imprint of your identity on the web becomes easy to tell apart from what a given hacker would do with your account if they gained access to one of them. You should treat everything you post as public because it ultimately is and consider it to be public domain. The notion that these companies respect what's in their TOS is a marketing gimmick, although you can still use tools given to differentiate these public parts of your identity it is and should be seen merely as a form of curation rather than any form of security; and you should seek to maintain aspects of your identity privately, offline, and between close relatives and friends.

Dropbox has been getting a lot of flack recently for misleading users. Their attempt to address these issues on their blog is ridiculous; their marketing department spinning nuance into very serious security claims leaves them with a permanent stain on their brand, one of being utterly untrustworthy and incompetent. They tried to walk the line of ambiguity and it's come back and ruined what was once a shining example of a consumer brand done right.

Here's a link that highlights that incompetence, and here's an excerpt from a recent post on the Dropbox blog illustrating how full of shit they are:

For example, one help article formerly stated that “files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity.

Another statement read “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this.

In summary, anything you put in Dropbox should be considered public, just like Facebook and Twitter. While all your data in Dropbox is "encrypted" the keys to decrypt all your data is accessible and stored with Dropbox in the cloud, not with you. Meaning the encryption is totally meaningless. Aside from the fact that Dropbox now openly co-operates with anyone who makes a request to peak at your files, any hacker that gains access to the Dropbox servers or codebase can easily get your encryption key and your data is compromised.

I recently started using Facebook and Buzz along with Twitter as public publishing tools. Facebook still sells itself as being for your friends and people you know, which is still completely false. Everything you post on Facebook is public-regardless of your privacy settings, and permanent-regardless of whether you delete it from your wall, but that's besides the point.

The issue I'm writing about today is one where Facebook allows any website to post to your wall as you without your consent (ie: identity theft), as long as you're signed into Facebook. Most people are permanently signed in even when all Facebook tabs and windows are closed by means of a session cookie your browser saves for weeks. Today in my newsfeed there was a link to a video of the tsunami in Japan.

When you click on the link you get taken to a fake youtube page, and are told to verify your age to watch the video. Clicking on the "Verify my age" link takes you to an annoying ad for a malware toolbar, while secretly using your Facebook account to post the link to your own wall and like it. Clicking anywhere else takes you to other sites that infect your computer with viruses and malware.

This malware spreading site happens to be using a live analytics service called amung.us and if you look at the ping response you can see that there are constantly around 10,000 people on the site over the five minutes I kept hitting refresh.

The fake youtube site isn't hacking Facebook or your account, it's simply taking advantage of a gaping security hole in Facebook's API. Any website can embed a hidden Like button, and if you happen to be logged into Facebook on that computer that website can post anything to your wall.

How does it work?

A website loads a hidden Like button on their page, which is just an iframe calling http://www.facebook.com/plugins/like.php with some GET variables. The website uses Javascript to trigger the click action of the Like button posting anything they feel like to your profile without your consent or knowledge. Your friends see the link, trust you, click on it and begin spreading it themselves.

How can Facebook easily prevent it?

Liking a 3rd party webpage should popup a little box that asks for your pin number. Your pin number should be set in your Facebook account settings and be a 4 digit number separate from your password that you're prompted to change every month. This way posting content is a conscious effort on your part, and 3rd parties can't use hidden Like buttons to post to your wall.

The French National Institute of Computer Science just published a study, where they analyzed over 10 million usernames from various websites and social networks, finding that many people use the same or similar enough usernames across services allowing malicious bodies to build pretty comprehensive profiles of you. They released a tool to analyze the uniqueness of your online usernames. You can read the study here as a freely downloadable PDF.

The take away is to use distinct usernames for different services, and make sure you only use your real name if you want all that account info to be associated with the real you.

via [TorrentFreak] via [Cornell]

There's a new trojan worm(a self replicating malware program; think computer virus) calledStuxnet. It infects all versions of Windows back to Windows NT and 2000 and possibly earlier versions as well. It also affects Windows Server, so many of the websites you visit may be leaking your personal information and/or unknowingly infecting your computer just by visiting the website.

It hides itself on usb sticks inserted into infected systems, the simple act of viewing files on an infected usb stick infects your computer. It's also been discovered that it can infect your computer from website favicons in web browsers, email, office documents, cds, via webdav, ftp, etc.. So anywhere on a Windows system where you see any kind of shortcut icon, the act of viewing that icon will infect your computer - assuming the shortcut is malicious. The bug is in the heart of Windows; the function where Windows parses a shortcut icon to display it to you, will instead install the worm if parsing a malicious icon.

The worm once installed contacts home(the hackers) and can be used by the hackers to run any code on your computer they want. They can steal your passwords and see everything you type or is displayed on the screen, they can transmit files, they can erase your whole system or crash your drive. anything. They have total control of the system.

It's already been found infecting Siemens industrial systems and it could easily target core network infrastructure like your ISPs. There are reports that 9000+ newly infected systems are being discovered every day and that the number is skyrocketing. It is currently undetectable by anti-virus software. The exploit has been demonstrated and published for over a week now, so aside from Stuxnet there could be tens of thousands of other related worms and viruses taking advantage of the same security hole.

Microsoft is unlikely to fix this until the second Tuesday of August, and it's very unlikely they'll fix it in unsupported versions of Windows like 2000 or NT - which constitute millions of computers especially in the corporate world where proprietary information leaks can seriously affect the stock market and national defence. For regular users it means identity theft, system crashes, all your computer activity being monitored and broadcast, your email or Facebook account being used to send the virus to your friends, family, and colleagues, and more.

Microsoft has released a dirty patch to deactivate the vulnerable part of Windows until there's an actual fix, but it's believed not to be effective at preventing the spread of the worm, AND because the vulnerability exists in such an integral part of Windows it seriously affects your ability to use Windows. To paraphrase Steve Gibson, Windows uses shortcuts as the "glue" to link things together in the OS, even within some dialogues and other places you don't realize, so running the supposedly ineffective Microsoft patch leaves you looking at a lot of white squares and unable to perform certain tasks.

Microsoft Security Advisory:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Symantec's Breakdown:
http://www.symantec.com/connect/blogs/w32stuxnet-network-operations

Security Now(The first 30 minutes is about Stuxnet):
http://twit.tv/sn258

I've talked a lot about their unpleasantly ghostly Privacy Policy and Myspace-esk TOS, you know the ones that sign away equal rights and entitlement to your identity indefinitely just by using their site. But I haven't talked about the intrinsic insecurity of a social network like Facebook.

Fact: A significant amount of computer users exhibit insecure behaviour online. They don't use strong passwords, they don't opt for https://, they don't work on virus/keylogger free computers, and they answer spam emails(shocking I know).

Fact: Facebook contains not just a list of all your friends, but all your friends' friends, and a record of your interactions with them. Your social network and scene.

Think about it like this: If someone gains access to your email account, they can see your contact list, and they can see how you talk to your contacts. If they have a lot of time on their hands they can read huge volumes of emails and piece together your relationships.

On Facebook, they can see your list of friends, family, your communication with them, but more importantly their communication with each other. A schematic of your social life heavy with descriptions of how you know each person. Assuming you've toggled your privacy settings back so only your friends can see your stuff, and did so before google indexed your profile and friends list. Every one of your Facebook friends is an attack vector for all the personal info you've posted and that your friends and family have posted that doesn't even relate to you. More clearly A is an attack vector for B, A<->B, C, and B<->C.

In addition 3rd party Facebook app developers also have access to your social circle and information. Your Buddy wants to try an app from some developer he doesn't know? Well they just grabbed your entire social network and know a LOT about you and all your friends.

On Facebook, you are not the only one responsible for keeping your information safe. Anyone you friend is. Would you trust your Facebook friends with your Facebook username and password?

It's given birth to a new breed of highly personalized spam. Imagine getting an email from someone you don't know offering you cheap Viagra and even using your first name. Sounds like a scam right? Sounds like if you clicked on the link you'd probably get a virus or some kind of malware installed on your system right? Right.

Now imagine getting an email from Sarah your old girlfriend, where she talks about something you did the other night at a party (which you posted a photo of on Facebook being careful to only let your friends see) and then telling you she wants you to see a funny youtube video. You click on the link and guess what? It wasn't Sarah at all! "What?!", you say? How's that possible?

The Spammer, we'll call him Spammer, gains access to Jim(your buddy)'s Facebook account because a) he accidentally typed in FaceBack.com without realizing it and tried to login. His credentials were phished and the Spammer was in his account within 30 seconds, or b) Jim(same Jim) adds an application where the 3rd party developer wrote a bunch of code that scrapes all of Jim's and your information and emails it to him(the Spammer) as a .zip file when it's done. The Spammer goes ahead and looks through Jim's friends list, then through yours. Looks through your photos and descriptions of each of your contacts. Looks at Sarah's profile and write's down her email address, attaches the photo to an email, the email spoofs Sarah's email address(this is astoundingly easy without her login credentials from any computer connected to the internet) and adds an html link that looks like this in code:

<a href="http://sitewithavirus/silentkeylogger"> http://youtube.com/v=harmlessvideo</a>

and to you looks like this:

http://youtube.com/v=harmlessvideo

Clicking on the link will obviously take you to the virus and not to youtube and if you use Internet Explorer, or the Spammer is using a zero-day exploit for one of the other browsers, you're fucked due to arbitrary code execution.

A site that gives anyone other than you access to a super detailed schematic of your social circle is inherently insecure. Facebook should not expose your real life social circle to anyone even other people in that circle. But they do and will because a large part of their user retention plays on social needs for acceptance/approval/jealousy/etc. which requires exposing that information to people you normally wouldn't and in a permanent public manner that you normally wouldn't.

You probably found this because you're trying to make a socket connection from Flex/Flash and getting the following error:

SecurityError: Error #2123: Security sandbox violation:

Adobe went through a number of phases making the rules for serving and checking Policyfiles stricter. There are different security sandboxes. If you publish your flex/flash application on domain.com, and the application attempts to load content from domain2.com, it will look for a Cross Domain Policy File at domain2.com/crossdomain.xml to get permission. It does this automatically, however you could specify the location of the Cross Domain Policy File in your flex application using the following method:

Security.loadPolicyFile("http://domain.com/remote_content/crossdomain.xml")

A Cross Domain Policy File only has authority to grant access to content below it in the folder hierarchy. So a policy file in /remote_content/ can't grant access to content in the root folder, and in addition a Policy File at the domain root can override any other policy file. It has maximal authority. Subdomains are considered separate domains - which as a side note most search engines see subdomains that way too.

Now that's Cross Domain Policy Files, In general Adobe Air applications operate in one of the local system sandboxes and has thus have access to content on any domain. This post is about Socket Policy Files. When you access regular web content you're generally connecting to your server on port 80 and being served content by Apache or whatever web server you happen to be running. When you do this you're using http protocols under the hood and never have to deal directly with that crazy stuff. If you want to make a raw socket connection to your server you will need to serve up a Socket Policy File on a specific port.

First I just want to stress the difference between a Cross Domain Policy File and a Socket Policy File. For some reason my dyslexia and the ton of misleading, vague, and now out of date and incorrect information I kept thinking they were the same thing. Second there is no way as far as I'm aware to serve a Socket Policy File with Apache.

The default port for flex/flash to search for a socket policy file on port 843. There are several places on the web that talk about being able to connect to higher port numbers without a Socket Policy File, well that doesn't seem to be the case anymore. Just assume that any raw socket connection from a flex/flash client requires a Socket Policy File.

You can serve the Socket Policy File from the port you're connecting to, but this is tricky considering the manner in which Flex/Flash goes about loading the Socket Policy File and rewriting the service to serve this up, especially if you're using server software built by someone else, means it's just better to keep the Socket Policy File Server as a separate always running entity on the system.

Now in the simplest implementations you need a process either written in python, perl, c++, php cli, or whatever. It needs to be listening on port 843. It has to wait for - very specifically - the following string<policy-file-request/> followed by a NULL byte. Upon receiving that it needs to serve up the policy file which needs to at least have allow-access-from domain set to *, and to-ports set to *. You should use the links at the end of this post to familiarize yourself with the differences between and all options you can specify in Policy Files. It's easiest to keep the Policy File as an actual file, instead of adding the text of the file to your custom server code. And that's it!, now you can go on with a better idea of what information out there is out of date or not.

Here are some important links to help you on your journey:

Adobe on setting up a Socket Policy File Server

Adobe on Policy File changes for flash 9 and 10

Adobe on the structure of Policy Files

An intro to Sockets

Working PHP Cli Socket Policy File Server