Saturday, April 28, 2012

Spam Nation - Disintegrating Respect One Friend at a Time


Dear reader,

If I or one of your friends referred you to this blog, please do not be offended. The intent is to help you be the kind, considerate person it is believed you intend to be, or to help you help friends who do not realize they have been deceived into spamming others.

If Facebook were a country, with a population of over 840 million users it would be the third largest nation in the world, and Facebook, more than any other nation in the world, has embraced Orwellian doublethink (http://en.wikipedia.org/wiki/Doublethink).

In the Facebook doublethink nation, “like” may mean you want to tell a group what idiots they are, but to have a voice in their forum you engage in a practice called “liking” to tell them you hate them. “Like” may mean you want to get something free and if you click a little button that says “like” you will get something free from an organization you don’t even care about. This is like saying you “like” someone you don’t give a damn about to get laid, except if six months of free antivirus is as good as getting laid, you’re doing it wrong, not that lying to get laid is ever right.

“Friend” frequently means “someone you have never met, you have talked to very little, and you know virtually nothing about.” The dictionary definition of friend applies to a small percentage of what Facebook defines as “Friends”. That said, most everyone on Facebook does have some friends who fit the traditional definition and many of these people have become quite rude to their real friends because “Sharing” is doublethink for spamming on Facebook.

Would you consider it kind, friendly, or considerate of me to sign you up for spam that relates to something you have no interest in? Is it fair for me to force you to opt out of something you never expressed any interest in that I didn’t even actively post to your newsfeed? I’m not talking about posting something you disagree with, I am talking about allowing a business to advertise on YOUR newsfeed because I gave them permission to without asking you if that is what you wanted. Fundamentally it is absolutely no different than me signing you up for email spam, except in the rude nation of doublethink called Facebook.

Specifically, this rude behavior is a by-product of the spammy world of Facebook apps. Facebook apps re-wrote the dictionary entries for deception and rudeness.

Let’s take a look at what you agree to, and change the marketing lies and deception into truth and disclosure.

You see where it says “Okay, Watch Video”? That means that you have just agreed to become a spammer on behalf of the company that makes the Viddy app. It means that you agree to let Viddy post any action you take on Facebook, including sharing private messages between you and others.

“This app may post on your behalf, including videos you watched, people you liked and more” means that “and more” is not defined or limited. Facebook may claim they have policies that would prohibit this kind of information sharing abuse, but Facebook’s terms of service are subject to change and Facebook itself has consented to 20 years of government auditing for privacy abuses. The company claiming the rights to post on your behalf has just tricked you into becoming their unpaid spammer and spamming people you call friends. Do you really trust them to do what is right?

Do you really want to tell your friends every video you watch? Do you really think they want to hear about every video you watch? Do you understand it isn’t at all about what you watched, it is all about spamming the name “Viddy” in as many people’s newsfeeds as is possible, and using you as the unpaid spammer.

This activity is not limited to teeny-bopper fads like Viddy. The Washington Post is a major spammer in the Facebook Nation and is all too happy to turn you into a spammer as well.

Now, you see where it says “Who can see posts this app makes for you on your Facebook timeline”? Let’s get rid of the deception. What this means is: whom are you going to sign up for spam? By default you sign up your friends, relatives, basically all of Facebook for spam when you enable an app that posts “on your behalf”. By the way, it is not on your behalf; it is for the sole purpose of selling product and using your Facebook account to spam the world. This is the place where you can choose not to become a spammer and limit the posts to yourself or, if you use lists, to a selected group of people. Below is a list of the choices. Be kind and change the default. If Facebook had a person with a conscience in charge, the default would always be “Only Me”, but decency must be an active choice and is never a default.


Don’t be fooled though, if you limit it to just you, it may be temporary. You see, you also agree to the Viddy terms of service which explicitly state that “Any updates, new services or any modifications of an existing service will be governed by the TOS, which may be modified or updated from time to time in our sole discretion. The continued use of the Site or Services following the posting of changes to the TOS constitutes your acceptance to such changes. We strongly encourage you to regularly review this TOS.”

In other words, at any time Viddy can change who they spam back to everyone again.

There are worse apps than the ones that at least let you choose to limit the audience when you sign up. Some of the apps do not offer a choice at sign up. Let’s look at the app “Words with Friends”. Yes, that’s right, the app for those who wish to emulate the self-centered Alec Baldwin. I don’t know if Words with Friends will let you call your 11-year-old daughter a “thoughtless little pig”, but it will let you spam your friends. From the screen below, it doesn’t appear that limiting the audience is an option.

For the sleazy apps like Words with Friends and Farmville, you have to go into your app settings after you agree to be a rude spammer and then change into a respectful person by changing the auto-spam settings.

There are thousands of apps on Facebook and many of them start spamming as soon as you start using them. If you have 100 friends, then you have just opted 100 people into spam who then have to learn how to opt out if they happen to figure out that they can get rid of the spam. You clicked once and signed 100 people up for spam without asking them if that is what they wanted.

If you signed up for 10 apps (yes, Angry Birds and Bejeweled are apps) then you have signed each person you call a friend up for 10 spam feeds without asking them whether they want that spam. That is 10 separate apps that you have forced people you call friends into having to unsubscribe from to get out of the spam. Their other option is to simply unfriend you or ignore all but “important posts”. Does anybody know how to make a post “important”? Seeing as it is Facebook, I haven’t looked into what makes a post “important”, but it sure as heck isn’t Bejeweled Blitz spam!

So you signed up for an App on Facebook and didn’t quite understand how rude the app provider was going to make you be to your friends. I don’t take it personally, you weren’t intending to be rude or insensitive. My friend, you were played like a violin… too bad the tuba player was the one playing you.

In the computer security industry a zombie is a computer that is infected with a bot. One of the nefarious things that zombie computers do is send spam from the infected computer. In the Facebook Nation, app providers make you into a spambot zombie. For your own security and privacy I recommend turning off ALL Facebook apps, but I will teach you how to cure yourself of the zombie infection and even still be able to use apps if you want to. For those of you who don’t mind looking around a little bit, it’s in your privacy settings under apps and websites. If you happen to be a zombie and are proud of it, please don’t bite off my head.

To begin, go to the upper right portion of your Facebook screen and click the little down arrow by the word “Home” and choose privacy settings.

Next, you are going to choose "Edit Settings" from "Apps and Websites". You may have to scroll down a little to find "Apps and Websites", depending upon your screen.


Now you can click on each app and disable its ability to spam the world all the while abusing your fine name!

If you don’t want the app to ever post anything, then click “Remove” where it says “Post on your behalf” in the top section where it says “This app can:”. This really would read “Post on the advertiser’s behalf” if Facebook required honesty in Facebook advertising. If you do want some people to see what the app posts, then do not remove the “Post on your behalf” feature.

Continue to the “Public” button and change that setting to something considerate of your many friends. This is where lists can be handy. Suppose you have a group of friends who play “Words with Friends” and they really do want to know what words you play, then make a list and let the app post status to that list. For most people I think “Only Me” is the correct option.

If you choose custom it appears to allow you to specify people, but I haven’t tested it.

Now you know how to use the apps you want without being a rude zombie spammer and eating your friends!

I would encourage you to share this each time someone allows an app to spam your newsfeed to help them be a kinder, more considerate friend on Facebook.

Copying this blog and even translating it for non-commercial purposes is explicitly allowed IF you let me know where it is being posted and how to contact you. You can leave a comment as I moderate all comments and I won’t publish notes directed to me with personal information.

Commercial organizations wishing to republish this blog must make arrangements with me.

Randy Abrams
Independent Security Analyst
© 2012

Tuesday, April 24, 2012

Asking for a Facebook Password – Malice, Ignorance, or Incompetence?


Recently some governments and businesses have gone the extra mile to distance themselves from the decent and intelligent members of their communities. The growing practice of asking employees or potential employees for their social networking account passwords is being embraced by the ignorant, incompetent, and the malicious at such a rate that laws banning the practice are becoming a necessity. The legislature of Maryland recently became the first state legislature to approve such legislation and Michigan doesn’t appear to be far behind.

Aside from the obvious fact that it is an affront to anyone who ever fought for any country to protect and preserve freedom, there are several reasons why only an incompetent or ignorant business (or government agency) would engage in such a practice.

Legal Liability

At least in the United States, there are some questions that an employer does not ask a potential employee. There are laws against discriminating against people who are members of certain groups. In most cases, asking a potential employee’s age is not allowed. Asking a person’s sexual orientation or religious beliefs is generally not allowed. By accessing a person’s Facebook account an employer may see information that the employee or potential employee can claim was used to discriminate against them. The employer who asks for a Facebook password lacks the intellect to seek legal advice before doing so, has incredibly poor legal advisers, or lacks the wisdom to accept competent advice.

Security Implications

As I have often written before, there are two types of people who ask you for your password… thieves and idiots (http://randy-abrams.blogspot.com/2011/12/two-rules-you-damned-well-better-know.html). The reason for this advice is that it is a really bad practice to give out your password to anyone. The employer who asks someone to share their password is encouraging truly horrendous security practices within their organization. The employer who requires a Facebook password also requires that employees be less than competent at security. You might want to carefully consider doing business with another business than one that engages in such practices, as they lack the basic knowledge of security required to keep confidential dealings with you or your business confidential. The core of the company’s culture is the least intelligent security practices. The employer who asks for passwords for personal accounts failed to ask their head of IT for advice, or has an incredibly inept IT “expert”, or simply ignores good advice.

Character Implications

Facebook, Google, and virtually all online services have user agreements that explicitly state that the user agrees not to share their password with anyone. The employer who requires employees or potential employees to share their password is the employer who categorically rejects any employee that keeps their word. The core of that organization’s ethical culture is dishonesty. The employee who stands by their legal agreements is deemed to be unfit for employment. Does this sound like an organization you want to do business with?

Social Implications

The organization that asks for the password to social networking or email accounts is an organization that thumbs its nose at the heroes of its country. This is the organization that tells the family members of soldiers who have died fighting to protect freedoms that it truly does not appreciate the sacrifice and that their lives were wasted fighting for principles that the organization holds as worthless. These are the employers who would tell today’s soldiers that their sacrifices are completely unappreciated.

The Tiny Intellect

One of my all-time favorite sayings is “If you only see one solution, you probably do not understand the problem”. The employer who asks for passwords does not understand much at all. Unless the goal is to violate privacy, there are other ways to approach the problem that the employer is trying to solve using the least intelligent solution.

The Dumbest Argument of All

This is the one that sets the ignorant apart from the truly, pathologically stupid. The argument is… “If you have nothing to hide then it isn’t a problem”. This argument assumes that failing to abide by an agreement isn’t a problem, but it also demonstrates extreme short-sightedness in another area. Although I may not have anything to hide, it does not mean that I am acting morally, ethically, or even just plain decently by showing emails and messages that others may have sent to me in confidence. While Facebook may arguably not be a great place to send a confidential message to someone, people do share private information and trust that the person they share it with will respect their privacy. The argument “If you have nothing to hide then it isn’t a problem” completely ignores the very real fact that the employee or potential employee has agreed not to share someone else’s information.

Thieves and Idiots

It may be that the employer asking for the password isn’t a thief… I can buy that. It may be that the person isn’t an idiot, but if they are neither a thief nor an idiot, they are so painfully ignorant that it isn’t safe to give them your password, and you certainly don’t want to do business with companies where such gross ignorance is embraced by management. In the case of city officials engaging in this behavior, it is a danger to society to have such civically irresponsible people in positions of authority.

Randy Abrams
Independent Security Analyst

© 2012

Check for DNS-Changer Before July 9th


Hundreds of thousands of people are going to find that they can’t get their email or browse the web on July 9th, 2012. This isn’t part of the alleged Mayan prediction that the world will end in 2012, this is the fallout of a cybercriminal operation.

Perhaps you have heard of the malware called “DNS-Changer”. If you don’t know what malware is, it is short for “Malicious Software”. If you aren’t sure about “malicious software” then you would probably call it a computer virus.

If your computer is infected with the DNS-changer malware then you are surfing on borrowed time. I’ll explain the problem and what you need to do about it.

Every computer on the internet has an IP address. Think of it like the address for a house. Each computer has an address, and all web pages are housed on computers. When you want to go to Google, you can type in www.google.com like in the example below.

The reason you can type in Google.com is that there are special computers on the Internet called Domain Name System Servers, or DNS Servers. When you type in a web address the information is sent to a Domain Name Server and then translated to the actual address of the computer you are looking for. You actually can type in the address of the web site you want, if you know it. For example, Google is at 173.194.33.46, so, as you see in the address bar below, I can type the address in instead of the friendly name www.google.com.

Usually you use a DNS server that your Internet Service Provider supplies when you are at home, or, when you are traveling, the access point (often Wi-Fi) will also provide that information to your computer. You can choose your own DNS server if you want to and know how to. This is where the malicious software (malware) we call DNS-Changer comes into the picture.

When computers got infected with DNS-Changer it made changes to the computer or router that would force the computer to use DNS servers that were controlled by the criminals. The FBI, in conjunction with the government of Estonia and others, caught the criminals and took control of the bad DNS servers. The problem is that if they simply shut down the servers, the Internet would have stopped working for millions of infected computers. The FBI enlisted the help of the good guys at the ISC (Internet Systems Consortium) to maintain the DNS servers until people’s computers could be fixed. Initially the ISC was supposed to stop providing assistance in March, but there were still so many infected computers that it was decided they would keep the systems in place until July 9th, 2012. As of April 2012 there are still over 300,000 computers that are infected, and nobody but the owners of the computers has the right to fix them. If your computer is one of the infected computers then on July 9th you will no longer be able to receive email or surf the Internet until your computer is fixed. The DNS-Changer malware appears to have affected Macs as well as PCs, so don’t make the mistake of thinking that your Mac is immune.

Fortunately, it isn’t very hard to test to see if your computer has the DNS problem.

You can simply go to http://www.dcwg.org/ to check and see if your computer is affected and then fix it if need be. Don’t wait until July 9th to do this because if your computer is affected then you won’t be able to get to the web site to test or fix it!

Recently http://www.dcwg.org/ has been unavailable at times, so http://www.dns-ok.us/ and http://dns-changer.eu/ are also safe sites to help you test for the problem.

There is also another potential problem. If you have a router and you did not change the default administrator password when it was installed, the malware could have changed the DNS settings in the router. To check the DNS settings on the router you will need to refer to the owner’s manual for your router. If you don’t know where you put your owner’s manual then you can almost certainly download a new one from the vendor’s web site.
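The test sites above look at where your request comes from; the same check can be made locally by comparing the nameservers a machine is configured to use against a list of flagged address ranges. The following is an added example, not code from the original post or from the DCWG: it pulls the nameservers out of a Unix `resolv.conf` and out of the “DNS Servers” field of Windows `ipconfig /all` output (both samples are constructed inline) and flags any resolver inside a flagged range. The post does not list the rogue ranges, so `ROGUE_RANGES` holds RFC 5737 documentation addresses as labelled placeholders; replace them with the published DNS-Changer list from dcwg.org before relying on the result. The addresses shown on a router’s DNS settings page can be checked the same way by passing them to `rogue_nameservers`.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example, not from the original post. The real DNS-Changer ranges are
not on the page, so ROGUE_RANGES below contains RFC 5737 documentation
addresses as PLACEHOLDERS; substitute the published list before use.
"""
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation blocks stand in for rogue blocks).
ROGUE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample resolv.conf: one LAN resolver, one inside a placeholder range.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.77
options timeout:2
"""

# Constructed sample of the relevant part of Windows `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
# An ipconfig field line looks like "   Label . . . . : value"; the label always
# contains whitespace before the colon, which a bare IP address never does.
IPCONFIG_LABEL_RE = re.compile(r"^\s*\S.*?\s[. ]*:")


def parse_resolv_conf(text):
    """Return the nameserver addresses declared in resolv.conf text."""
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not a literal IP address; ignore the entry
    return servers


def parse_ipconfig_dns(text):
    """Return the addresses listed under 'DNS Servers' in ipconfig /all output.

    The first address shares the label line; further addresses appear on
    indented continuation lines until the next labelled field.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            value = line.split(":", 1)[1]
        elif in_dns and IPCONFIG_LABEL_RE.match(line):
            in_dns = False  # next labelled field ends the DNS list
            continue
        elif in_dns:
            value = line
        else:
            continue
        try:
            servers.append(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass  # blank line or non-address text
    return servers


def rogue_nameservers(servers, ranges=ROGUE_RANGES):
    """Return, as strings, the servers that fall inside any flagged range."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text, ranges=ROGUE_RANGES):
    """Return (configured servers, flagged servers) for resolv.conf text."""
    servers = parse_resolv_conf(text)
    return [str(s) for s in servers], rogue_nameservers(servers, ranges)


def check_ipconfig(text, ranges=ROGUE_RANGES):
    """Return (configured servers, flagged servers) for ipconfig /all text."""
    servers = parse_ipconfig_dns(text)
    return [str(s) for s in servers], rogue_nameservers(servers, ranges)


if __name__ == "__main__":
    for name, result in (("resolv.conf", check_resolv_conf(SAMPLE_RESOLV_CONF)),
                         ("ipconfig", check_ipconfig(SAMPLE_IPCONFIG))):
        configured, flagged = result
        print(f"{name}: configured {configured}")
        print("  WARNING: flagged", flagged if flagged else "none")
```

On a real machine, feed `check_resolv_conf` the contents of `/etc/resolv.conf` or `check_ipconfig` the captured output of `ipconfig /all`; an empty flagged list means none of the configured resolvers sits in a range on your list, which is only as good as the list you loaded.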

If you have a business, you might want to share this information with your customers. Although your computer may be healthy, if your customers have the problem they will not be able to email you or reach your web site after July 9th until they get their computers fixed!

There are a couple of other side effects of the DNS-Changer malware. If your computer is infected then Windows Update has not been downloading security updates. Go to Windows Update and make sure you have all of the security updates. Your antivirus software will not be functioning properly if DNS-Changer is present. Make sure your anti-virus software is up-to-date as well.

It is a great idea to set reminders to verify that your antivirus software is updating properly and that your computer is up-to-date with security patches as well. I recommend checking this every week, but even once a month would be fine. You also need to make sure other software is current, but I’ll save that for another blog!

If you can’t connect to the Internet on July 9th and you call your ISP for assistance, they’ll probably actually know what the problem is... Perhaps that is why the Mayans thought the world is going to end this year!

Randy Abrams
Independent Security Analyst
© 2012