Sunday, June 10, 2012

Facebook Lists – The Respectful Way to Use Apps

Back in April I posted Spam Nation - Disintegrating Respect One Friend at a Time in an attempt to help people reduce Facebook spam and treat one another with more respect. Some people “got it” and made changes to their app settings, but other people, people I like and respect, are still spamming their friends with notices about Bejeweled Blitz, videos they saw on SocialCam or Vimmy, stories they read on the Washington Post Social Reader, or what song they are listening to on whatever music app they use.

I wondered why these normally polite people were still allowing their apps to spam all of their friends and I came up with three possible answers. It’s possible they didn’t understand the post. I try to make these things as understandable to as wide an audience as I can, but individuals often learn differently and maybe for some I wasn’t really clear. If that’s the case, please let me know so I can be a better educator. The second reason, and the one I think is probably the least likely, is that they really don’t care who they spam about what. I don’t think that most of my friends are like that though. The third reason, and the one I suspect is the most common one, is that they have friends that they want to share this stuff with and that they want to see. If I’m playing Words with Friends, I might want to know what other friends who play are doing too.

If you are one of those friends, or a friend of yours referred you here and this is true for you, then today I will teach you how to share with your friends who want to know while respecting the rest of your friends enough to not let your apps spam them.

The little trick here is something called lists. Of course there isn’t a link on your home page called “lists”, but it’s easy to make one. Once you make a list you can tell the apps to only send notifications to that list. This is really easy and here is how you do it!

On the left side of your newsfeed you have a grouping called “Friends”. If you hold your mouse over the word “FRIENDS” then on the right you see the word “MORE”. If this step isn’t working for you, ask me for help!

When you click on “MORE” you will see a screen like the one below, only it is probably longer. See at the top where it says “Create List”? Click that!

Now you get to the Create New List screen. Choose a name for your list and then start typing in the names of the friends you want to be on your list. As soon as you have a letter or two the friend’s name and icon will appear.

See (below) how I only had to type in two letters to get a list of friends whose names start with those two letters? I just click on the friend and move on to the next friend. It is really fast and easy.

Now when you go to add an app, notice the part that says “Who can see posts this app makes for you on your timeline”. This really should say “Control whose news feed we are going to spam”. In the picture below, see where I have circled “FRIENDS” in red? That is where you select who the app talks to.

Many apps default to everyone or friends. I’m going to change this to my new list that I titled “App Lovers Anonymous”.

Now all the app chatter is seen only by the people I put on my “App Lovers Anonymous” list, and not in the news feed of my friends who couldn’t care less whether I play Bejeweled or not.

We aren’t quite done yet. There is still the issue of the apps you already installed. It’s time to fix their spammy behavior problem!

Go to that little down arrow by the word “Home” in the upper right corner of your screen and choose “Account Settings”.

The next thing is to click on “APPS”.
On the right you will see a list of your installed apps.

Next to each app click the “Edit” link. You have to do this step for each individual app.

Now you see in the lower corner where this app is set to spam "Everyone"? I’m going to click on “Everyone” and change it to my new list “App Lovers Anonymous”.

Repeat this step for each app and now you will share with those who want the information and stop spamming the rest of the world!

Seriously, these apps don’t post all that stuff to save you the effort, they post to your timeline because it is free spam-vertising. These App publishers know that they can leverage you to spam all of your connections if you don’t limit their audience by choice. Please be considerate of your friends and only share the app messages with those who want to know it. Most of your friends probably don’t want to know what video you just watched, what songs you listen to all day, or what game you have been playing.

You can create separate lists for music, games, videos and social readers, or put them all in one or two lists. You really can share with your gaming buddies and stop annoying the rest of your friends!!!

If you want to use lists and I haven’t explained this well enough, leave me a comment here or contact me at Facebook and I will happily assist you!

Remember, it’s up to all of us to make Facebook a kinder, more respectful place by reducing the unwanted spam we can control! Share this with those who need the information, and use the information if you use apps!

Special thanks to my awesome friends Anders Nillson, Christina Ho, Kenneth Bechtel, Lisa Wolfenbarger-Wagner, Larry Bridwell, Mary Donovan, Natalie Moreno, and my sister (If I say awesome sister she’ll report to the FBI, again, that my identity was stolen by an imposter) for allowing me to use them as research guinea pigs for this article. I learned that you can’t use a group for app notifications, it has to be a list. Also, if you name a group “App Lovers Anonymous” Facebook will tell your friends that you added them to a group called “Lovers Anonymous”.

You may republish, or translate and republish this specific blog posting at no cost as long as you don't charge others for it. It would also be nice if you let me know if you republish. Thanks!

©2012 Randy Abrams - Independent Security Analyst

Friday, June 8, 2012

Fighting the BMW Spam Machine – Part 4

Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible

Previously I emailed copies of my correspondence and complaint to the FTC; you can pass along any spam messages there. Now I will show you how to file a complaint against a company online. Note that the FTC will not take action on behalf of an individual, but as the number of complaints mounts, the offender gets noticed by the FTC and action will be taken if there are enough complaints. This isn’t just for spam either, it covers a wide range of consumer protection complaints.

To start, go to and click on the consumer complaint link.

This actually takes you to when you click on the complaint form link to start the complaint.

Page 1 you should be able to fill out without my help and page 2 asks if you are a member of the armed forces. I do not know how that information is used.

The next screen looks like this

As soon as I checked “Email Spam” it progressed to the next screen.

I selected both “I am getting spam e-mails and I want them to stop” and “I can’t opt out of receiving e-mails from this company” because both are true. BMW of Mt. Laurel’s opt-out page doesn’t work if you don’t allow client-side scripting (that means letting them run a program in your browser), and even when they tell me they will stop spamming me they keep doing it anyway.

Next you let the FTC know if you know anything about the company you are complaining about. I’m going to say yes.

Most of the information I need to fill out the next page is at, although some of it came from their spam.

Here I click “+ Add another company” because I am also naming The Holman Automotive Group and BMW of North America. For the Holman Automotive Group the Better Business Bureau had some contact information even though the business is not accredited. The process was even easier for BMW of North America as their contact page has all of the details.

The next step is easy enough

Step 4 is to confirm your contact information so you don’t need a picture of that.

In step 5 you can provide additional information, but it is a bit scary that the FTC’s spell checker doesn’t know the words “spam” or “spamming”

One final confirmation of all of the information and you get your very own case number!!!

The beauty of social networking is that you can reach out to others who are getting spammed or otherwise cheated by companies and organize a complaint campaign to get the bad guys on the FTC’s radar.

So far still no word from BMW of Mt. Laurel, BMW of North America, or BMW AG, but I’m pretty sure they know there’s a disturbance in the force!

Now to move on to filing complaints with state Attorneys General, and to let you know how you can do that too!

For background see:

Part 1 - Fighting the BMW Spam Machine

Part 2 - An Open Letter to BMW AG

Part 3 - How to Get the Attention of a Global Corporation

Part 5 - Using the Internet Crime Complaint Center (The IC3)


Fighting the BMW Spam Machine – Part 3

How to Get the Attention of a Global Corporation

In Part 2 I wrote an open letter to BMW AG, but like a tree falling in a forest with nobody to hear it, you don’t know if an unread letter made a sound or not. The trick is: how do you get the attention of a company like BMW?

The answer is you do a little research and you use some leverage.

It didn’t take long for me to find, and that gives me the email addresses of several BMW employees in Germany who can either address my concerns or make sure they are addressed.

I decided to start with Ms. Christel Reynaerts, Head of International Corporate Sales. It is important not to include everyone in the same email, as that may trigger some spam filters. Additionally, you want to change the text, at least a little, in each message, or multiple duplicate messages may trigger spam filters and the recipients will not know that there is a problem they need to deal with.

You might message them and ask what they are doing to stop BMW spam!

In this case, since BMW is a German company and their Distributor is operating in the USA, I can also contact the German Ambassador to the US to let him know how poorly his countrymen are representing Germany and ask for assistance in getting BMW to stop allowing a US company to use their logo in spam runs. I suspect the Ambassador has more important things to do and will make sure someone else makes sure that this isn’t going to be a distraction any longer.

Additional steps on the “to do” list include:

File a complaint with the Attorney General for Washington State.
File a complaint with the Attorney General in New Jersey.
Check with the FBI to see if there is a potential criminal harassment complaint since BMW of Mt. Laurel refuses to stop emailing me.
Research legal options for a civil lawsuit against BMW of Mt. Laurel, Holman Automotive Group, and BMW of North America.

Time to send a bunch of emails to BMW employees now. The firstname.lastname format of employees at tells me there is a reasonable chance that I can also email senior management at the company as well!

I’ll post more as I learn more or take more actions.

For background see

Part 2 - An Open Letter to BMW AG

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible
Part 5 - Using the Internet Crime Complaint Center (The IC3)


Fighting the BMW Spam Machine – Part 2

An Open Letter to BMW AG

Dear BMW,

The fact that you have a successful business is not an excuse to abandon basic human decency. Relentlessly harassing people in order to peddle products is not acceptable behavior and tends to indicate that you believe it is necessary to cajole people into buying your products because your products lack sufficient quality to sell themselves.

Going into another country and setting up a legal corporation to encourage local businesses to flout the laws of the land is not being a responsible world citizen. Your authorized representative “BMW of Mt. Laurel” has been engaging in a spam campaign for more than a year now. I have repeatedly asked them to stop spamming me and they refuse to honor legitimate requests or comply with US legislation against unwanted commercial emails. BMW of North America appears to be completely supportive of the illegal tactics and refuses to take any actions to stop BMW of Mt. Laurel from continuously spamming me. At this point it would be reasonable to assume that BMW AG approves of BMW of North America’s support for illegal and unethical spamming, but if I am wrong, feel free to reply and let me know how you intend to put an end to the spamming and to force BMW of Mt. Laurel to compensate me for the relentless harassment.

I do understand that BMW of North America is technically a separate legal entity, and that BMW of Mt. Laurel is a separate legal entity; however, they cannot use the BMW trademark if you do not allow them to represent you as common spammers, like they currently do. If you cannot revoke their licensed representation for failing to abide by the laws of the country they do business in, then you need to hire competent legal representation to write your contracts for you.

If you will not put an end to the spamming then I must assume it is how your company chooses to operate and continue to shed light upon your lawlessness and lack of basic human decency.


James “Randy” Abrams

Part 1 - Fighting the BMW Spam Machine

Part 3 - How to Get the Attention of a Global Corporation

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible

Part 5 - Using the Internet Crime Complaint Center (The IC3)


Thursday, June 7, 2012

Fighting the BMW Spam Machine – Part 1

In this series I will take you along on a fight against a sleazy, unrepentant, relentless spammer. Together we will discover if the US CAN-SPAM Act and/or any state laws have any real teeth in fighting a known spammer doing business in the United States of America.

The spam story starts back in May of 2011 when I received spam from BMW of Mt. Laurel, a dealer in New Jersey that is part of a company called Holman Automotive. Why a BMW dealer in New Jersey is spamming a guy in the State of Washington is beyond me, but I asked them to stop.

In November 2011 I received more spam from BMW of Mt. Laurel. I contacted BMW of Mt Laurel again and they said they would remove my name from their list. In December 2011 I received more spam and again requested that they remove me from their spam list.

In January 2012 Wendy Morgan of BMW of Mt. Laurel continued her relentless spamming and blatant disregard for federal legislation, so I contacted BMW of Mt. Laurel, Holman Automotive Group and BMW USA and demanded that the spamming stop. Wendy Morgan assured me that the spamming would stop. BMW USA would not intervene or sever their relations with a dealer who violates federal laws. BMW USA did ask for my number so they could contact me, and I did provide it, but they did not follow up.

Come May 2012 and BMW of Mt. Laurel is spamming me again. Holman Automotive and BMW of Mt. Laurel refuse to respond to demands to stop spamming me and BMW USA refuses to do anything. This time BMW USA did call to let me know they would not do anything.

In part 2 of this posting I will guide readers through the process of filing an online complaint with the FTC. After that I will continue with walking readers through how to file a civil suit against spammers who refuse to comply with federal legislation.

Let’s see if an individual can take a stand against sleazy spammers like BMW of Mt. Laurel and perhaps see if BMW USA does have an obligation to assist in preventing their affiliates from spamming.

Part 2 - An Open Letter to BMW AG

Part 3 - How to Get the Attention of a Global Corporation

Part 4 - Filing an Online FTC Complaint is Easy, Fun, and Socially Responsible

Part 5 - Using the Internet Crime Complaint Center (The IC3)


The LastPass LinkedIn Password Checker

LastPass has put up a web page for users to check to see if their LinkedIn password was one of the ones whose hash was leaked. As you know if you read my blog post “Dumb, Dumb, and Dumber”, I don’t think it’s a good idea to give someone else your LinkedIn password. The catch here is that LastPass, in case you don’t know, is a password management program. In other words, you already trust them with all of your passwords, so why not type in your LinkedIn password on their web site? Let’s add one more item to this discussion: LastPass got it right in that the web page uses SSL, so the hash of the password is encrypted when it is sent over the web.

It may seem logical that there is no problem, but this is not the case. To start with, you don’t trust LastPass to know your passwords, you trust them to provide a program that helps you to manage your passwords. LastPass is not supposed to know any of your passwords other than the master password that allows you to access your passwords. I will concede that this is a very fine distinction, but if LastPass does not honor that explicit trust then they cannot be trusted. I do believe that LastPass is legitimate and does not access your passwords.

Here is the reason why you still do not enter your password, even at the trusted, properly implemented website. The reason is because you do not need to make an exception to The Two Rules You Damned Well Better Know and if you do it for no good reason because you think it is safe, you’ll probably do it for something that seems like a good reason, but is really a phishing attack.

In the case of LinkedIn, we know that 6.5 million password hashes were leaked, we don’t know if more were accessed and not leaked. Change your password. It doesn’t matter what a web site tells you, change the password to be safe!!! Now, since you need to change it anyway, why do you need to know if someone thinks it may or may not have been compromised? I know, the same reason I entered mine in…. curiosity. I only used my LinkedIn password in one place and I changed it BEFORE I checked to see if it had been leaked, so it was not my password when I entered it! I would never give anyone a password I was using or planned to ever use again at any time.


Wednesday, June 6, 2012

Dumb, Dumb, and Dumber

LinkedIn recently had a bit of a security problem that allowed people to access about 6 million user passwords. Actually they were unsalted hashes of passwords, and that is technically different, but effectively about the same in this case. That was dumb. The password hashes should have been salted.

For the non-technical user, a password “hash” is a scrambled version of the password that cannot be run backwards, but it comes out the same every time for the same password. That means an attacker can hash millions of guesses once and match them against every leaked hash at the same time, so any common password falls instantly. A process called “salting” mixes a random value into each user’s hash, so the same password gives a different hash for every user and each account has to be attacked separately.

On to the next “Dumb”. As an attempted “Public Service” Mr. Chris Shiflett put up the LeakedIn website so that users can check to see if their password was one of the ones that was compromised. In order to do this you have to type in your LinkedIn password. Sorry, but despite good intentions by Mr. Shiflett, this is a dumb idea. You should never type your LinkedIn password anywhere other than at LinkedIn. If you are concerned that your password may have been one that was compromised, it is time to change it.

Now for the dumber: LeakedIn is not using SSL, or in other words its address does not start with https. When you go to a website that starts with http nothing is encrypted. If you use public Wi-Fi then all of your data can be captured (WPA2 encryption only protects the radio link, and on a hotspot with a shared password the other users can still decrypt your traffic, so it is no substitute for https). For this reason any reasonable web site that asks for a password uses https (encrypted) for at least the part where you send your password. LeakedIn uses http and that is really bad.

So, LinkedIn failing to use best practices when storing passwords was dumb. Asking users to type in their LinkedIn password anywhere other than at LinkedIn is dumb. Asking a user to type in their password on a non-SSL site is even dumber!

For the more technical users who have looked at the code on the web site: yes, it is the hash and not the password that is sent to LeakedIn, but the whole problem LinkedIn has is that the unsalted hashes were leaked. An unsalted hash can be matched against a dictionary of hashed guesses just as easily as the password itself, so LeakedIn is having users send their unsalted password hashes in plaintext across the web, which is no better than sending the passwords.
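As an added example (this is not code from the post, from LinkedIn or from LeakedIn; the accounts, passwords, wordlist and “leaked” dump are all constructed here), the block below shows why unsalted hashes are “effectively about the same” as passwords, why handing the unsalted hash to a third party is no better than handing over the password, what salting changes for the attacker, and how to check a password against a leaked dump locally so that nothing leaves your machine. It uses plain SHA-1 for the unsalted case, which is what the 2012 LinkedIn dump contained, and PBKDF2 for the salted case, which also iterates the hash, one step beyond the salting the post asks for.

```python
"""Unsalted vs. salted password hashes, and a local leak check.

Added example for this post; not LinkedIn's or LeakedIn's code. Every user,
password, wordlist entry and 'leaked' hash below is constructed for the demo.
"""
import hashlib
import os

# Constructed sample accounts (two users picked the same password).
USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
}

# Constructed cracking dictionary. Real ones hold hundreds of millions of entries.
WORDLIST = ["password", "123456", "linkedin", "linkedin2012", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 over the password: the scheme behind the 2012 LinkedIn dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def leak_unsalted(users: dict) -> dict:
    """What an attacker walks away with from a database of unsalted hashes."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Hash every dictionary word ONCE, then match it against all leaked hashes
    at the same time. Cost is len(wordlist), no matter how many users leaked."""
    table = {unsalted_sha1(w): w for w in wordlist}  # attacker's lookup table
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Salted AND iterated hash (PBKDF2-HMAC-SHA1). The salt is stored next to
    the hash; it is not secret, it only has to be different for every user."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations).hex()


def store_salted(users: dict, iterations: int = 10_000) -> dict:
    """How the database should have looked: user -> (random salt, salted hash)."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt, iterations))
    return records


def crack_salted(records: dict, wordlist: list, iterations: int = 10_000):
    """With a per-user salt there is no shared table: every (user, word) pair
    costs a full hash computation. Returns (cracked, hashes_computed)."""
    cracked, work = {}, 0
    for user, (salt, h) in records.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt, iterations) == h:
                cracked[user] = w
                break
    return cracked, work


def password_in_leak(password: str, leaked_hashes: set) -> bool:
    """The safe way to answer 'was my password in the dump?': compare LOCALLY
    against a copy of the leaked hash list. Neither the password nor its hash
    is sent to anyone, so there is nothing for a phisher to collect."""
    return unsalted_sha1(password) in leaked_hashes


if __name__ == "__main__":
    leaked = leak_unsalted(USERS)
    print("alice and bob share a hash:", leaked["alice"] == leaked["bob"])
    print("unsalted, cracked:", crack_unsalted(leaked, WORDLIST))
    records = store_salted(USERS)
    cracked, work = crack_salted(records, WORDLIST)
    print("salted, cracked:", cracked, "after", work, "hash computations")
    print("local leak check:", password_in_leak("linkedin2012", set(leaked.values())))
```

Run as a script: `crack_unsalted` recovers both accounts that share a password with a single pass over the dictionary, and their hashes are identical in the dump, which is itself a giveaway. After salting, the two identical passwords produce different hashes and each account costs its own pass, so the attacker’s work grows with the number of users times the size of the dictionary, and the iteration count slows every one of those guesses. The local check at the end is the only form of “was I in the leak?” that does not hand your password, or a hash that is as good as it, to someone else.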
