loose wire blog

Here’s another appearance on Radio Australia’s Breakfast Club which is pretty much every Friday—around 1.15 GMT—and here are some links to the things I talked about this week.

Here’s the audio of the segment (about 10 minutes’ worth).

• Facebook’s move to be more like Twitter. As I said on the show, Facebook fears that its network lacks room for growth; when was the last time you added a friend?
• Marketers find Twitter. Australian company uSocial will go out and get followers for you, for a price. This isn’t underhand, but already twitter is becoming a place for spammers (from Habitat to the sleazeballs who won’t get out of my twitter stream.) As I mentioned on the show, Facebook is going to try to be more like twitter, while twitter may have to be more like Facebook.
• Meanwhile Rupert Murdoch sees Facebook as a directory, MySpace as a place to share common interests. If that’s the case, then twitter actually trumps them both because it’s a real time search engine for both. (I didn’t have time to talk about this, but it’s an interesting point.)
• (From last week) Researchers in Italy have been going around nightlcubs in Chieti asking people for cigarettes. Turns out if you ask them in their right ear, you’re more likely to be successful. It’s called the right ear advantage (via the Daily Telegraph.)

I don’t get overly excited about plug-ins but I think Xoopit may have shifted us into a new gear.

As part of a course I teach on journalist tools I do a demo of Gmail. I talk about it being the new desktop. But I’m only showing the bare bones of the thing: labels, filters, colors, stars.

For a lot of them, that’s an eye-opener in itself.

But it’s once you start talking about gadgets where you can access your calendar, your documents, your chat, then it really makes sense.

All good, but not really anything different to Outlook. Just lighter and accessible from anywhere.

But the arrival of an updated version of the plugin Xoopit, I think, really pitches webmail, well Gmail, into a new zone.

It has some basic stuff which is kinda useful. At the top is a row of picture attachments from recent emails:

Not that useful for me, but useful.

There are also links to videos and files: click on one and it takes you to a full listing of attachments, listable by type, date received, etc. You can even search by sender: 

But still that’s not what impressed me, and convinced me we’re on the threshold of something brand new.

Read an email thread and Xoopit will pluck out those people involved in the conversation. It will display them on the right hand side of the thread. Not only that; it will try to grab their Facebook profile and image—even if you’re not connected to them on Facebook:

At a stroke I can now see who I’m talking to (in this case avoiding the catastrophe of misidentifying a woman as a man) and also see who we have in common:

To me this raises all sorts of possibilities. Suddenly my networks are beginning to talk to each other, to mine each other for data and work to close the gaps in them. I’m suddenly much better informed about the people I’m dealing with, without having to do lots of legwork.

Of course, this would be better if it was also searching LinkedIn (or maybe instead searching LinkedIn, in that I’d rather connect that way to a professional contact first.)

But it’s still the first time I’ve seen leveraging like this done in such a simple and unobtrusive way. It fits into my way of working rather than a lot of these network leveragers I’ve seen, which add to the clutter or try to automate things which should  be manual.

More on that anon.

For now, congratulations Xoopit. I count this as the first step in a bright dawn of social networks and contact lists working for me rather than the other way around.

And I think it’s further proof that Gmail—or Yahoo! Mail, or any of the rich featured webmail offerings—are actually a workplace in themselves, around which can be built all sorts of useful tools mining our other networks.

Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news covering the alleged incident.

(Apparently this piece mentions this fact but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? Why was this information removed from the story or comments?)

What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

"On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. ... IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. ... The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle."

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.

Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:

Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.

Facebook may have just won a theoretical warchest from a spammer, but it’s not put its house in order when it comes to scams. Indeed, I suspect they’re getting worse. Now you can get infected without even having to visit your Facebook account.

What happens is that, if you have set your profile to receive email updates when someone sends you a message on Facebook, these trojan scams actually make their way direct into your inbox. Facebook is just the vector:

Here’s a message, as it looks in Gmail:

Click on that link and it takes you, not to the Facebook message page, but straight to the dodgy website. In this case the website is still active. It will have a name like YuoTube:

and a YouTube-like interface:

The message in the ‘player’ says “Your version of Flash Player is out of date.” Without you doing anything the download window will appear:

Of course, if you install that you’re in trouble. But are you in trouble if you’ve already visited the page? I’m still working on that.

I’m intrigued, and slightly depressed, at how social networking sites deteriorate so quickly into what are little more than scams. I think it started about a year ago, when a number of sites started pulling the stops out to build up membership.

Now, it seems, it’s all about the money. Take Quechup, for example, which has never had a very good reputation, though some say it’s undeserved. I don’t think anyone would try to argue that now.

I opened an account at Quechup about a year ago, and left it, with no friends. no connections, no activity (a bit like my real life.) I didn’t get anything until last month. In the past month I’ve received more than 30 messages. All of them from people I don’t know; all of them, from the subject line, spam:

So what’s the scam, then?

Well, if you’re fool enough to open one of these messages, that’s your limit. Suddenly your inbox looks like this:

The message is basically that you can’t open any messages until you upgrade your membership:

Upgrading, of course, costs. Not a lot, but if you’re curious to find out who’s been scamming you, sorry, flirting with you, you have to cough up:

My question is this: Who is behind the spam in my inbox?

Admittedly, my profile is a bit provocative:

Still. One can’t help feeling that either the spam is being allowed by Quechup as a money-making exercise, or, the only other explanation I can think of, it’s spamming its members with silly messages in the hope they’ll be curious enough to upgrade and read them.

Either way, it’s a social network that’s dead from the neck up.

Sad, really.

I’m a big fan of Google Talk (Gtalk) but hadn’t come across this before: Videochat inside the Google Talk widget inside Gmail. Does it get any better than this? (Probably, but this works pretty well. Great for those guys not using Windows, and therefore unable to use the great Gtalk client.)

It’s not for me, but there’s a certain unerring logic about SocialMinder: instead of leaving your social and business relationships to be tended by natural forces, why not automate them?

SocialMinder offers just that, by mining your LinkedIn and Gmail address books and notifying you when you last contacted that person. (This is called monitoring the health of your relationships.) It not only does that; it will dig out some news item related to the person in question—or from the organisation they work for, and prepare an email for you. Something like this:

which reads:

Hi Wicak;

I was thinking about  you the other day, and then I saw this and had to ask how/if this impacts you..

ACES Int'l Certification Programs: Certified Utility Locator ...
Here is the link:
http://www.acesinternational.org/

Hope that you all are well...

Talk with you soon...

Needless to say, should I send this to Wicak he would be highly surprised as that’s not the way I talk to him (not enough insults and expletives), and the fact I’m pointing out his organisation’s own website to him might give him pause to wonder whether continuing our friendship is a good idea.

Some early thoughts:

This kind of thing occupies an odd space in the social/business networking pantheon. On the one hand, we all know there’s a lot of dodginess about networking. It’s all about back-scratching, and what-can-you-do-for-me about it all. But it still needs to be civil, and at least a pretence maintained that there’s more to it than naked mutual exploitation (actually, put like that it sounds quite fun.)

So how to monitor and nurture those relationships without putting in the effort that real relationships require? Hence SocialMinder (I suspect a better name would be SocialMiner without the ‘d’.) It’s pretty well executed, of course, and perhaps there are instances where this kind of approach might be useful.

But all SocialMinder really does is to remind you that relationships aren’t about quantity, they’re about quality. Even business ones.

Everyone on LinkedIn knows—I assume—that they’re on there because they want to make use of other people’s networks. These networks, actually, don’t really exist. They’re just a bunch of names, loosely tied, as Mr Weinberger might put it. It’s not that LinkedIn is not useful, but it’s not because we’re constantly sending our LInkedIn buddies emails about their company’s activities. It’s because we can use those loose connections to hear about jobs, or put out requests, knowing that it’s going to people who accept such emails as part of the networking process. Call it a kind of ‘business spam opting in’.

So, sadly, I don’t think SocialMinder will catch on. Indeed, you might argue it marks the apogee of the social networking trend. If we need to rely on software to direct our relationships then, I suspect, we’ve either entered another dimension from which there’s no turning back, or we’ll realise the limits of the medium and start to focus on the people behind the nodes.

Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s minsitry of education, for example, has published the names, addresses, age, date of birth, school and education number of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam, it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

Been watching the veep debates on Livestation, which has an interesting feature: a live chat connected to the program with some LiveStation folks guiding the discussion.

It works pretty well: It’s great to be able to watch TV with a bunch of other people, though I had one eye on that chat, and one eye on some Skype, Google Talk, twitter, Facebook and FriendFeed chat windows too.

This makes all sorts of sense, and I commend Livestation for doing this kind of thing. The IRC format is a bit old school; it would be nice to see something beyond the noisy chat format. Or, even better, being able to drag our other communities into the window to watch together.

But that’s down the road. This is a good way to share information—live and visual—and I think this is an exciting way forward.

Update: Livestation points out that the chat is directly connected to Al Jazeera via Russell Merryman, Head of New Media, who was feeding comments through to the studio to guide the post-debate discussion.