Tag Archives: Atlanta

Why Social Network Sites May Fail

Look at a social networking site lie Yaari and you can see where the social networking phenomenon may fail, simply by abusing the trust of its users.

Sites like LinkedIn, Plaxo etc rely on expanding quickly by offering a useful service: trawling your address book to find friends and contacts who use the same service. We’ve gotten used to this, and it’s a great way to build a network quickly if you sign up for a new service.

But any service that uses this needs to stress privacy, and put control in the hands of users. Plaxo learned this a few years back. Spam a user’s contact list without them realising and you invite a firestorm of opprobrium on your head.

But surprisingly some services still do it. And in so doing they risk alienating users from what makes Web 2.0 tick: the easy meshing of networks—your address book, your Facebook buddies, your LinkedIn network—to make online useful.

Take Yaari, a network built by two Stanford grads which has for the past two years abused the basic tenets of privacy in an effort to build scale.

What happens is this.

You’ll receive an email from a contact:

 image

It’s an invitation from a “friend” which

  • gives you no way to check out the site without signing up. The only two links (apart from an abuse reporting email address at the bottom) take you to the signup page.
  • neither link allows you to check out your “friend”  and his details before you sign up.

If you do go to the sign up page you’ll be asked to give your name and email address:

image

Below the email address is the reassuring message:

Your email is private and will stay that way.

But scroll down to below the create my account button and you’ll see this:

By registering for Yaari and agreeing to the Terms of Use, you authorize Yaari to send an email notification to all the contacts listed in the address book of the email address you provide during registration. The email will notify your friends that you have registered for Yaari and will encourage them to register for the site. Yaari will never store your email password or login to your email account without your consent. If you do not want Yaari to send an email notification to your email contacts, do not register for Yaari.

In short, by signing up for Yaari you’ve committed yourself, and all the people in your address book, to receiving spam from Yaari that appears to come from your email address. (Here’s the bit from the terms: “Invitation emails will be sent on member’s behalf, with the ‘from’ address set as member’s email address.”)

You should also expect to receive further spam from Yaari, according to the terms:

MEMBERS CONSENT TO RECEIVE COMMERCIAL E-MAIL MESSAGES FROM YAARI, AND ACKNOWLEDGE AND AGREE THAT THEIR EMAIL ADDRESSES AND OTHER PERSONAL INFORMATION MAY BE USED BY YAARI FOR THE PURPOSE OF INITIATING COMMERCIAL E-MAIL MESSAGES.

In other words, anyone signing up for Yaari is commiting both themselves and everyone else in their address book to receiving at least one item of spam from the company. Users complain that Yaari doesn’t stop at one email; it bombards address books with follow-up emails continually.

Needless to say, all this is pretty appalling. But what’s more surprising is that Yaari has been doing this for a while. I’ve trawled complaints from as far back as 2006. This despite the company being U.S.-based. I’m surprised the FTC hasn’t taken an interest.

So who’s behind the site? This article lists two U.S.-born Indians, Prerna Gupta and Parag Chordia, and quotes Gupta as saying, back in 2006, that to preserve the integrity of the network access is restricted to the right kind of Indian youth. I’m not young, I’m not Indian, and I’m probably not the right kind, so clearly that goal has been abandoned.

Here are some more details of the two founders.

Gupta, who is 26, is an economics major who graduated in 2005, was working for a venture capital firm in Silicon Valley called Summit Partners until 2005. Her facebook profile is here; her LinkedIn profile is here. According to this website she once won the Ms Asia Oklahoma pageant (her hometown is listed as Shawnee in Oklahoma, although she lives in Atlanta.

Chordia, chief technology officer at Yaari, has a PhD in computer music, and is currently assistant professor at the Georgia Institute of Technology, according to his LinkedIn profile. His facebook profile is here.

There’s a video of them here. An interview with Gupta last year indicates that they’re going hell for leather for size:

We are focused on growing our user base and becoming India’s largest social networking site within the next two years. Our goal for the next year is to become one of India’s Top 10 Internet destinations.

What’s interesting is that nearly every site that mentions Yaari and allows comments contains sometimes angry complaints from users. In that sense Web 2.0 is very effective in getting the word out. Unfortunately if Yaari and its founders continue to commit such egregious abuses of privacy, we can’t be sure many people will trust such websites long enough for the power of networking sites to be properly realised.

(I’ve sought comment from Gupta, which I’ll include in this post when received.)

Is That a Virus on Your Phone or a New Business Model?

This week’s WSJ.com column (subscription only) is about mobile viruses — or the lack of them. First off I talked about CommWarrior, the virus any of you with a Symbian phone and Bluetooth switched no will have been pinged with anywhere in the world.

CommWarrior isn’t new: It has been around since March 2005. But this isn’t much comfort if you find yourself — as a lunch companion and I did — bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. “I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously,” says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses — usually lumped together under the catchall “malware” — and, despite lots of scare stories, I couldn’t find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I’m adding it here for anyone who’s interested. Apologies to those sources who didn’t get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it’s a Trojan, meaning it must be installed by the user, who thinks the program does something harmless). “In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY,” says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, Mr. Raihan isn’t happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. “We are a godsend to them,” he says of the mobile antivirus companies. “They are fear-mongering as there is not a significant problem with viruses in the mobile space.”

Technorati Tags: , , , ,

The Big Credit Card Theft

Trying to make sense of the massive theft of credit card numbers at CardSystems, ‘a leading provider of end-to-end payment processing solutions focused exclusively on meeting the needs of small to mid-sized merchants’, in which information on more than 40 million credit cards may have been stolen.

CardSystems itself has issued only a brief statement on its website (no permalink available) saying it had identified

a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.

Notice the careful language: It talks only of ensuring all ‘systems were secure’ — in the security industry this is like checking all the locks work while watching all the horses bolting off down the street. (And don’t the FBI work on Sundays? Why wait a day to let them know?)

Then there’s the question: Why wait almost a month to let us know? A separate story by AP quotes CardSystems as saying that

it was told by the FBI not to release any information to the public. The company says it’s surprised by MasterCard’s decision to go public.

Actually, not so, say the FBI: Another AP story quotes an FBI spokeswoman, Deb McCarley, as denying

that the agency told CardSystems not to disclose the existence of the intrusion. McCarley says the FBI told CardSystems to follow its corporate policies without disclosing details that might compromise the ongoing investigation.

In fact, a MasterCard statement suggests that it was they, not CardSystems, who first identified the breach:

MasterCard International’s team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor’s systems.

In the meantime CardSystems was pretending it was business as usual, including an announcement on June 14 of a move into check processing, and posting job-ads for a ‘Software Quality Assurance Analyst’ to cover, among other things, ‘troubleshooting from operations, production, and outside vendors’ who can work ‘in a very fast-paced, high-visibility organization where priorities often change’. Indeed.

Anyway, the scale of the thing is pretty awesome: Softpedia quotes experts as saying

that this is the worst case of data theft in IT history. “In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

And just how did the theft happen? Details are sketchy, probably because no one yet knows (the MasterCard software which identified the fraud did so by monitoring transactions, not the actual breach. In other words, they observed the stolen goods being peddled, not the actual break-in). According to another AP story, MasterCard has identified CardSystems as being ‘hit  by a viruslike computer script that captured customer data for the purpose of fraud’, but hasn’t given any more details. CardSystems itself is not talking:

CardSystems’ chief financial officer, Michael A. Brady, refused to answer questions and referred calls to the company’s chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves. A message left for Perry and Reeves at the company’s Atlanta offices was not returned.

Both Perry and Brady have been with CardSystems a little over a year.

Google News Discovers There’s A Reason Why Journalists Exist

Here’s an interesting take on Google News I hadn’t thought of before, from Dana Blankenhorn, an Atlanta-based writer. He’s mad at Google for apparently allowing in to its news trawl clearly partisan sites that aren’t news, but opinion. At the same time, he says. Google is separating out blogs from its news searches — possibly because it may launch a separate search engine, as part of its buyout of Blogger, former host to loose wire. So anything that uses blogging software is out, sites that don’t, but have some kind of ‘news’ on, are in.

As Dana points out, this leaves a very skewed picture of the news at a sensitive time in American politics. With so many candidates and activists running blogs — especially among the Democrats — the apparent decision to leave blogs out but others in is being used by Republican webmasters to push political views into what is a news site. “Given the current intensity of American politics, this has a real effect, and seems to give Google a real ideological bias,” Dana writes.

I haven’t explored this allegation more fully: It will be interesting to see what Google have to say. I guess the broad lesson from this is that Google News is a news site, and therefore has to abide by certain rules whether it likes it or not. But Google is not a news site, in the sense that it has journalists, editors and photographers out there making editorial decisions about what is news and what isn’t, since it automates its news searching and presentation. Indeed, it proudly acknowledges there are no humans involved.

So Google will have to make a choice: include everything in its news trawl to avoid accusations of bias (at the moment it numbers 4,500 news sources), restrict the news to only bona fide news outlets, or install a team of editors to ensure the material that appears on the website, and the way it appears, are balanced.

In the end, of course, news is not something computers do well. I know: I’ve seen big news agencies try to do it. Even simple stock market reports require some human distillation to make them meaningful (and not look silly). Google, perhaps, is just finding out that there’s no really cheap way to enter the news business.