Hundreds of Facebook Groups Hacked

By | November 22, 2011


(Update UTC 2100: I’ve received a reply from Erik Hjort af Ornäs, the registrant of the site itself, and have included his statement below and in the comments, as well as that of Facebook. Both deny any hacking took place.)

A hacker, or group of hackers, has found a back door into taking over Facebook groups, and is now doing so, claiming it to be a public service. It has taken over up to 300 different Facebook groups so far.

This is an example of one:

image

On each of them the group name is changed to Control Your Info, the group logo is changed and its description is altered to:

Hello, we hereby announce that we have officially hijacked your Facebook group.
This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severely.
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out www.controlyour.info for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
Best regards
/controlyour.info

A message is then sent to all members of that group.

The method is explained on the hackers’ website:

Facebook Groups suffer from a major flaw. If an administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

When you’re admin of a group, you can basically do anything you want with it. You can change its name, and the group’s members won’t even get a notification of it. You can send mails to all members and edit info. This is just one example that really shows the vulnerabilities of social media. If you choose to express yourself on the internet, make sure the expressions are your own and not a spammer’s. This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways. Remember, control your info! Also, this project is strictly not for profit and done for a good cause.

It’s not clear to me how they search on Google for recently departed admins, but I’m sure it’s relatively easy.

Neither is it clear who is behind the website itself. The site is registered to one Erik Hjort af Ornäs of Stockholm. I’m emailing him to seek more information. Here is his statement:

Our main goal is to draw attention to questions concerning online privacy awareness.

We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered this is a widespread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.

Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we wouldn’t have communicated this way, our message would probably have fallen into oblivion the moment it got out.

So, what exactly did we do and how?

We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.

So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.

During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:

§ 4.1  “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.

We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.

Facebook is apparently not aware of this bug in their software. In response to an emailed query, Facebook denies that there is any bug in its software, that any hacking took place or, apparently, that there was any mass takeover of groups. According to a spokesperson:

There has been no hacking and there is no confidential information at risk.  The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.  Group administrators have no access to confidential information and group members can leave a group at any time.  For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members.  The names of large groups cannot be changed nor can anyone message all members.  In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

My comment on this: 300-odd Facebook accounts hacked—or usurped, or hijacked, or whatever you want to call it—is not a ‘rare instance’. What’s more, the groups I checked were very much still active. I frankly don’t find the Facebook response particularly helpful or reassuring.

It’s hard to see how this public service helps—the group, or individual, should be approaching Facebook and helping them plug the hole. This tactic is likely to sow confusion and fear among the Facebook populace, and possibly lead to the erasure of some treasured data on those defaced groups.
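An added example, not from the original post, the controlyour.info site or Facebook: a sketch of how a platform's abuse team could detect the pattern described above, where an account joins a group whose last administrator has left, makes itself administrator and at once renames the group or messages its members. The event names, account names and the 24-hour window are assumptions, and the audit events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit events (timestamp, group, actor, action); not real platform data.
EVENTS = [
    ("2008-03-01T09:00", "g3", "erin", "join"),
    ("2009-11-01T10:00", "g1", "alice", "admin_leave"),
    ("2009-11-02T10:00", "g2", "bob", "admin_leave"),
    ("2009-11-03T10:00", "g3", "carol", "admin_leave"),
    ("2009-11-04T12:00", "g3", "erin", "self_promote"),
    ("2009-11-09T08:00", "g1", "acct_x", "join"),
    ("2009-11-09T08:01", "g1", "acct_x", "self_promote"),
    ("2009-11-09T08:02", "g1", "acct_x", "rename"),
    ("2009-11-09T08:05", "g2", "acct_x", "join"),
    ("2009-11-09T08:06", "g2", "acct_x", "self_promote"),
    ("2009-11-09T08:07", "g2", "acct_x", "rename"),
    ("2009-11-09T08:08", "g2", "acct_x", "message_all"),
]
INITIAL_ADMINS = {"g1": {"alice"}, "g2": {"bob"}, "g3": {"carol"}}
FOLLOW_UPS = {"rename", "edit_description", "change_picture", "message_all"}

def detect_takeovers(events, initial_admins, window=timedelta(hours=24)):
    """Flag self-promotions in admin-less groups by accounts that joined within `window`."""
    admins = {g: set(a) for g, a in initial_admins.items()}
    joined, findings = {}, {}
    for ts, group, actor, action in sorted(events):
        when = datetime.fromisoformat(ts)
        group_admins = admins.setdefault(group, set())
        if action == "join":
            joined[(group, actor)] = when
        elif action == "admin_leave":
            group_admins.discard(actor)
        elif action == "self_promote":
            abandoned = not group_admins      # no administrator left in the group
            group_admins.add(actor)
            join_time = joined.get((group, actor))
            if abandoned and join_time and when - join_time <= window:
                findings[(group, actor)] = {"at": when, "follow_ups": []}
        elif action in FOLLOW_UPS and (group, actor) in findings:
            hit = findings[(group, actor)]
            if when - hit["at"] <= window:    # changes made right after the takeover
                hit["follow_ups"].append(action)
    return findings

def mass_actors(findings, threshold=2):
    """Accounts that took over at least `threshold` abandoned groups."""
    per_actor = defaultdict(set)
    for group, actor in findings:
        per_actor[actor].add(group)
    return {a: sorted(g) for a, g in per_actor.items() if len(g) >= threshold}
```

A long-standing member who steps up after the administrator leaves (erin in g3) is not flagged; only fresh joiners are, and `mass_actors` surfaces the same account repeating the pattern across groups.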

SideWiki’s Wish Fulfilment

By | November 22, 2011

A piece in today’s Guardian attracted my attention–“SideWiki Changes Everything”—as I thought, perhaps, it might shed new light on Google’s browser sidebar that allows anyone to add comments to a website whether or not the website owner wants them to. The piece calls the evolution of SideWiki a “seminal moment”.

The column itself, however, is disappointing, given that SideWiki has been out six weeks already:

Few people in PR, it seems, have considered the way that SideWiki will change the lives of beleaguered PR folk. In time, this tool will significantly change the way brands strategise, think and exist. SideWiki is going to challenge PR by providing the masses with the tool for the ultimate expression of people power, something uncontainable that will need constant monitoring.

The author, one Mark Borkowski, offers no examples of this happening, so the piece is very much speculation. In fact, I’d argue that SideWiki has been something of a damp squib:

image

A, by the way, marks the launch, so the interest fell off dramatically almost immediately.

So who is right? I can find very little evidence that people are using SideWiki in the way that Borkowski suggests. A look at 10 top U.S. companies (not the top 10, but a cross section) indicates that only one company has ‘claimed’ its SideWiki page, and that few users, so far, have made use of SideWiki to express their views about the company:

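| Company | Entries | Claimed | Comments |
|---|---|---|---|
| Walmart | 2 | No | Even |
| Exxon Mobil | 0 | No | |
| Chevron | 0 | No | |
| GM | 0 | No | |
| Apple | 20+ | No | Even |
| Monsanto | 0 | No | |
| Starbucks | 0 | No | |
| White House | 2 (blog posts) | No | |
| Blackberry | 2 | Yes | Even |
| Microsoft | 20+ | No | Negative |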

Now I’m not saying that SideWiki isn’t going to be an important way for people to get around websites’ absence of comment boxes or lack of contact information. I’d love it if that was the case. I’m just saying there’s very little evidence of it so far, so to argue that is premature at best, and poor journalism at worst.

And here’s the rub. Mark Borkowski is not a journalist. He doesn’t claim to be; he’s a PR guy. But how would you know that? The Guardian page on which his comment sits does not clearly indicate that; indeed, the format is exactly the same as for its journalist contributors:

image

Only at the bottom does one find out that he “is founder and head of Borkowski PR.”

image

I have no problem with PR guys writing comment pieces for my favorite newspaper. I just want to know that is who they are before I start reading. (I can hear the argument being made that Borkowski is a well-known name in the UK, so this shouldn’t be necessary. But that doesn’t hold water. The affiliation of all writers should be clearly indicated.)

The problem? Anyone who is not a journalist—and many who are–has an interest, and that interest should be clearly declared. In Borkowski’s case, he works in PR, and is clearly suggesting that PR agencies need to work harder in this space:

The social media world encloses our personal and professional actions – the only answer for PR folk is to take a more active role in being brand custodians, representing a higher degree of brand and reputation management.

In other words, he’s indirectly touting for business. Once again, nothing wrong with that if the piece is clearly tagged as an opinion piece—which it may be, in the print version. But here, online, there’s no such indication.

Of course, one should also check that the writer does not have a financial or business interest in the product and company being written about, in this case Google. I can find none on his website, but that I have to check—that it’s not clearly flagged on the piece itself—is not something I or other readers should have to do.

Bottom line? The Guardian isn’t alone in this. The Wall Street Journal does it too. But I don’t think it helps these great brands to, wittingly or unwittingly, dismantle the Chinese Walls between content by its own reporters and those outsiders who, however smart and objective they are, have interests that readers need to know about.

SideWiki changes everything | Mark Borkowski | Media | The Guardian

Is Microsoft Censoring Windows 7 Tweets?

By | November 22, 2011


Intrigued to see that Microsoft has turned a page of its website over to “What people are saying about Windows 7”:

image

The page is designed a bit like Twitterfall: a cascade of seemingly “live” tweets (their dates and times of posting cleverly removed from the cascade).

Amazingly, 99% of the comments are positive, or at least neutral:

image

So I thought I would check to see whether the feed has some filtering. The feed seems to include comments going back several days (the one above is six days old), so I thought it fair to search over that same period. A more nuanced picture emerges. “Windows7 sucks,” for example, throws up at least 20 tweets in the past week, none of them visible in the cascade.

So clearly some sort of filtering is going on. To check I sent out this faux tweet from an unused account and haven’t, 30 minutes on, seen anything:

#windows7 win7 is a disaster. uninstalling it right now

As Lydia Pintscher points out at Amarok Blog, this filtering and pseudo-conversation is all quite unnecessary. It’s clear the majority of people actually quite like Windows 7 (though I’d be interested in their reactions in a few months; my experience down the track has been less impressive.)

The point is that Microsoft would be foolish to allow an unfettered feed—people would quickly cotton on and put all sorts of rubbish in there.

But if it tries to pretend that the page is somehow live, and that it’s a conversation, then they also need to be smarter about reflecting the full range of views out there.

They also need to understand the organic nature of hashtags. The Microsoft website asks users to “join the conversation” by including hashtags #win7 or #windows7 in their tweets—which many were already doing, it’s an obvious step to make—but they also asked those who had bought Windows 7 to include the hashtag #igotwin7.

So far, the number of people who have is, er, two; one of them is Microsoft itself:

image

Social media lesson #4: You can start a conversation but you can’t control it. Try and you look silly. 

Hoodiephobia, Or We Don’t Lie to Google

By | November 22, 2011

Boris johnson the knight

Does what we search for online reflect our fears?

There’s a growing obsession in the UK, it would seem, with ‘hoodies’—young people who wear sports clothing with hoods who maraud in gangs. Michael Caine has just starred in a movie about them (well, a revenge fantasy about them.) This Guardian piece explores the movie-making potential of this phenomenon.

Recently a female documentary film maker was saved from a group of iron bar-wielding “feral girls” by the bike-riding mayor of London (I’ve always wanted to write the headline for the story).

So is this “growing fear” reflected online?

Well, yes, it is.

Here’s what a graph of British people searching for ‘hoodies’ looks like:

image

As you can see, it’s been a growing interest, more than doubling in the past five years.

But it’s also showing a weird seasonal element. Interest drops off in the summer months, and then rises towards the end of the year. Every year for the past five years, searches have peaked in either December or November. The lowest point each year is June or July.

I don’t know why that is. One guess would be that in the summer attacks tail off. It would be interesting to see if there’s any correlation there with the actual figures on attacks. (Update: Commenters have rightly pointed out that the seasonal interest probably has more to do with online shoppers. Thanks, and sorry for not thinking of this.)

The Guardian piece quotes research by the group Women in Journalism back in March as finding that, among other things, 79% of adults are more wary of teenage boys than they were a year ago, and that the most commonly used descriptions of such boys in the UK press were ‘yobs’ and ‘thugs’ followed by ‘sick’, ‘feral’, ‘hoodies’ and ‘louts’ (PDF version of the report is here.)

Online, however, the trend is clearer: ‘Hoodie’ (light blue) is the preferred search term, and has been since late 2006, replacing the ‘thug’ and ‘scum’ of the mid 2000s:

image

I don’t know whether this is meaningful, but another word used to describe this perceived underclass of British youth is ‘chav’, a term of obscure origin. Compare searches for the words ‘chav’ and ‘hoodie’ and you see this:

image

Clearly the word ‘chav’ (in red) was most popular—or one that people were hearing but not familiar with, and so needed to look it up—in late 2004. It has been in decline since then and has indeed been overtaken by ‘hoodie’ (in blue):

image

I don’t know whether this is meaningful or not. Wikipedia cites ‘chav’ as common parlance by 2004 (unfortunately Google’s data does not go further back than that, but the rise in 2004 is clear.)

I tend to believe that Google searches are as revealing as anything else about what people are interested in, or worried about—indeed more so than surveys, because people don’t lie to Google.