Another Facebook Hole?

By jeremy | November 22, 2011

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.

Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:

Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.

The Big Chill Hits Google

By jeremy | November 22, 2011

1 Comment

So is Google, like, the new Yahoo?

Google is closing some of its services, or at least no longer supporting them. Which for me is a tad sad, since I’ve always loved prodding around inside the Googleplex, convinced that one day all these disparate services would come together in the same way Google Docs, Calendar and Gmail have. I thought Chrome would be the centerpiece of all this. Now, maybe not.

But no. Jaiku is now open source, meaning it’s not going to become Google’s competitor to twitter or anything like that. For me Jaiku had tons of potential because it seemed to understand that many of us work from our cellphone as much as our laptop. Anyway, it’s not going to happen.

Google Notebook is also on the deathlist. Another shame: While I never used it as much as I should have done, I have been busy divining a catch-all answer to everything, and the Notebook app, and its Firefox extension, was a key part of it. Google has said it’s no longer supporting it, but existing users will be able to continue to add and access their material.

The other thing they’re dumping is Google Video. It always took a back seat to Youtube, but for me that was a good thing. No inane comments, and no restrictions on file size. The result was a mostly classy collection of videos. Gone.

So what should we use instead? Well much of what you do in Google Notebooks could as easily be done in Evernote, while others recommend Zoho Notebook. Jaiku? Well, Facebook and twitter, and I guess FriendFeed, have already moved into the space that Jaiku looked so likely to dominate, once upon a time.

I feel sorry for the guys who started Jaiku. They were an impressive and fun bunch, when you could understand them. I hope they walked away with a decent stash.

Directory of Distraction-free Writing Tools

By jeremy | November 22, 2011

7 Comments

(2009 June: added two no delete editors)

Editors

A working list of tools to reduce writers’ distraction. I’ve been using some of them for a while; I was inspired by Cory Doctorow’s latest post on the matter to collect what I could together. All are free unless otherwise stated.

No backspace/delete editors

Typewriter “All you can do is type in one direction. You can’t delete, you can’t copy, you can’t paste. You can save and print. And you can switch between black text on white and green on black; full screen and window.” Freeware, all OS.

Momentum Writer Same idea, really. “Momentum Writer is the ultimate tool for distraction-free writing. Like a mechanical typewriter, users are prevented from editing previously written text. There are no specific formatting options, no scrolling, deleting, or revisions. Momentum Writer doesn’t even allow you to use the backspace key. Momentum Writer forces you to write, to move forward, to add new words. It halts the temptation to linger, revise, and correct. Momentum Writer is a typewriter for your PC.” Freeware, for Windows.

Multiplatform

JDarkroom (works on Windows, Macs and Linux, thanks. Tris): “simple full-screen text file editor with none of the usual bells and whistles that might distract you from the job in hand.”

Windows

TextEdit (there seems to be a Mac product of the same name. The Windows website is under reconstruction so I can’t grab a description, but downloads are available.)

NotePad ++ “a generic source code editor (it tries to be anyway) and Notepad replacement written in c++ with win32 API. The aim of Notepad++ is to offer a slim and efficient binary with a totally customizable GUI.”

EditPad “a general-purpose text editor, designed to be small and compact, yet offer all the functionality you expect from a basic text editor. EditPad Lite works with Windows NT4, 98, 2000, ME, XP and Vista.” Lite is free; Pro is $50

PSPad code editor

And some so-called ‘dark room apps’ which blank out the outside world:

WestEdit “a full screen, old-school text editor and typewriter. No fuss, no distractions – just you and your text.”

Dark Room: “full screen, distraction free, writing environment. Unlike standard word processors that focus on features, Dark Room is just about you and your text.”

Q10: “a simple but powerful text editor designed and built with writers in mind.”

Mac

TextMate: “TextMate brings Apple’s approach to operating systems into the world of text editors. By bridging UNIX underpinnings and GUI, TextMate cherry-picks the best of both worlds to the benefit of expert scripters and novice users alike.” ($54)

The Mac dark room is WriteRoom “a full-screen writing environment. Unlike the cluttered word processors you’re used to, WriteRoom is just about you and your text.” ($25)

GNOME etc

gedit

Distraction reducers

Write or Die: “web application that encourages writing by punishing the tendency to avoid writing. Start typing in the box. As long as you keep typing, you’re fine, but once you stop typing, you have a grace period of a certain number of seconds and then there are consequences.”

Another Online Banking Hole

By jeremy | November 22, 2011

0 Comment

(Update: corrected a few things. You can’t see the person’s bank account number. But you can see anyone’s phone bill, whether or not they’re a customer of that bank.)

—

Here’s a hole in Internet banking that allows anyone with an account at a bank to look up other ~~customers’~~ people’s bills–tax, water bill, Internet bill, landline, cellphone—so long as they have that person’s account or phone number.

This means, for example, I can enter a telephone number and—so long as that person ~~pays their phone~~ has an unpaid bill ~~at that bank~~—I can find out their name. Think of it as a reverse phone book.

~~Not only that: I get their bank account number.~~

It needn’t stop there. If I was the social engineering type, I could then call up the phone company and give them enough information—the name, phone number and bill amount—and persuade them to send me the itemised bill.

The same is true, I’m told, of all bills that can be paid at that bank.

In short, this kind of access gives me enough personal information to socially engineer all sorts of attacks. The mind boggles.

The bank is a well-known Indonesian one—making this sort of attack particularly dangerous–but it’s probably not alone in failing to ensure a validation procedure for its customers. I’ve not had the chance to explore it; most banks, I believe, would require not a phone number but a bill reference number to access this kind of information.

The problem here is that the people who set up the service didn’t imagine that someone might enter a telephone number or bill number that wasn’t their own. Techies need to think like thieves and real people when they set these things up.

Us ordinary folk? We need to stay on our toes and yell at banks that compromise our personal data in this way. I believe the bank in question knows of this breach but as of the time of writing, it’s not yet fixed.

Technorati Tags: banking,security,social engineering,breach

The Conflict of Interest of CO2

By jeremy | November 22, 2011

4 Comments

Quite a hoo ha over one of those weekend type stories whose headline in the Times of London says it all:

Revealed: the environmental impact of Google searches

Physicist Alex Wissner-Gross says that performing two Google searches uses up as much energy as boiling the kettle for a cup of tea

The article liberally quotes Wissner-Gross “a Harvard University physicist whose research on the environmental impact of computing is due out soon.” Lower down the storiy It also says “Wissner-Gross has submitted his research for publication by the US Institute of Electrical and Electronics Engineers and has also set up a website www.CO2stats.com.”

True. Though what it doesn’t say is that the website—and Wissner-Gross–directly benefits from this kind of research. C02Stats offers clients plans, ranging from $5 a month to $100, to calculate their websites total energy consumption, make it more energy efficient, and then neutralizes their carbon footprint by buying renewable energy from wind and solar farms.

The startup is funded by Y Combinator, which specializes in giving modest funding—about $10,000—to small startups. Indeed, Wissner-Gross, an environmental fellow, has set up four such companies.

Now, the research may well be right. (Some doubt it.) And the idea of certifying websites is not a bad idea. But I guess what troubles me is that an academic is able to publish research which tries to prove a point which would benefit the same academic’s business which offers green certification which depends upon a service which the business sells.

I’m sure it’s not the only example, but it strikes me as quite a compromise going on there.

Technorati Tags: green tech,environment,co2,co2stats,google