Here’s what we talked about today:
- Steve Jobs: how bad is it for him and for Apple?
- The future of games: the opertoon?
- French parking meters snitch on overstayers.
(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)
The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.
Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.
Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.
That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.
So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:
Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.
In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.
What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.
I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.
So is Google, like, the new Yahoo?
Google is closing some of its services, or at least no longer supporting them. Which for me is a tad sad, since I’ve always loved prodding around inside the Googleplex, convinced that one day all these disparate services would come together in the same way Google Docs, Calendar and Gmail have. I thought Chrome would be the centerpiece of all this. Now, maybe not.
But no. Jaiku is now open source, meaning it’s not going to become Google’s competitor to twitter or anything like that. For me Jaiku had tons of potential because it seemed to understand that many of us work from our cellphone as much as our laptop. Anyway, it’s not going to happen.
Google Notebook is also on the deathlist. Another shame: While I never used it as much as I should have done, I have been busy divining a catch-all answer to everything, and the Notebook app, and its Firefox extension, was a key part of it. Google has said it’s no longer supporting it, but existing users will be able to continue to add and access their material.
The other thing they’re dumping is Google Video. It always took a back seat to Youtube, but for me that was a good thing. No inane comments, and no restrictions on file size. The result was a mostly classy collection of videos. Gone.
So what should we use instead? Well much of what you do in Google Notebooks could as easily be done in Evernote, while others recommend Zoho Notebook. Jaiku? Well, Facebook and twitter, and I guess FriendFeed, have already moved into the space that Jaiku looked so likely to dominate, once upon a time.
I feel sorry for the guys who started Jaiku. They were an impressive and fun bunch, when you could understand them. I hope they walked away with a decent stash.
(June 2009: added two no-delete editors)
A working list of tools to reduce writers’ distraction. I’ve been using some of them for a while; I was inspired by Cory Doctorow’s latest post on the matter to collect what I could together. All are free unless otherwise stated.
Typewriter “All you can do is type in one direction. You can’t delete, you can’t copy, you can’t paste. You can save and print. And you can switch between black text on white and green on black; full screen and window.” Freeware, all OS.
Momentum Writer Same idea, really. “Momentum Writer is the ultimate tool for distraction-free writing. Like a mechanical typewriter, users are prevented from editing previously written text. There are no specific formatting options, no scrolling, deleting, or revisions. Momentum Writer doesn’t even allow you to use the backspace key. Momentum Writer forces you to write, to move forward, to add new words. It halts the temptation to linger, revise, and correct. Momentum Writer is a typewriter for your PC.” Freeware, for Windows.
JDarkroom (works on Windows, Macs and Linux, thanks, Tris): “simple full-screen text file editor with none of the usual bells and whistles that might distract you from the job in hand.”
TextEdit (there seems to be a Mac product of the same name. The Windows website is under reconstruction so I can’t grab a description, but downloads are available.)
Notepad++ “a generic source code editor (it tries to be anyway) and Notepad replacement written in c++ with win32 API. The aim of Notepad++ is to offer a slim and efficient binary with a totally customizable GUI.”
EditPad “a general-purpose text editor, designed to be small and compact, yet offer all the functionality you expect from a basic text editor. EditPad Lite works with Windows NT4, 98, 2000, ME, XP and Vista.” Lite is free; Pro is $50
PSPad code editor
And some so-called ‘dark room apps’ which blank out the outside world:
WestEdit “a full screen, old-school text editor and typewriter. No fuss, no distractions – just you and your text.”
Dark Room: “full screen, distraction free, writing environment. Unlike standard word processors that focus on features, Dark Room is just about you and your text.”
Q10: “a simple but powerful text editor designed and built with writers in mind.”
TextMate: “TextMate brings Apple’s approach to operating systems into the world of text editors. By bridging UNIX underpinnings and GUI, TextMate cherry-picks the best of both worlds to the benefit of expert scripters and novice users alike.” ($54)
The Mac dark room is WriteRoom “a full-screen writing environment. Unlike the cluttered word processors you’re used to, WriteRoom is just about you and your text.” ($25)
Write or Die: “web application that encourages writing by punishing the tendency to avoid writing. Start typing in the box. As long as you keep typing, you’re fine, but once you stop typing, you have a grace period of a certain number of seconds and then there are consequences.”
(Update: corrected a few things. You can’t see the person’s bank account number. But you can see anyone’s phone bill, whether or not they’re a customer of that bank.)
—
Here’s a hole in Internet banking that allows anyone with an account at a bank to look up other people’s bills—tax, water bill, Internet bill, landline, cellphone—so long as they have that person’s account or phone number.
This means, for example, I can enter a telephone number and—so long as that person has an unpaid phone bill at that bank—I can find out their name. Think of it as a reverse phone book.
Not only that: I get their bank account number.
It needn’t stop there. If I was the social engineering type, I could then call up the phone company and give them enough information—the name, phone number and bill amount—and persuade them to send me the itemised bill.
The same is true, I’m told, of all bills that can be paid at that bank.
In short, this kind of access gives me enough personal information to socially engineer all sorts of attacks. The mind boggles.
The bank is a well-known Indonesian one—making this sort of attack particularly dangerous–but it’s probably not alone in failing to ensure a validation procedure for its customers. I’ve not had the chance to explore it; most banks, I believe, would require not a phone number but a bill reference number to access this kind of information.
The problem here is that the people who set up the service didn’t imagine that someone might enter a telephone number or bill number that wasn’t their own. Techies need to think like thieves and real people when they set these things up.
Us ordinary folk? We need to stay on our toes and yell at banks that compromise our personal data in this way. I believe the bank in question knows of this breach but as of the time of writing, it’s not yet fixed.
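The design flaw the post describes, as a constructed Python example added here (not the bank’s own code): a bill lookup that trusts whatever phone number is typed in, beside one that only answers for numbers registered to the logged-in customer and keeps a refusal count a defender could watch. The customers, numbers, amounts and the REGISTERED_PHONES table are all invented.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Bill:
    payer_name: str
    amount: int                       # constructed sample amounts, in rupiah
    owner_customer_id: Optional[str]  # None: the payer is not a customer of this bank


# Constructed sample data: two outstanding phone bills payable through the bank.
BILLS: Dict[str, Bill] = {
    "0812-0000-0001": Bill("Ani", 150000, "cust-A"),
    "0812-0000-0002": Bill("Budi", 95000, None),
}
# Assumption: each customer has registered the numbers they are allowed to pay for.
REGISTERED_PHONES: Dict[str, Set[str]] = {"cust-A": {"0812-0000-0001"}, "cust-B": set()}


def lookup_bill_insecure(customer_id: str, phone: str) -> Optional[dict]:
    """The design the post describes: being logged in is the only check, so any
    customer can turn any phone number into a name and an amount."""
    bill = BILLS.get(phone)
    return None if bill is None else {"name": bill.payer_name, "amount": bill.amount}


class NotAuthorised(Exception):
    pass


DENIED: Dict[str, int] = {}  # per-customer count of refused lookups, for monitoring
GENERIC_REFUSAL = "no bill for that number is registered to this account"


def lookup_bill_secure(customer_id: str, phone: str) -> dict:
    """Hardened form: the number must be registered to the requesting customer.
    A foreign number and an unknown number fail with the same message, so the
    response no longer reveals whether a bill exists for that number."""
    if phone not in REGISTERED_PHONES.get(customer_id, set()):
        DENIED[customer_id] = DENIED.get(customer_id, 0) + 1
        raise NotAuthorised(GENERIC_REFUSAL)
    bill = BILLS.get(phone)
    if bill is None:
        raise NotAuthorised(GENERIC_REFUSAL)
    return {"name": bill.payer_name, "amount": bill.amount}


def looks_like_enumeration(customer_id: str, threshold: int = 3) -> bool:
    """Detection hook: repeated refusals from one account are the signature of
    someone probing numbers that are not theirs."""
    return DENIED.get(customer_id, 0) >= threshold
```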