A few days ago, Brian Krebs wrote a blog post that details a method of obtaining the LinkedIn e-mail addresses of its existing users. The method exploits the way LinkedIn connects people. When you make a new LinkedIn account, you are allowed to upload a list of e-mail addresses, and if any of those e-mails matches the e-mail of a LinkedIn user, LinkedIn will show you the profiles of those users.
The problem is that LinkedIn has no way of knowing whether you actually know the individuals on your list. This allows spammers to harvest e-mails by uploading a list of e-mail addresses that potentially belong to celebrities. Because many people use their real names in their e-mail addresses, it isn’t surprising that at least some guesses are correct.
This exploit clearly highlights the danger in Continue reading LinkedIn Feature Exposes E-Mail Addresses
Facebook is testing yet another feature that allows users to set a time for their status updates to disappear after a certain period of time. The feature is currently only available for certain people using the iOS app. Unlike Snapchat, which allows users to set a time limit of only up to 10 seconds for a photo, this new Facebook feature has a range of 1 hour to 7 days.
As Schneier argues, ephemeral messaging is very hard to get right. Thus, until we see evidence to the contrary, I would treat this new feature with as much skepticism as similar apps like Snapchat. This isn’t to say that ephemerality is inherently bad. The article does point out that “We need ephemeral apps, but we need credible assurances from the companies that they are actually secure and credible assurances from the government that they won’t be subverted.”
Until we do have secure ephemeral messaging, the best way to keep private information private is probably to refrain from posting or sending it in the first place. In the meantime, regardless of the security of ephemeral messaging, some messages just shouldn’t be posted at all. For example, unless you absolutely trust everyone on your friend list, a status update such as “I’m heading to Italy for a 2 week vacation” could be an invitation to burglarize your home. Does it matter that such a message disappears after 1 hour? The cat’s already out of the bag.
Apple has released a statement in which it denies that the recent celebrity photo hack resulted from a breach of iCloud or its Find My iPhone service. The company instead faults “a very targeted attack on user names, passwords and security questions.” Although Apple hasn’t yet detailed all the types of attacks that were used, at least one seems clear from its statement: the attackers likely guessed the answers to poorly chosen security questions.
A well-chosen security question can Continue reading Apple Provides An Update on Celebrity Photo Hack
The “Secret” app is supposed to allow people to share their secrets with friends, friends of friends, and the public. Clearly, once secrets are shared, they are no longer secret within the group to which they were revealed. However, the app claims to keep the identity of the sharer secret. According to founder David Mark Byttow, “You know who’s on the guest list, but you don’t know who is saying what.” But just how secret are posters’ identities? Continue reading 42 Vulnerabilities Found in “Secret” App So Far
Facebook has just introduced a feature that allows advertisers to track the behavior of users across devices (e.g. laptop, iPhone, desktop). The feature will allow advertisers to get a better picture of user behavior prior to a “conversion” (e.g. a purchase). According to Facebook’s Conversion Measurement page, other types of conversions can include “checkouts, registrations, leads, key page views, or customers adding items to a cart.”
Facebook has been Continue reading Facebook Introduces Cross-Device Tracking of Users
Google has revealed the identity of a Gmail user suspected of sending explicit pictures of a child, leading to his arrest.
In this case, a predator may have been caught, but the incident also indicates that your e-mail is not as private as you might like it to be. Google also recently failed to get a potential class action lawsuit, which alleges that it wiretaps Gmail, dismissed.
As Google itself has said, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”. These words serve as a sobering reminder that whenever you place any kind of information into the hands of Gmail, webmail providers in general, or any third-party service, even for completely legal purposes, you can expect that the information may be seen by humans other than your intended recipient (or at least scanning bots). This includes apps such as Snapchat, which, as I wrote in an earlier post, Bruce Schneier does not think we can rely on to protect our privacy.
The 3 Threats
Last week, a group of researchers released a paper detailing 3 major new threats to online privacy:
1. Canvas fingerprinting: The site has your browser draw a hidden image (typically text and shapes on an HTML5 canvas) and then reads the resulting pixels back. Differences in installed fonts, graphics hardware, and rendering stacks mean each browser is likely to draw the image slightly differently, so the result serves as an identifier for your browser without any cookie at all.
2. Evercookies: The site stores copies of its user identifier in alternative storage vectors and uses them to respawn deleted HTTP cookies. Such vectors include Flash cookies, localStorage, and IndexedDB, so clearing only the browser’s cookie jar does not remove the identifier.
3. Cookie Syncing: This is the practice of two or more sites (or third-party trackers) sharing a user identifier with each other, typically by passing one party’s ID to the other in a redirect or request. It allows them to join their respective databases and build a more detailed profile of their users’ browsing history than either could alone.
These methods are far more difficult to defend against than the use of traditional http cookies, which are easily deleted. Continue reading 3 Major New Threats to Online Privacy
Remember the controversy over Facebook’s psychology study of its own users? Dating site OkCupid has risen to Facebook’s defense, claiming that it too runs similar experiments on its own users.
OkCupid claims that such experiments are necessary for testing out products and features. Testing and obtaining user feedback in an effort to improve a service is one matter, but outright lying is quite another. One example of the kind of experiment OkCupid ran on its users was to tell people they were good matches when in fact they weren’t, leading them to send more messages. This kind of deception bears a remarkable similarity to Facebook’s manipulation of user news feeds.
As with Facebook, OkCupid has significant clout due to Continue reading Like Facebook, OkCupid also Experiments on its Users
Update (September 7, 2014): Today, I updated a computer to Java 8 Update 20. This time, I know for a fact that the boxes that lead to installation of an Ask program and change my home page settings were checked by default. Here’s what the installer for Java 8 Update 20 pops up:
Guess what? They changed the word “Toolbar” to “Search App”. Is that supposed to make the program more palatable? Giving the program a different name doesn’t change its nature. Nor does it change the fact that it’s an opt-out, rather than an opt-in, third-party program.
My original post (July 26, 2014):
Last week, I was updating Java on a computer when I got the following pop-up. Although I’m not 100% certain, I believe the box next to “Install the Ask Toolbar in Internet Explorer” was checked, thus installing a toolbar into the browser of any unwary user. This situation is not news; Oracle has been doing this for over a year already. Nevertheless, I thought I’d take a moment to remind everyone not to click those “next” buttons in program installers without reading what you’re agreeing to.
Many companies, including large and well-known ones, bundle third-party programs into the installers for their own software. When you’re updating a program, how often do you read through every prompt Continue reading Watch Out for Bundled Third-Party Software
In recent years, a question has been raised: Who should have access to your online accounts after your death? Apparently, a group of lawyers are trying to make it easier for your loved ones to get access. The article notes that “the plan is likely to frustrate some privacy advocates.”
However, I had a partially opposite reaction. Given Facebook’s recent record, I think I would hesitate before labeling Facebook the champion of user privacy. As a society, have we really gotten to the point where the secrets we share with companies like Facebook are more intimate than the secrets we share with our loved ones? Personally, I think if you have secrets stored on Facebook that you would hesitate to share with your loved ones, you should consider the possibility that you might be confiding in (e.g. sending private messages, making wall posts, giving biographical details) Facebook just a little bit too much.
That said, I said that my reaction was only “partially” opposite because everyone has secrets, and there may be other online services that do contain information that the deceased would wish to keep from their loved ones. For the sake of my privacy, though, I would hope if there are such secrets, the service in question is one that is worthy of my trust.