Archive

Archive for the ‘privacy’ Category

Google+ spotted in the wild

16 November 2011 Leave a comment

When Google plus hit in typical Google beta-fashion, some people put up an “I’ve moved” profile picture on Facebook, and left, or so their status update said.

Everyone that I saw do this is still active on Facebook. The trouble is that they have 300 contacts on Facebook, 200 on LinkedIn, and ten on Google+. (Actual values may vary, contact your friends for details.)

Forgetting the personal/social point of view, from a fan/corporate point of view, there are lots of “follow us on Twitter” or “like our Facebook page” links on websites, but none that say “Join our circle on Google+.” Until, that is, today, when my favourite motor racing team, Force India (I’m not sure I should put the sponsor’s name in front of that) *tweeted*

Join our circle on Google+ to share even more plus.google.com/i/1x6CO0EiYkI:…

This is the first time I’ve seen this in the wild. And the irony that they used another social media to inform us of their circle is not lost on me. I’m pretty sure that there will be no extra content for me, only extra work for the admins that run the team’s social media, as they now need to tweet, post on Facebook, possibly update blogs or websites, and now update Google+ as well. I’m not sure that Google+ is worth that effort at the moment.

The thing is, that I get overloaded with info. To me, there is no point in liking your Facebook page, if I get all your updates via RSS. And if I get your data from Facebook, I don’t need to see it in Google+.

One thing that really annoys me about messages from Google+ are that they don’t give a useful subject. Instead of saying “Alistair McDonald shared a post entitled ‘The red mist descends'” they just say “Alistair McDonald shared a post with you.” I’m NOT going to click that link, ‘cos I’m pretty sure if it was important, I’ll find out eventually. But, if the subject piqued my interest, then I might click. But clicking into a black hole – no way.

Another way I’m really going off Google is that now so many services require a unified email address/ID. I’ve stopped putting any information into YouTube (Favourites, subscribing to channels, etc.) because they want a Google ID. I already have one – well actually three – but I don’t want to join my email to my videos to my news page, maps page, or news alerts. (I know that Google can, and probably do, track my usage of these sites via cookies or embedded scripts, the point here is not privacy, but convenience for me. For example, I set my home location on maps.google.co.uk to be a zoomed in shot of my home. But since I needed to “unify” my Google accounts, now when I visit maps.google.fr or maps.google.lu, my home page is *still* in the UK. If you are viewing a UK map, then your searches default to the UK – so you get Birmingham, West Midlands, not Birmingham, Alabama. That’s a good feature. BUT, if I’m visiting the French map site, why on earth would I want to start from the UK, where all my searches are crazily misinterpreted. So, to work around this, I end up first searching for Paris, or Luxembourg, so that Google maps displays the correct country so that my searches will work. [Google pay for bandwidth and processing power, I don’t, so I lose time and they lose money. ] )

Getting back to the subject of Google+, as I said before, they need to get some client apps out there – there are dozens of Twitter clients – and that means that they need to stop trying to be so controlling over data and APIs. Part of the problem is that they are playing catch-up, and many competing services (this is business, it makes money, and so there is a real competitiveness to it) are much more free with, and, remember, Google see the usage data it collects as the most important thing that they have.

Why not take part in a little experiment: inspect the cookies that the browser(s) you use have collected. Maybe even try to delete them and see (a) how many similar ones reappear without you visiting the sites mentioned, and (b) see just how many services you can use after a single login.

Hacked email

26 October 2011 Leave a comment

I get emails from people who have had their online email accounts hacked, and spam email is issued. Normally, I just send them an email and hear nothing of it. But today I got a message (via another mechanism) that they were going to trash their email account.

The rest of this post is my message back to them. On reflection, I should have considered that their password was leaked internally from their email provider (one of the “big few” – i.e. google, hotmail or yahoo). And that this could happen from a rogue employee ($0.10 per email, here’s a text file) or from hackers getting illegitimate access.

But here goes:

I don’t think you need to discard the email account, but there are a couple of things to consider

How did you get hacked? Was it malware on your PC (you can pick up malware infections just from things like Adobe Flash-based adverts if there’s a security problem in the flash plugin, for example) or was it someone picking up a session cookie if you were using unencrypted WiFi (coffee shop/hotel) (read this post on cookie hijacking to see how it works). Or did you use someone else’s computer (colleague, internet cafe?) These are the three main categories (I’m discounting you turning into a spammer.)

No matter how it happened, visit https://browsercheck.qualys.com/ on a weekly basis – or more frequently – to check your browser(s) and plugins are up to date – you need to do this for each browser that you use, on each computer that you use.

So, how do you tell which one happened to you? I’d get some anti-virus and scan your PCs and see if they detect anything. If you’re technical enough, then the SysInternals “autoruns” tool tells you *everything* that starts when you start your PC and log in. You can google the various process names shown in Task Manager and ensure they are benign too.

So, if you have malware, the only totally secure thing to do is to wipe and reinstall your OS and applications – although you might want to trust antivirus to detect and repair, it’s not guaranteed. And if you can, try more than one anti-virus product (free versions available for several) but you might have to install one, scan your PC, uninstall it and then install another – they might not co-exist nicely.

If you’re PC is clean, but you use public Wifi, chances are that you have been victim of a cookie hijack. The solution is to either always use HTTPS (which is encrypted so no-one can “sniff” your cookie.) (Most sites now offer it, and I expect your email provider is one of them; google is now offering HTTPS for searches, let alone email/calendar/etc.), OR, if you have one available, *always* use a VPN (Virtual private network), which encrypts everything (including normal unencrypted http traffic, although your VPN provider can “sniff” stuff). Maybe your employer has a VPN, otherwise you can buy the service, I believe. And, best of all, if it was a cookie hijack, you can just log on and change your password, the hijacked cookie will be invalid afterwards. Maybe ask where you were accessing the net in the days immediately before the spam started – can you correlate a location with the date/time.

And if you think you’re the victim of a keylogger, it should appear as malware. Let me tell you that one thing I do when I’m using someone else’s computer is to *not* enter my password in one go. I use the *mouse* to move the cursor between keypresses, and build up my password. So if my password was 12345678, I might start by entering “56” then click (don’t use the keyboard, keystrokes might be logged, including the cursor keys) at the beginning and add “23”, then at click the end and add 8, then between the 3rd and 4th character and add the 4. It takes a bit of mental juggling, and I rarely use a PC I don’t trust.

So, depending on how you were hacked, is anything else at stake? If it’s malware, chances are that a keylogger has been installed, and so every keypress might have been recorded and then might have been transmitted. If you use the same password for many things, e.g. online email, work email, online banking, then you are at greater risk than if you use a different one for each service – even if the usernames are different, your identity might be linked to an account via publically available search info.I use a three-tier system – one password for sites I really don’t care if someone impersonates me on, a second for a few other things (access to my server, and email, and so on), and a third tier, where I use a different password for each system – things like online banking, the UK Government Gateway, etc.

So, the bottom line is that
1: Stopping using the account might not be enough
2: Stopping using the account might not be neccesary

And that’s what I sent. Did I miss anything apart from the password-leak-from-provider?

Update: I added
3: change all your important passwords anyway. Consider a 2/3-tier system.

Categories: online, privacy, Real Life, Software