Bits are Bits…Net Neutrality

But they say we'll all be better off this way (as they cut new content, innovation, consumer choice)

But they say we’ll all be better off this way (as they cut new content, innovation, consumer choice) – Imgur.com

What is net neutrality?

At its simplest, net neutrality holds that just as phone companies can’t check who’s on the line and selectively block or degrade the service of callers, everyone on the internet should start on roughly the same footing: ISPs shouldn’t slow down services, block legal content, or let companies pay for their data to get to customers faster than a competitor’s.

In this case, we’re also talking about a very specific policy: the Open Internet Order, which the FCC adopted in 2010. Under the order, wired and wireless broadband providers must disclose how they manage network traffic. Wired providers can’t block lawful content, software, services, or devices, and wireless providers can’t block websites or directly competing apps. And wired providers can’t “unreasonably discriminate” in transmitting information. The FCC has been trying in one way or another to implement net neutrality rules since 2005.

That was in the sidebar from The Verge’s article from May 14, 2014 called GAME OF PHONES: HOW VERIZON IS PLAYING THE FCC AND ITS CUSTOMERS

So very important!

Much more in the article.

I found that when I was reading a more recent article by arstechnica called Report: Verizon FiOS claimed public utility status to get government perks:

“It’s the secret that’s been hiding in plain sight,” said Harold Feld, senior VP of consumer advocacy group Public Knowledge and an expert on the FCC and telecommunications. “At the exact moment that these guys are complaining about how awful Title II is, they are trying to enjoy all the privileges of Title II on the regulated side.”

“There’s nothing illegal about it,” Feld, who wasn’t involved in writing the report, told Ars. However, “as a political point this is very useful.”

The FCC classifies broadband (such as FiOS) as an information service under Title I of the Communications Act, resulting in less strict rules than the ones applied to common carrier services (such as the traditional phone system) under Title II. But since both services are delivered over the same wire, Verizon FiOS is able to reap the benefits of utility regulation without the downsides.

Much more in this article as well.

Bits are bits. This is the point I have been pushing. Like water companies, electric companies and even telcos. There should be no fast lanes. There should be no place where they discriminate between bits. They are the water or electric company of the Internet. they provide the pipes that the data rides through. They should be simply providing the bits and not discriminating between them.

If they start discriminating between the bits, they set themselves up as the gatekeepers of the Internet. It opens the door to invasion of privacy and discrimination. It also stifles innovation by making it easier for big business to control the industry. It makes it exponentially harder for the next “Google” or “Yahoo” or other disruptive innovation to take off. If Google or Yahoo had to pay for fast lanes for their customers in the early days of the Internet, they never would have made it out of the gate. Neither will the next innovative and disruptive technology. And we will all be the losers if that happens. It will also make it harder for small businesses in general that might have an online component to their business to provide competitive services because they can’t afford to pay for those fast lanes. This will be true of small businesses that provide remote services as well as hosting, etc.

I think it is very important to contact the FCC and submit your thoughts on this very important issue of Net Neutrality which will affect us all in one way or another. Even if we are just users of the Internet, we will also feel the monetary impact, as well as freedom and privacy impact, and innovation impact. We always do.

What Do You Want Your Representatives to Ask Chairman Wheeler About Net Neutrality? – EFF.org:

Thus, Congress has an important role to play in the struggle for a neutral Internet. We know that members of the subcommittee are planning to re-write the Communications Act, and we know that letters from Congress members aren’t taken lightly by the FCC in the rulemaking process. That means it’s time to let our elected officials and the FCC know that we will fight to protect the future of our open Internet.

Here are three ways to join the debate and have your voice heard:

  1. Today, tweet your questions for FCC Chairman Wheeler during the Communications and Technology Subcommittee hearing using the hashtag #AskWheeler.
  2. Call your representative. Let’s be clear: any rules that allow Internet providers to discriminate against how we access websites would be a disaster for the open Internet.
  3. Submit comments in the FCC official rulemaking process. We’ve made it easy with our DearFCC.org public comment tool. It’s time to fill the FCC’s Open Internet docket with our voices and our stories. After all, it’s our Internet.

There are no easy solutions. But the FCC and Congress both want and need to hear from us. So let’s give them what they ask for. Let’s defend our Internet.

Advertisements

Heartbleed, OpenSSL and Perfect Forward Secrecy

If you want to know the quick and easy way to understand what Heartbleed is, How the Heartbleed Bug Works and what it means to you in very simple and elegant terms, there’s this wonderful xkcd cartoon today:

Heartbleed Explanation: How the Heartbleed Bug Works - xkcd.com - Click on image to go to the site to see it larger

Heartbleed Explanation: How the Heartbleed Bug Works – xkcd.com – Click on image to go to the site to see it larger

And that my friends is pretty much it in the nutshell.

Due to this ‘bug’ or what could be commonly called in days gone by as a type of buffer overflow condition causing leaking of information, sometimes serious and important information.

You will or at least you should be hearing from secure websites where you have made purchases and have accounts, as well as banks you use, and many more secure websites as they update their SSL Certificates.

Many have been working on this and many have already taken care of this on their servers.

Once it is taken care of, then you want to change your password but not before.

If the website was vulnerable, they should be contacting you, or when you login you will see a notice about it. Soundcloud.com was a good example. When I logged in today, they presented a banner across the top about the Heartbleed vulnerability.

When/If a secure website was vulnerable, they will be contacting you when they get this fixed on their website server, so you can change your password.

The sad thing is that this bug has been out there for at least 2 years!

Here’s a really good article about this in layman’s terms and there are several sites for testing supposedly secure websites for your banks, credit card companies, email, etc.:

Heartbleed OpenSSL Bug FAQ for Mac iPhone and iPad users – Intego.com Blog

What CERT and others are recommending to these websites that are vulnerable is to implement Perfect Forward Secrecy like StartPage.com and ixquick.com where they have this knowledge base article:
“Heartbleed” is a security vulnerability in OpenSSL (Secure Socket Layer) encryption that permits eavesdropping on communications and access to sensitive data such as passwords. Heartbleed gives read access to the memory of the encryption functions of vulnerable servers, allowing attackers to steal the private keys used to encrypt data transmissions.StartPage’s vulnerability to this attack was limited, since we had implemented a more secure, upgraded form of SSL known as Perfect Forward Security (PFS) in July 2013. PFS is generally supported by most recent browser versions. Since PFS uses a different “per-session” encryption key for each data transfer, even if a site’s private SSL key is compromised, past communications are protected from retroactive decryption.

Security is a moving target, and we work hard to stay ahead of the curve. Immediately after the Heartbleed security advisory, StartPage’s encryption modules were updated and encryption certificates were changed.

In independent evaluation, StartPage and Ixquick outscore other search engines on encryption standards, earning an A+ rating. See Qualys’ SSL Labs evaluation of StartPage’s encryption features here:
https://www.ssllabs.com/ssltest/analyze.html?d=startpage.com&s=69.90.210.72

This problem is serious and needs to be addressed, but don’t panic. Secure websites that are vulnerable are working on the problem that was discovered this week.

Wait to hear from companies about whether they were vulnerable and that they have fixed the vulnerability on their secure webservers before changing any passwords.

Some good things to note, Apple and Microsoft have already notified that their services are not vulnerable. Here’s the Hit List from Mashable:

The Heartbleed Hit List: The Passwords You Need to Change Right Now – Mashable

Some big names that you might be happy to hear were not affected according to the Mashable article:

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

All the Google servers have been updated:

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that that we can fix software flaws before they are exploited.

More in the article.

More information on Heartbleed:

EDIT: Please check the comments for some additional links that are very helpful and informative about the Bleeding Hearts Club by EFF.org, the vulnerable routers from Cisco/Juniper Networks as well as some additional VPN  and other products. And some good news about 1Password.

Certificate Authoritities, DigiNotar, GlobalSign, OSes, Browsers, Adobe, more

[tweetmeme source=”franscomputerservices” only_single=false]DigiNotar Breach Affected 531 Certificates (Tom’s Hardware):

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As a Aryeh Goretsky stated at Scot’s Newsletter Forums noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.

Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

Much more in this two page article where a link to Markham’s blog details more about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for *.google.com which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

The CNs concerned were as follows:

*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
http://www.cia.gov
http://www.facebook.com
http://www.sis.gov.uk

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…

This problem is not only related to issues of privacy related to people who’s lives would be in danger, but also, victims of malware purveyors as well.

Cryptographic keys for SSL sites are only as good as the honesty of the holder and issuer of those keys, as well as the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue them would like us to believe either. Anyone with money can purchase a SSL certificate, and there have been malware purveyors that have also bought them so folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and browser makers put out root certificates for their browers and show green or gold with the lock for those obtained by big name sellers of these certificates. So if you are legitimate site owner who creates their own to save money, you are automatically assumed to be ‘not legitimate’ by browsers and it shows as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products including Firefox, Thunderbird, et. revoking the certificates.

Opera has done the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users to take care of disabling and removing the DigiNotar certificates from the KeyChain so Safari and other browsers would be safer online on the Mac. Since then, Apple released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firms stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…

Bye Bye Google Plus

[tweetmeme source=”franscomputerservices” only_single=false]Some of you may have noticed I have removed my Google Plus account today. Others may think good riddance to another person who doesn’t get it.

But nothing could be further from the truth. I was one of Google’s real endorsers. But no more. Their real name policy has turned away many real people and that was never Google’s way before. So why now?

I have to say i loved Google. I generally don’t trust corporations online or off, but Google was one I thought and even through all this i really hoped they would turn this around and once again try to ‘do no evil’.

I guess the old saying is true — especially for corporations — Everyone has their price; even Google.

Sigh…

NOTE: see my last posting entitled A wave out to all my Google+ friends.

A wave out to all my Google+ friends

[tweetmeme source=”franscomputerservices” only_single=false]And other Google+ users who might soon be wondering where I went…

EDIT 9/6/2011: In the comments, I continue to add articles. I hope to have this be a pretty inclusive list of articles on this issue. If you know of one I have missed please feel free to leave a comment with the link. Thanks!

I have found that as much as I absolutely love Google+ the ‘social network’ — now known to be an ‘identity service’, I am leaving on 9/9 along with some others that have identified 9/9 as the day to leave. Hopefully it will have some impact even if it’s only a small overall number of users. But more than anything, I hope it will have a lasting impression regardless on how dangerous ‘identity services’ appearing to be ‘social networks’ can be.

Google has determined that Google+ aka Google Plus or G+ is to be an ‘identity service’ and that Google/Google+ require your real/common name not a pseudonym, pen name, stage name but only western style two name real/common names apparently.

Some may say so what. But others will know that this is a major issue and has been since Facebook started this trend. Here‘s my Google+ posting on this and this one reshared from Tom Anderson both which will be gone after 9/9.

Not to mention the fact that Google+ is linked to things like your GMail account, Google Search, Picasa, Youtube, Google maps/location data, Android apps purchases, and so much more — and even more of Google’s offerings as time goes on (and boy do they have a lot of social types of offerings or apps). And if you don’t like that and decide to leave G+, you are prompted to remove all, what they call connections to their ‘social apps’ linked to your G+ GMail account.

“Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why. (Todd Vierling on Google+)

Here’s just a couple early articles the weekend when Google started arbitrarily disabling accounts:

Google+ and the loss of online anonymity by Matthew Ingram (GigaOm)

Update: Complaints mount over Google+ account deletions by Juan Carlos Perez (Computerworld)

Dutch researcher downloads 35 million Google Profiles (State of Search)

So what’s the big deal? First, it’s a great security risk for users. Especially normal/average users since many business users already have their ‘real’ name out there and it’s part of their branding. I actually am one who has done just that. Fran Parker is Fran’s Computer Services and this posting is on my Fran’s Computer Services blog. And technically Fran Parker is a common variation on my real name, but that is ‘allowable’ on G+ because it is how I am commonly known. Also, there is some arbitrariness about it all too. If disabled users can ‘prove’ who they are, or can ‘prove’ that they have a ‘valid’ reason for allowing the ‘pseudonym’ to those at Google/G+ who handle complaints or vetting of those who want to try to get reinstated, you can be back in their good graces.

However I am leaving Google+ — and don’t get me wrong — it would certainly benefit me to stay on G+ and let their new service benefit my business networking online. Instead, I am leaving Google+.

My name is Clo | My Name Is Me

My name is Albatross | My Name Is Me

Why? I am leaving because Google has decided to build G+ as an identity service — in some ways like Facebook, but not really since G+ is a public profile server — yes, you can hide nearly everything but your public posts or responses to public posts, your +1 (think: Facebook Like), AND you can’t hide your real/common name because they make that public — and Google has changed the rules on their services so they can now link you, by name, and even by what you put in the field for ‘also known as’, or ‘nicknames’ field, on every one of their services and boy do they have a lot of services. And if you don’t believe me, try this. Especially if you are a member of Google+, search on your name, particularly your Google+ profile name.

Will cyberthugs exploit Google Plus ‘identity service’ for spear phishing attacks? by Darlene Storm (Computerworld)

What’s the big deal, you say? Oh, nothing much accept that by doing this, they have made each and every one of us a bigger phishing, actually more like spear phishing, and/or unethical hacking/cracking target by linking everything we do or say online. For business users whose names are linked to their branding, they live with that day in and day out and it’s a major pain, but they made that decision to deal with that consciously at some point. But the average user? I don’t think the average or normal user needs or wants those types of hassles. OK, so maybe you say, So what? It’s a greater security risk for users. You can be targeted so much easier by linking so much about yourself online. And there is this to think about:

Google fined in Brazil for refusing to reveal bloggers’ identities (TheNextWeb)

OK, and if that wasn’t bad enough. By limiting the ability to use pseudonyms, stage names, pen names, non-English Western civilization name standards, etc., Google is cutting of their nose to spite their face. And some folks have been known by nothing else but a pseudonym, pen name or stage name online for as much as 20+ years, by the way. But that’s OK, they don’t really want to be everyone’s Google+ friend, they obviously just want to make more money.

Why do I say that? Because all of this linking is data they can market with, sell to others in corporations, governments, highest bidder, whatever — in aggregate form of course, like Facebook does. Facebook makes a bundle on this already and Google apparently wants a piece of that action…well a bigger piece. Besides they already know you. Now they are getting your permission to basically track you further, and use more of your data that you share with them….errr, enter on their services, like Google+.

Also, but many of us have been working against abuse of marketing crap since Steve Gibson created OptOut when he became aware of the crap that was going on in the early days of computing online on the Internet. Marketing which was more like spyware than benign advertising in the newspapers or magazines where they can’t track you!

OK, enough about that side of things. Now on to the other side. The discrimination, the arbitrary decisions to disable accounts and require proof of who they are or the changing of their ‘name’ to something more western or 1st world or whatever you want to call it … two name (first and last name) like western countries do. Which is not at all like real/common names in other parts of the world.

Also, some folks really do need to use a pseudonym, or alternative name, stage name, pen name …whatever you want to call it. And many people in this type of situation would rightfully feel this is a discrimination against women. Many women have been stalked, have had abusive spouses or coworkers/bosses or have spouses or jobs where it would be ‘inconvenient’ (like they could lose their job or their spouses job for them or their position), if they were not able to speak out anonymously through a pseudonym.

There are so many angles on this issue. It was wrong when Facebook did it and it’s even more wrong (if there is such a thing) for Google to do it. Why is it more wrong for Google? Because we have higher expectations of Google. They have always tried to ‘do no evil’ in the past and now they will be right in the middle of it. Was ‘do no evil’ only to get people to trust them? Like Apple with their ‘think different’ and revolution anti-big brother stance in their 1984 commercial? But all the time they had other plans?

If you are not familiar, and it would likely be easy not to be familiar if you are not on G+ aka Google Plus service or have friends that are. Since it is an invite only ‘field test’ at the moment anyway, many would be not involved. But many geeks, technicians, artists, artisans, journalists, etc. are on it to help improve it and try it out as the new kid on the block in social networking. I have been one of these folks for some time now. First with a pseudonym which was quickly squashed through either someone turning me in for having a pseudonym or their algorithm bot got me because the name was obviously not a real name, and after that was disabled, I decided to come back as my business name.

Here are some, and just a few really of the articles that address the issues better than I could ever do:

Understanding the Nym Wars (BoingBoing) with several links and some great commentary


A Case for Pseudonyms (EFF.org)


Google+ Identity Crisis: What’s at Stake With Real Names and Privacy (Wired.com)

Violet Blue: just one of her many postings about Pseudonyms on G+ and she has a legitimate gripe and one of her articles on ZDNet


“Real Names” Policies Are an Abuse of Power (danah boyd blog)


Tracking the Nym Wars (G+ Insider’s Guide)

On Pseudonymity, Privacy and Responsibility on Google+ – Kee Hinkley

Why It’s Important To Turn the Tide on Google’s Real Name Policy (Botgirl’s Second Life Diary blog)

Who is harmed by a “Real Names” policy? (GeekFeminism – Wikia.com) (and related Pseudonymity article).

Who is harmed by a “Real Names” policy?

This page lists groups of people who are disadvantaged by any policy which bans Pseudonymity and requires so-called “Real names” (more properly, legal names).

This is an attempt to create a comprehensive list of groups of people who are affected by such policies.

The cost to these people can be vast, including:

  • harassment, both online and offline
  • discrimination in employment, provision of services, etc.
  • actual physical danger of bullying, hate crime, etc.
  • arrest, imprisonment, or execution in some jurisdictions
  • economic harm such as job loss, loss of professional reputation, reduction of job opportunity, etc.
  • social costs of not being able to interact with friends and colleagues
  • possible (temporary) loss of access to their data if their account is suspended or terminated

The groups of people who use pseudonyms, or want to use pseudonyms, are not a small minority (some of the classes of people who can benefit from pseudonyms constitute up to 50% of the total population, and many of the others are classes of people that almost everyone knows). However, their needs are often ignored by the relatively privileged designers and policy-makers who want people to use their real/legal names.


Nymwars – Wikipedia

The icing on the cake was Eric Schmidt the recent but former CEO of Google stating this (guess he can say anything now, eh?):

Eric Schmidt: Google+ Is An Identity Service; User Your Real Name Or Don’t Sign On (Huffington Post)

Schmidt: G+ ‘Identity Service,’ Not Social Network by David Gerard (slash dot or /.):

David Gerard writes
“Eric Schmidt has revealed that Google+ is an identity service, and the ‘social network’ bit is just bait. Schmidt says ‘G+ is completely optional,’ not mentioning that Google has admitted that deleting a G+ account will seriously downgrade your other Google services. As others have noted, Somewhere, there are two kids in a garage building a company whose motto will be ‘Don’t be Google.‘”

And here’s one I missed that I just saw over at Google+ on Nom DeB‘s profile posts:

Google+ Can Be A Social Network Or The Name Police – Not Both by Bob Blakley at Gartner Blogs

Really all you need to do to find out more about this is to search on Google or any other search engine for any number of combinations of words in this article.

Now we even have a place for Google Refuges to be able to link up after they leave Google+.

EDIT: grammer/clarity and to add Bob Blakley’s Gartner blog article. Also almost forgot my TWEETMEME link, and Added Todd Vierling’s “Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why.”

We love you Facebook but privacy and security are important

[tweetmeme source=”franscomputerservices” only_single=false]UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links

Yes, most of us do love our Facebook, or at least we enjoy the feature set and keeping in easy contact with our friends and family, but some of us feel that it is not worth the expense of our privacy and security and potential malware infections due to rogue apps on our own or others’ accounts. But Facebook privacy concerns are heating up. Or the risks from other sites getting at our data:

New security hole in Facebook through Yelp (here on our blog last week, apparently fixed now)
, or having our chats exposed to people other than those we are talking to, even if they are our friends.

So, you think Facebook is safe? Hmmm. Really?

* Hackers can delete Facebook friends, thanks to flaw (By Robert McMillan at ITWorld May 21, 2010):

A bug in Facebook’s Web site lets hackers delete Facebook friends without permission.

The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter’s Facebook friends list.

* Fake joke worm wriggles through Facebook (By John Leydon at The Register May 21, 2010)

Shifty sorts have created a new worm which spread rapidly on Facebook on Friday.

The malware, for now at least, does nothing more malicious than posting a message on an infected user’s Facebook wall that point to a site called fbhole.com. Nonetheless, the speed of its spread on the social networking site has net security experts worried.

* Facebook Fixing Embarrassing Privacy Bug (by Robert McMillan at NYTimes on May 19, 2010):

Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.

Facebook Violates Privacy Promises, Leaks User Info to Advertisers (by Tim Jones at Electronic Frontier Foundation May 21, 2010):

A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook’s privacy practices have not complied with its public statements and have disregarded users’ privacy rights. Just last week, when asked about Facebook’s privacy practices with advertisers, Facebook executive Elliot Schrage wrote:

We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.

As the Wall Street Journal report shows, this was not true. In fact, Facebook’s architecture at the time allowed advertisers to see detailed personal information about some Facebook users.

Much more in the article! Must read.

** Facebook privacy: Zuckerberg overruled? (By Richi Jennings at Computerworld IT Blogwatch May 19, 2010)

** Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers (By privacy advocate Ben Edelman at BenEdelman.org on May 20, 2010):

Browse Facebook, and you wouldn’t expect Facebook’s advertisers to learn who you are. After all, Facebook’s privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission. For example, on April 6, 2010 Facebook’s Barry Schnitt promised: “We don’t share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period.”

My findings are exactly the contrary: Merely clicking an advertiser’s ad reveals to the advertiser the user’s Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more.

In this article, I show examples of Facebook’s data leaks. I compare these leaks to Facebook’s privacy promises, and I point out that Facebook has been on notice of this problem for at least eight months. I conclude with specific suggestions for Facebook to fix this problem and prevent its reoccurrence.

The sexiest video ever? Facebook users hit by Candid Camera Prank attack (Graham Cluley’s Sophos Blog)

MASSIVE FACEBOOK ATTACK OVER THE WEEKEND (posted May 17, 2010 by Roger Thompson, AVG Blogs)

Facebook CEO’s latest woe: accusations of securities fraud (VentureBeat posted May 19, 2010 by Owen Thomas)

I sure hope that the BBC report is correct, “Facebook looks likely to cave into pressure from users and simplify its privacy settings in the near future.” But other places are saying Facebook is just simplifying the existing privacy settings.

I don’t think there are many people who have experienced Facebook that don’t love most of the features on Facebook–at least the ones that help you keep in contact with your friends and family, and share (on the Facebook site) your photos, videos, links to articles of interest, chatting, direct messaging, posting between yours and your friends/family members walls, sharing in holidays, or fun, happy, sad conversations, and more. But, Facebook is wrong about privacy – it really is still very important. It is important and for more reasons than many may think. Even the Wall Street Journal has acknowledged that Facebook, MySpace and other social networking sites are having to confront the privacy loophole.

But, when the trust that Facebook used to get people to sign up in the first place (a trust that your privacy is important to Facebook and will be protected by default – unlike MySpace, et al) is breached by that very same service, then there is a problem.

If you don’t remember the early days of Facebook, many of us do. Facebook did made claims that they would protect our privacy by default, that our privacy was important to Facebook. Zuckerberg made these ‘claims’ when they were trying to woo millions of MySpace’s users over to Facebook in Facebook’s early days. It worked too.

Privacy by default. What is that exactly? When Facebook started out and pushing to try to gain membership, and about the time that MySpace went through a huge privacy fiasco because new users had to immediately change their privacy settings if they didn’t want the whole world to see all their information (it was all public by default on MySpace). And many users, just like many new users at Facebook, didn’t know to change their settings, or even think about it. Many users were just not that savvy to know why it was even important to share only some information with the world/public. Or even understand why that might be a prudent move. But due to the marketing used by Facebook, people started to understand that privacy was important and they wanted their friends and family to be in a ‘safer’ environment. A place where they could connect and share with each other without concern that their data would be made public. After all, Mark Zuckerberg said he did care about our privacy (unlike the other guys).

Then after Facebook gets all these users, and gets them used to the convenience and ‘hooked’ on the service, THEN Facebook just seems to keep changing the rules — little by little — chipping away at the privacy and security standards that got them all the users in the first place. Not long after I finally joined Facebook, they went through this pretty big, and I actually deactivated my account at that time too. When Facebook changed their tune, I came back. Now they are doing it again, and even though I really enjoyed the service, I felt the need to again deactivate my account.

So, tell me, why would Facebook be surprised when users get up in arms about all these changes, especially in light of other security problems and vulnerabilities within their newest ‘features’ as well as their existing features? One group has even created a Facebook Group entitled, “1,000,000 Strong to leave Facebook by July 4 unless FB respects our privacy is on Facebook” (See there can be appropriate public facing things on Facebook). And EFF’s various articles enlightening folks about the changes and affects of those changes and how you can mitigate them, at least most of the problems.

Features are a great thing except when the service starts to change your privacy settings for you, and they don’t bother to tell you about it until after they have done it. That is a real problem of trust, because, if even for a short time, your data is left to the search engine spiders to start indexing data that shouldn’t have been made ‘public’ in the first place without user permission.

So, then users start complaining, and getting no satisfaction from the service because the changes they made will make them a ton of money, so some users start deactivating their accounts — many users are upset with Facebook, and for good reason. A basic trust was broken and it wasn’t by the users.

But privacy issues are not the only issues. There are also other security issues as well; vulnerabilities and more vulnerabilities. And only God knows how many more vulnerabilities are known by the bad guys that expose users’ data that are not yet known to the good guys.

I had already checked and reset all my privacy settings multiple times since December 2009 when this fiasco starting getting into high gear, even before the now known vulnerabilities that still put users at risk made me say, ‘enough is enough’. I still struggled with the decision before I decided I could put it off no longer. Even the benefits for business, family and friends wasn’t worth security risks not only directly but indirectly by friends who might get hit with these vulnerabilities, or the potential for unwise decisions about their accounts where their data might overlap with mine.

It is not an easy thing to make a decision to deactivate, or go through the hoops (or even find a link to get information) on deleting your Facebook account. Especially when you enjoy the service. And the service really is a good service, if not for the bad decisions about security and privacy have caused, and of course there are those related vulnerabilities. Sure they fix the vulnerabilities when they are made public, but how long was your data, your information, exposed through these vulnerabilities before it was brought to light?

The Consumerist actually did an article on deleting your Facebook account since it’s not easy to find. It’s entitled, “Delete Your Facebook Account Forever” by Ben Popken (April 20, 2010).

And if you think they will figure out all the vulnerabilities and then it will be safe, think again. Facebook is 440 Million strong and growing. Just like the huge bullseye target on Microsoft’s Windows’ back, Facebook is the biggest target in Social Networking. Too big for the bad guys to let it alone. It’s a treasure trove of information (and not just aggregate information like Facebook sells, oh, no, this is the actual connections, the actual information linked to individual people that’s at risk). Between the vulnerabilities, as well as some decisions by users regarding Friends, their choices of third party Facebook apps, and their privacy settings, this could become a real nightmare, very quickly, and for some it already has.

Have you ever thought how much information about you is actually public on Facebook? Or even on the Internet in general? What about your family and friend connections, or business connections? What about your choices regarding purchases, what you like or dislike? Do you want them made public? And Facebook has much of that information in one place just ripe for the picking. And who would want to pick that information? Even in aggregate form it is very valuable data, but to bad guys, it is fodder for social engineering, phishing attempts in email, potential ways to get malware on your system by presenting it as though it is from people you are friends with, and so much more.

It’s an especially hard decision when you have gotten used to keeping in contact with friends and family through one particular service via browsers and mobile devices. And it really is great to have a place where your family pictures (your children and grandchildren, travel/trips, conversations between many friends and family, and so much more), are right at your fingertips and can be posted, responded to, and still be safe from the prying eyes of the general public. At least that’s how it was, or at least we thought it was.

Of course, Facebook makes it even more difficult to make the choice to deactivate or delete your account. When you choose to deactivate, which by the way, doesn’t actually delete your data (in case you want to come back), Facebook tries to use emotional blackmail, err, pressure to try to keep you from deactivating your account. As you are trying to deactivate, they show you some pictures of your ‘friends’ and talk about how you won’t be able to contact your friends and family anymore, or your friends and family won’t be able to contact you anymore. As if Facebook is the ONLY way to contact your friends and family?! It might make it easier, but it’s not the ONLY way to keep in contact with your friends and family.

Also, note that Facebook doesn’t allow you to delete your own account on your own — you have to actually contact them directly to ask them to delete your account — as if you were an errant child who couldn’t be trusted to do this on your own?! Even MySpace and other social networking sites let you delete your own account!

Oh, no. This is not about whether you would be able to delete your account, this is about another attempt to coerce you to stay with Facebook. Besides they don’t actually delete your data, oh, no. They still make use of that data in aggregate form, it’s just not linked by your name supposedly, after your account is deleted:

How Companies Are Using Your Social Media Data (by Leah Betancourt at Mashable)

Facebook Data Mining: Not Just for Advertisers Anymore (SCI Social Capital Inc.)

More on Facebook, Privacy & Data Mining (by Greg Sterling at ScreenWerk)

data-extraction-facebook (Google Code website)

End of Year Data: Facebook Currently Leads (Data Mining: Text Mining, Visualization and Social Media)

Facebook Data Reveal Secrets of American Culture (by Matt Safford at LiveScience)

Microsoft Inks Twitter, Facebook Data Mining Deal (by Jennifer Martinez at GIGAOM October 21, 2010)

The Man Who Looked Into Facebook’s Soul (by Marshall Kirkpatrick at ReadWriteWeb February 8, 2010)

Even though it has been stated that at least 60% of users are upset and are actually considering one of these options (deactivation or deletion of their account), with over 400 million active users worldwide and over $300USD million in annual revenue (estimated in 2008) and ranked #2 site on the Internet in May 2010 according to Alexa, does Facebook even care? Have we just become so much advertising and data mining fodder that translate to hundreds of Millions of dollars annually (Billions over time) for Mark Zuckerberg and company? Is that what it was all about from the beginning? If some articles are to be believed, Mark Zuckerberg may have played a good game when he told us he was concerned about our privacy right from the beginning.

And we even have some who think that malware and hacking haven’t caught up with it all on Facebook … yet. But I think we have determined that this is not really the case.

So, even with all that, maybe you still feel it’s safe to continue to with Facebook, what next? There are some very good places to study up on how to make yourself as safe as possible, and understand the account and privacy settings, and their implications, and how they interact with each other and with your friends and the public. Things like ReclaimPrivacy and others are cropping up to help folks deal with their Facebook privacy that is so complex. Who knows if this will be squashed by Facebook, but it could help out right now to help get your settings set.

WindowsSecret’s Complimentary portion of their Newsletter has an excellent article by Scott Mace called, “Tighten your Facebook privacy settings” with a great outline of the various areas and some great thoughts on how to keep yourself as safe as you can be on Facebook.


Facebook Security | Facebook Privacy | Best Practices at Sophos
(be sure to read through all the pages listed on the right side – like WindowsSecrets, Sophos goes through all the different facets of Facebook)

Fast Company also has an article to help called, “Online Privacy: Check Yourself Before You Wreck Yourself

It’s your life, it’s your data, it’s your choice…what will you do?

UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links

Facebook account deactivated today

[tweetmeme source=”franscomputerservices” only_single=false]

Well, today is the day.

As much as I love Facebook, and enjoy the ability to keep in contact with family and friends easily, I have deactivated my account today in protest of their stance on privacy and the apparent lack of concern for their users by changing to the opposite stance on user privacy. It has been one step, after another over the last year or so. Desensitizing users to the changes they have made by doing it slowly.

Facebook sees dollar signs where we users are concerned. They have deluded themselves into thinking that with all the family and/friends connectios, and simplicity of keeping in contact with our Facebook friends, that we won’t be able to stop, that we are now hooked…”we have you now” in Darth Vader’s voice.

Is it true?

Not in my case at least. I let my friends and family know what I was doing. They support and understand. Will any of them do the same thing? I hope so…

We need to stand together to disallow Facebook a pass on the changes from supposed concern for users and user’s security and privacy to what it is today … where they are saying we don’t care about privacy by default. That we only see the connections we can make to other sites?!?! Facebook is saying proudly that they are the next MySpace … “now we control all these users and connections, and you as users have no privacy. Privacy is dead.”

Can we prove them wrong?

===

Edit: added some links to help make your decision:

With Facebook’s security and privacy standards under fire from all sides, suffice it to say that this is not a good time for one of the company’s investors to fall for a Facebook phishing scam. (Facebook phishing scam snares company board member – CNET – May 10, 2010 8:42 AM PDT )

Comparing Facebook’s latest product modifications to deadly natural disasters is probably a little bit inappropriate, but the psychological reaction doesn’t seem all that different. The social network modified its policies for handling user data once again as part of its F8 conference and release of the Open Graph API, and ever since it became clear that more information is being set as public by default and more is being shared with third parties, concerned Facebook users have been on jittery alert, perhaps prone to overreaction, concerned that something even bigger may be about to change. (Understanding Facebook’s privacy aftershocks – CNET May 6, 2010 3:51 PM PDT)

Criticism of Facebook (Wikipedia.com)

Four senators are adding their voices to criticism that Facebook Inc. doesn’t do enough to give its 400 million users easier ways to protect their privacy online. (Senators turn up the heat on Facebook privacy issues – SFGATE.com – April 28, 2010)

More links on my blog post, Bye, Bye, Facebook, Bye, Bye… AND ALL OVER THE WEB! Just do a search on facebook privacy issues on any search engine and read it and weep.