Google Chrome to abandon older versions of Windows and Mac OS X April 2016


Back in November of 2015, Google made an unwelcome announcement which was some very bad news for older Windows and older Mac OS X users.

On their Google Chrome Blog posting at that time, Google announced that it will stop providing updates to Google Chrome for the following Windows and Mac OS X versions:

  • Windows XP
  • Windows Vista
  • Mac OS X 10.6 (Snow Leopard)
  • Mac OS X 10.7 (Lion)
  • Mac OS X 10.8 (Mountain Lion)

NOTE: Linux 32-bit Distribution users see the end of this article for your sad news too, but most of you are already aware of this since it happens this month!

This does not mean Google Chrome will stop working on these OS versions — which would almost be better, security-wise. Instead, Google has decided to simply stop providing updates to the installed versions of Google Chrome on these OS versions.

This is very bad news since Google Chrome has Flash built in (and updated as needed along with Google Chrome itself), so these older versions of Windows and Mac OS X will be doubly vulnerable. Over the years, these users have gotten used to not having to update Flash separately, as you need to do with other browsers like Firefox, Safari, Opera, earlier versions of Internet Explorer, Pale Moon, etc. Because Flash is built into Google Chrome, these abandoned users will not be getting the Flash updates either.

This will make these older, non-updated versions of Google Chrome extremely vulnerable to browser attacks from infected websites. Malware purveyors will quickly adjust their attacks (if they have not already, in anticipation of this change) to look for these older systems running outdated, vulnerable versions of Google Chrome as a new attack vector against these abandoned Windows and Mac users.

Those thinking that being a Mac user will make you impervious to attack, think again. Browser attacks are one thing that every operating system, including Windows, Mac and Linux, has been subject to these days. Sure, Windows users get hit more often, but that is because they are the biggest user base and have the largest target on their back; Mac users and Linux users can still get hit at times if they have outdated operating systems, Flash, Java, etc. Even Android has been hit by a banking trojan recently – reported March 9, 2016 by ESET’s We Live Security Blog.

With other browsers, you could simply remove Flash from the system and be done with it if you were concerned about it and didn’t mind losing the ability to see YouTube videos and other Flash supported content on other websites. Although, with HTML5 support coming right along, that could be moot.

Some might be quick to blame Adobe Flash, but apparently this is not the case as Adobe is quick to point out in at least two places that they support these OSes:

Plus other browsers such as Firefox clearly still support these OSes and Flash on these OSes. However, they will have to update their supported browsers to NOT include Google Chrome after April 2016 unless Google rethinks all this for at least a couple of the newer, of the older, OS versions. 😉

If Google does not give a reprieve/stay of execution, then once Adobe makes its final update to Adobe Flash in April 2016 and Google updates Google Chrome for the final time for these OS versions with that last Flash version included, that will apparently be the last Google Chrome update, and thereby the last Flash update, that these Google-abandoned OSes will see from Google, based on the Google Chrome blog article posted November 2015.

Google has been very quiet on the subject since then, so there is no reprieve or stay of execution even for the newer of the OS versions to be abandoned: Windows Vista and Mac OS X 10.8 (Mountain Lion).

It seems quite harsh to drop support for these two OS versions (Vista and Mac OS X 10.8 (Mountain Lion)) since Google supported the earlier noted OS versions like Windows XP and Mac OS X 10.6 (Snow Leopard) for so many years! But there it is.

If you are using one of these older OS versions of Windows or Mac OS X, read it and weep for the loss of a great browser like Google Chrome, and it may be wise to make the move to Mozilla Firefox, newest version to date 44.0.2 (which STILL supports Mac OS X 10.6 Mountain Lion), or Opera (which has NO support for Mac OS X 10.6 Mountain Lion, but does support Lion and Mountain Lion); neither has, so far, abandoned these users. But they are not the only players still in the game…

There is also another browser project that has gained a lot of popularity among Windows users — the Pale Moon browser. There are versions for Windows: Pale Moon, Pale Moon 64, Portable. There are also versions for Atom/XP, Linux and Android on the Download tab on the website.

There is also a Mac OS X version of Pale Moon 26.1.1 Unofficial available as of February 2016. As noted on their forum page:

Important note:
The Mac OSX version of Pale Moon is still very much in development. Your assistance in bringing this build to fruition is greatly appreciated, but you can expect there to be bugs and problems for a while yet!
Any specific bugs you find that don’t have their own topic yet: please make a new topic; one bug per topic please to keep things organized.
Please also note that these builds are currently created by BitVapor and Moonchild will likely not be able to provide insight or assistance due to lack of Mac hardware and OS/build knowledge for Mac.


Windows XP Vista already shows No Support Yellow Info band in Google Chrome

Those using these older versions of Windows (see image to the right) and Mac are already getting an annoying yellow warning info band across the top of their Google Chrome browsers. It is advising them to move to a more modern operating system. Wise move on Google’s part, and it also serves to show that they do not appear to be backing down from their November 2015 announcement.

That means Google Chrome users on these systems will need to address the issue in one of several ways: upgrading to a more modern operating system where possible; getting a newer computer with a more modern operating system (preferable, security-wise, since all of these operating systems are old and most have been abandoned by their creators anyway, except Vista, whose end of support comes next, in April 2017); or, barring all that, changing to a supported browser, or using an extension to address the old-version-of-Flash issue (see the end of this article posting).

If you move to another browser, it will be very important to keep Adobe Flash updated yourself, since after April 2016 only Google Chrome on Windows 7, 8.1 and Windows 10, or on Mac OS X Mavericks, Yosemite and El Capitan, will include Flash updates automatically with browser updates.
NOTE: In addition, in Windows 8.1, the latest versions of Internet Explorer (IE10, IE11), and of course the new Edge browser on Windows 10 include Flash built in and updated for you like Google Chrome does.

Older versions of Windows and Mac are not the only users to be abandoned/axed by Google Chrome in early 2016. ALL 32-bit Linux distribution versions are also being abandoned this month, March 2016, as noted in BetaNews, Slashdot, PCWorld and other news outlets back in November and December 2015.

Even though many and maybe even most computers these days are 64-bit, there are still a lot of 32-bit computers and 32-bit operating systems in use around the world today so this may be a move forward for 64-bit, but it is also a sad day for all the 32-bit hardware/operating systems worldwide.

Of course, there are still several browsers like Firefox, Opera and Pale Moon available for Linux 32-bit computers — just as there are for Windows and Mac users. There are also some alternative browsers based on Firefox available (Pale Moon, noted earlier here, is included), and distro-specific versions of Firefox like Iceweasel in Debian Linux, etc.

For all users of Google Chrome, there are some Flash blocking or control Extension possibilities that can protect everyone, but particularly these older users from having Flash run all the time if they choose to continue to use Google Chrome:

Bits are Bits…Net Neutrality


But they say we’ll all be better off this way (as they cut new content, innovation, consumer choice) – Imgur.com

What is net neutrality?

At its simplest, net neutrality holds that just as phone companies can’t check who’s on the line and selectively block or degrade the service of callers, everyone on the internet should start on roughly the same footing: ISPs shouldn’t slow down services, block legal content, or let companies pay for their data to get to customers faster than a competitor’s.

In this case, we’re also talking about a very specific policy: the Open Internet Order, which the FCC adopted in 2010. Under the order, wired and wireless broadband providers must disclose how they manage network traffic. Wired providers can’t block lawful content, software, services, or devices, and wireless providers can’t block websites or directly competing apps. And wired providers can’t “unreasonably discriminate” in transmitting information. The FCC has been trying in one way or another to implement net neutrality rules since 2005.

That was in the sidebar from The Verge’s article from May 14, 2014 called GAME OF PHONES: HOW VERIZON IS PLAYING THE FCC AND ITS CUSTOMERS

So very important!

Much more in the article.

I found that when I was reading a more recent article by Ars Technica called Report: Verizon FiOS claimed public utility status to get government perks:

“It’s the secret that’s been hiding in plain sight,” said Harold Feld, senior VP of consumer advocacy group Public Knowledge and an expert on the FCC and telecommunications. “At the exact moment that these guys are complaining about how awful Title II is, they are trying to enjoy all the privileges of Title II on the regulated side.”

“There’s nothing illegal about it,” Feld, who wasn’t involved in writing the report, told Ars. However, “as a political point this is very useful.”

The FCC classifies broadband (such as FiOS) as an information service under Title I of the Communications Act, resulting in less strict rules than the ones applied to common carrier services (such as the traditional phone system) under Title II. But since both services are delivered over the same wire, Verizon FiOS is able to reap the benefits of utility regulation without the downsides.

Much more in this article as well.

Bits are bits. This is the point I have been pushing. Like water companies, electric companies and even telcos, there should be no fast lanes. There should be no place where they discriminate between bits. They are the water or electric company of the Internet. They provide the pipes that the data rides through. They should be simply providing the bits and not discriminating between them.

If they start discriminating between the bits, they set themselves up as the gatekeepers of the Internet. It opens the door to invasion of privacy and discrimination. It also stifles innovation by making it easier for big business to control the industry. It makes it exponentially harder for the next “Google” or “Yahoo” or other disruptive innovation to take off. If Google or Yahoo had to pay for fast lanes for their customers in the early days of the Internet, they never would have made it out of the gate. Neither will the next innovative and disruptive technology. And we will all be the losers if that happens. It will also make it harder for small businesses in general that might have an online component to their business to provide competitive services because they can’t afford to pay for those fast lanes. This will be true of small businesses that provide remote services as well as hosting, etc.

I think it is very important to contact the FCC and submit your thoughts on this very important issue of Net Neutrality which will affect us all in one way or another. Even if we are just users of the Internet, we will also feel the monetary impact, as well as freedom and privacy impact, and innovation impact. We always do.

What Do You Want Your Representatives to Ask Chairman Wheeler About Net Neutrality? – EFF.org:

Thus, Congress has an important role to play in the struggle for a neutral Internet. We know that members of the subcommittee are planning to re-write the Communications Act, and we know that letters from Congress members aren’t taken lightly by the FCC in the rulemaking process. That means it’s time to let our elected officials and the FCC know that we will fight to protect the future of our open Internet.

Here are three ways to join the debate and have your voice heard:

  1. Today, tweet your questions for FCC Chairman Wheeler during the Communications and Technology Subcommittee hearing using the hashtag #AskWheeler.
  2. Call your representative. Let’s be clear: any rules that allow Internet providers to discriminate against how we access websites would be a disaster for the open Internet.
  3. Submit comments in the FCC official rulemaking process. We’ve made it easy with our DearFCC.org public comment tool. It’s time to fill the FCC’s Open Internet docket with our voices and our stories. After all, it’s our Internet.

There are no easy solutions. But the FCC and Congress both want and need to hear from us. So let’s give them what they ask for. Let’s defend our Internet.

Heartbleed, OpenSSL and Perfect Forward Secrecy

If you want to know the quick and easy way to understand what Heartbleed is, How the Heartbleed Bug Works and what it means to you in very simple and elegant terms, there’s this wonderful xkcd cartoon today:


Heartbleed Explanation: How the Heartbleed Bug Works – xkcd.com – Click on image to go to the site to see it larger

And that, my friends, is pretty much it in a nutshell.

This ‘bug’, which in days gone by would commonly have been called a type of buffer overflow condition, causes leaking of information, sometimes serious and important information.
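As an added illustration of the bug class, not code from OpenSSL or from the cartoon, here is a small parser for the TLS heartbeat message (RFC 6520) that applies the bounds check the vulnerable OpenSSL versions lacked: the payload length the sender claims must fit inside the bytes that actually arrived. The sample messages are constructed for the example.

```python
"""Length check on a TLS heartbeat message (added example, not OpenSSL's code).

RFC 6520 lays a heartbeat message out as: 1-byte type, 2-byte payload_length,
payload, then at least 16 bytes of random padding. The Heartbleed bug was that
the server trusted payload_length and echoed that many bytes from memory even
when the message actually carried far fewer. The parser below applies the
check the OpenSSL fix added: the declared length must fit inside the record.
"""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 section 4: padding MUST be at least 16 bytes


def parse_heartbeat(record: bytes):
    """Return (type, payload) for a well-formed message, or None if it must be dropped.

    RFC 6520 section 4: if payload_length is too large for the message, the
    receiver MUST discard the message silently.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The missing bounds check: header + claimed payload + minimum padding must
    # not exceed what actually arrived. Without it, the echo below would read
    # past the message into whatever else the process had in memory.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_length]


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Encode a heartbeat message with fresh random padding (RFC 6520 section 4)."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + os.urandom(MIN_PADDING)


def answer_heartbeat(record: bytes):
    """Server side: echo the payload of a valid request, ignore anything else."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed inputs: an honest 5-byte ping, and a message whose header claims
# a 16384-byte payload while carrying only 5 bytes plus padding.
HONEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
OVERSIZED = struct.pack("!BH", HEARTBEAT_REQUEST, 16384) + b"hello" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("honest   ->", parse_heartbeat(HONEST))
    print("oversized->", parse_heartbeat(OVERSIZED))
```

The honest message is echoed back with the same 5-byte payload; the oversized one is discarded before any copy happens, which is the whole fix. Note the check uses the length of the record that was actually received, never the length field inside it.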

You will or at least you should be hearing from secure websites where you have made purchases and have accounts, as well as banks you use, and many more secure websites as they update their SSL Certificates.

Many have been working on this and many have already taken care of this on their servers.

Once it is taken care of, you will want to change your password, but not before.

If the website was vulnerable, they should be contacting you, or when you login you will see a notice about it. Soundcloud.com was a good example. When I logged in today, they presented a banner across the top about the Heartbleed vulnerability.

When/If a secure website was vulnerable, they will be contacting you when they get this fixed on their website server, so you can change your password.

The sad thing is that this bug has been out there for at least 2 years!

Here’s a really good article about this in layman’s terms and there are several sites for testing supposedly secure websites for your banks, credit card companies, email, etc.:

Heartbleed OpenSSL Bug FAQ for Mac iPhone and iPad users – Intego.com Blog

What CERT and others are recommending to these websites that are vulnerable is to implement Perfect Forward Secrecy like StartPage.com and ixquick.com, where they have this knowledge base article:

“Heartbleed” is a security vulnerability in OpenSSL (Secure Socket Layer) encryption that permits eavesdropping on communications and access to sensitive data such as passwords. Heartbleed gives read access to the memory of the encryption functions of vulnerable servers, allowing attackers to steal the private keys used to encrypt data transmissions.

StartPage’s vulnerability to this attack was limited, since we had implemented a more secure, upgraded form of SSL known as Perfect Forward Security (PFS) in July 2013. PFS is generally supported by most recent browser versions. Since PFS uses a different “per-session” encryption key for each data transfer, even if a site’s private SSL key is compromised, past communications are protected from retroactive decryption.

Security is a moving target, and we work hard to stay ahead of the curve. Immediately after the Heartbleed security advisory, StartPage’s encryption modules were updated and encryption certificates were changed.

In independent evaluation, StartPage and Ixquick outscore other search engines on encryption standards, earning an A+ rating. See Qualys’ SSL Labs evaluation of StartPage’s encryption features here:
https://www.ssllabs.com/ssltest/analyze.html?d=startpage.com&s=69.90.210.72
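The StartPage note above claims that a per-session key keeps a leaked private key from retroactively decrypting recorded traffic. The toy below, an added example that is neither StartPage's, OpenSSL's nor any library's code, models that claim over one Diffie-Hellman group: a "static" handshake where the server's long-term secret is the key-exchange secret (the same shape as RSA key transport), and an "ephemeral" one where the long-term key only signs a fresh per-session share. It assumes the RFC 2409 1024-bit group purely for illustration, HMAC as a stand-in for the certificate signature, and SHA-256 as a stand-in for the TLS key derivation.

```python
"""Toy model of forward secrecy (added example; not StartPage's or OpenSSL's code).

Two handshake shapes over the same Diffie-Hellman group:
  * static:    the server's long-term private value IS its key-exchange exponent
               (like RSA key transport: learn the key later, decrypt every session);
  * ephemeral: the server picks a fresh exponent per session and only signs its
               share with the long-term key (DHE/ECDHE, i.e. forward secrecy).
The "attacker" then gets the recorded transcript plus the leaked long-term key,
which is the Heartbleed scenario, and tries to recover the session key.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2. Used here only
# so the arithmetic is realistic; modern TLS uses larger groups or X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def rand_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


def derive_key(shared: int) -> bytes:
    """Stand-in for the TLS PRF: hash the DH shared secret into a session key."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def sign(long_term: int, value: int) -> bytes:
    """HMAC stands in for the server's certificate signature (toy, not RSA/ECDSA)."""
    key = long_term.to_bytes(128, "big")
    return hmac.new(key, value.to_bytes(128, "big"), hashlib.sha256).digest()


def handshake(server_long_term: int, forward_secret: bool):
    """Run one handshake; return (transcript, session_key).

    The transcript is exactly what a passive eavesdropper could record.
    """
    if forward_secret:
        server_exp = rand_exponent()       # fresh per session, never written down
        server_share = pow(G, server_exp, P)
        signature = sign(server_long_term, server_share)
    else:
        server_exp = server_long_term      # long-term key reused as DH exponent
        server_share = pow(G, server_exp, P)
        signature = b""
    client_exp = rand_exponent()
    client_share = pow(G, client_exp, P)
    # Both sides reach the same secret: (G^c)^s == (G^s)^c  (mod P)
    shared_client = pow(server_share, client_exp, P)
    shared_server = pow(client_share, server_exp, P)
    assert shared_client == shared_server
    transcript = {"client_share": client_share, "server_share": server_share,
                  "signature": signature, "forward_secret": forward_secret}
    # client_exp / server_exp are dropped here; nothing retains them.
    return transcript, derive_key(shared_client)


def attacker_recovers(transcript: dict, leaked_long_term: int):
    """What a passive eavesdropper can do once the long-term key leaks.

    Static: the leaked value is the key-exchange secret, so the session key
    falls straight out of the recorded client share.
    Ephemeral: the key only explains the signature; the exponents were never
    on the wire and were discarded, so there is nothing to exponentiate with.
    """
    if transcript["forward_secret"]:
        expected = sign(leaked_long_term, transcript["server_share"])
        assert hmac.compare_digest(expected, transcript["signature"])
        return None
    shared = pow(transcript["client_share"], leaked_long_term, P)
    return derive_key(shared)


def demo() -> dict:
    """Same leaked key, two recorded sessions: which one does it open?"""
    long_term = rand_exponent()
    t_static, k_static = handshake(long_term, forward_secret=False)
    t_dhe, k_dhe = handshake(long_term, forward_secret=True)
    return {
        "static_recovered": attacker_recovers(t_static, long_term) == k_static,
        "dhe_recovered": attacker_recovers(t_dhe, long_term) == k_dhe,
    }


if __name__ == "__main__":
    print(demo())
```

The leaked key opens the static session and not the ephemeral one. Forward secrecy only covers the past, though: with the signing key an attacker can still sign shares of its own and impersonate the server until the certificate is replaced, which is why the note above also says the certificates were changed.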

This problem is serious and needs to be addressed, but don’t panic. Secure websites that are vulnerable are working on the problem that was discovered this week.

Wait to hear from companies about whether they were vulnerable and that they have fixed the vulnerability on their secure webservers before changing any passwords.

Some good things to note: Apple and Microsoft have already announced that their services are not vulnerable. Here’s the Hit List from Mashable:

The Heartbleed Hit List: The Passwords You Need to Change Right Now – Mashable

Some big names that you might be happy to hear were not affected according to the Mashable article:

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

All the Google servers have been updated:

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that we can fix software flaws before they are exploited.

More in the article.

More information on Heartbleed:

EDIT: Please check the comments for some additional links that are very helpful and informative about the Bleeding Hearts Club by EFF.org, the vulnerable routers from Cisco/Juniper Networks as well as some additional VPN and other products. And some good news about 1Password.

Support Ends today for Windows XP and Office 2003

RIP Windows XP and Office 2003!

Well, like it or not, Windows XP Home and Professional, as well as Microsoft Office 2003 support ends today, April 8, 2014.


Windows XP Home and Professional Support Ends today, April 8, 2014!


Windows XP support end: 10 steps to cut security risks – ZDNet

“While doing nothing is an option, we do not believe that most organisations — or their auditors — will find this level of risk acceptable,” vice president and Gartner fellow Neil MacDonald said in a report, Best practices for secure use of XP after support ends.

Between 20 percent and 25 percent of enterprise systems are still running XP, and one-third of organisations continue to use it on more than 10 percent of their machines, Gartner estimates.

For those still using the venerable OS after the end of routine Microsoft updates and security patches, MacDonald has come up with 10 best practices to minimise the risks.

Rest in Peace, Windows XP – PCMag SecurityWatch


Rest in Peace Windows XP 2001-2014 You will be missed! Image links to PCMag article.

This is the end. Your Windows XP computer will get its last update today. Oh, it’s not going to roll over and kick the bucket, but continuing to use it will be more and more dangerous, since any new vulnerabilities that arise won’t be patched. We checked in with a number of security experts to discuss just how risky life will be for those who continue to run XP.

It’s the end of the line for Windows XP – USAToday

The software — introduced in an era before texting, Facebook, Snapchat, the iPhone and iPad — has lingered thanks to the reluctance of many consumers and small businesses to change. Despite its age, XP is the No. 2 computer operating system, and many folks are in store for a rude wake-up call.

Microsoft on Tuesday ceases official support for XP. The company will no longer issue patches or system updates to protect against viruses and other malware. If you run into any snags at all, you won’t be able to call Microsoft for technical assistance.

Microsoft Ends Support for Windows XP – Mashable

“Microsoft has provided support for Windows XP for the past 12 years. But now the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences,” wrote Microsoft in an announcement.

Launched on October 25, 2001, Windows XP is one of the most successful Microsoft products ever; its successor, Windows Vista, was quickly replaced with Windows 7, and it took as long as September 2012 for Windows 7 to overtake XP as the most popular desktop operating system.

Microsoft ends support for Windows XP and Office 2003 – TheNextWeb

If you’re wondering why April 8, 2014 is the date support for both of these products ends, it’s really quite simple. Microsoft releases regular patches on Patch Tuesday, the second Tuesday of every month.

Microsoft supports its products for many years, and depending on when service packs as well as successors are released, the company eventually announces, in advance, when it will cut off support. April 8 happens to be the last Patch Tuesday for both products, meaning if security holes are found after today’s date, they won’t be plugged.

Excellent point!

Netmarketshare.com for Operating Systems pulled today showed March 2014 tallies:


Netmarketshare, as of March 2014, pulled today, still shows Windows XP as 27.69% of the market share. Link goes to netmarketshare.com

I personally still find it unbelievable that Microsoft, or any company really, would retire/pull support for an OS that still garners nearly 30% of Windows users around the world.

Of course if you are an Enterprise company that can afford $200 PER PC for the first year, and increasing amounts each year THEREAFTER for Windows XP updates (security updates only by the way)…

Windows XP support will be available after April 8—just not for you – PCMag

Meet Microsoft’s Custom Support for Windows XP, described as a last-ditch effort for big businesses to quite literally buy some more time to migrate from Windows XP to a more modern operating system. The U.K. paid 5.548 million pounds to Microsoft for an additional year of support to maintain critical and important security updates for Windows XP, Office 2003, and Exchange 2003. Otherwise, Microsoft plans to end support for Windows XP by April 8.

Microsoft has been warning about the demise of Windows XP support since September, 2007, and Custom Support will extract a heavy toll from businesses that were too slow to act: up to $5 million per year (according to a report from Gartner), negotiated on a custom, per-company basis. Last year, Gartner issued a report claiming that the prices could go as high as $200 per PC, per year. The firm called such prices “punitive”.

Should consumers get the same break?

To date, Microsoft has given no indication that it will extend consumer support for Windows XP after the April 8 deadline, even though it has extended anti-malware support through July, 2015. After that date, any and all vulnerabilities found for Windows XP will live on forever, even though there are some avenues to keep your PC safe and protected after the deadline expires.

BTW: Apple‘s Mac OS X Mavericks holds 3.75% of the market (putting it between Windows 8.1 and Vista); however, if you include all Mac OS X operating systems listed: Mac OS X 10.6 at 1.29% (support ended), Mac OS X 10.8 at 1.18%, Mac OS X 10.7 at 1.05%, Mac OS X 10.5 at 0.24% (support ended), Mac OS X 10.4 at 0.06% (support ended), and Mac OS X with no version reported at 0.01%, then the total is 7.58% of the operating system total market share (which puts it on the low end between Windows XP and Windows 8).

But, that does mean that only 1.59% of all Mac OS X users are running expired versions with no support.

Compare that with 27.69% of Windows users running Windows XP.

NOTE: That doesn’t count the expired/no support users running Windows NT at 0.15%, Windows 2000 at 0.03%. Apparently Windows 98 users have finally fallen off at 0.00%.

Windows XP end of support: why it concerns you – OnWindows.com

Reto Haeni explores the risks of running Windows XP after its end of service and the benefits of migrating to newer operating systems

This article was first published in the Spring 2014 issue of Touch

Designed in a different era

Computers running Windows XP routinely experience a significantly higher malware infection rate than computers running any other supported version of Windows. Much of the elevated infection rate on Windows XP can be attributed to the fact that some of the key built-in security features included with more recent versions of Windows are not present in Windows XP. Windows XP, designed in a different era, simply can’t mitigate threats as effectively as newer operating systems, like Windows 7 and Windows 8. As the threat landscape has evolved over the past twelve years since the release of Windows XP, so has software security.

It’s time folks! If you haven’t done it yet, and if you are still running Windows XP on the Internet, it is high time to correct this by upgrading to a modern OS that is still supported, or disconnect from the Internet.

Please, unless you are a technical person who truly understands the risks and has taken steps to mitigate the overwhelming risks, then please be responsible and disconnect your Windows XP computer now!

Or move to a new computer running a current version of Windows, or a Mac from Apple, or the Open Source ‘UNIX-like’ Linux operating system and run Windows XP programs with CrossOver as suggested here; or you could use Windows XP offline and use a Linux LiveCD for Internet surfing and email, etc., as suggested here, and not mess up your offline Windows XP system. No matter how you do it, PULL THE PLUG on Windows XP: disconnect the Ethernet or wireless connection to the Internet, just as soon as you get any April 8th Windows Updates on Patch Tuesday.

Unless you know what you are doing, you will be playing Russian Roulette with your Windows XP computer if you allow it to be online once Microsoft ends support after April 8, 2014. And that has been only Life Line extended support since 2009.



Microsoft Office 2003 support ends today, April 8, 2014!

We also mentioned Microsoft Office 2003. Oh, yes, Microsoft Office 2003 has also expired today. No more security updates will be provided for Office 2003 either, just like Windows XP.

If you are still using Office 2003, it’s high time to remove it and move to a current version of Microsoft Office, or move to one of the Open Source alternatives such as Apache Foundation‘s OpenOffice.org or Document Foundation‘s LibreOffice, or move to using online versions of MS Office software like MS Office Web Apps, or move over to Google’s online document handling programs, Google Docs.


Dangerous Internet Explorer Flaw Jeopardizes GMail accounts

‘State-sponsored attackers’ using IE zero-day to hijack GMail accounts – ZDNet:

Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.”

IMPORTANT: This is not the MS12-037 that Microsoft just patched this week on Patch Tuesday.

This is a zero-day vulnerability. Both Microsoft and Google have issued warnings regarding it.

There are Twitter warnings all over the place about “Warning: State-Sponsored attackers may be trying to compromise your account or computer“.

In lieu of a patch for Internet Explorer to fix this vulnerability, Microsoft has devised a “FixIt” Tool intended to block the attack vector:

Microsoft Knowledge Base Article 2719615

Also, according to the ZDNet article:

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

However, either way, it makes great sense to use Microsoft’s “FixIt” Tool to mitigate this zero-day Internet Explorer vulnerability whether you use Internet Explorer or not.

If you do not wish to use the “FixIt Tool”, you could also use the pre-advisory instructions under the Suggested Actions section to mitigate the problem by disallowing Active Scripting from automatically running on your system (set it to prompt you to allow).

Certificate Authorities, DigiNotar, GlobalSign, OSes, Browsers, Adobe, more

DigiNotar Breach Affected 531 Certificates (Tom’s Hardware):

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As Aryeh Goretsky, posting at Scot’s Newsletter Forums, noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.

Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

Much more in this two-page article, where a link to Markham’s blog gives more details about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for *.google.com which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

The CNs concerned were as follows:

*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
http://www.cia.gov
http://www.facebook.com
http://www.sis.gov.uk

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…
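The pinning check the EFF describes, as an added example (not code from any quoted article, nor from Chrome): it builds two constructed CA roots and two certificates for a made-up host (www.google.test) with Go’s standard library, then shows that ordinary chain validation accepts the rogue certificate because its issuer is in the trust store, while the SPKI pin taken from the genuine key rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// pinnedHost is a constructed name standing in for *.google.com (.test is a reserved TLD).
const pinnedHost = "www.google.test"

// spkiPin returns the base64 SHA-256 digest of the certificate's SubjectPublicKeyInfo,
// the key fingerprint a browser hard-codes for a pinned host.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue generates a fresh P-256 key and a certificate for name: a self-signed CA root
// when parent is nil, otherwise a server leaf signed by parent. All material is constructed.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // must be positive
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		signer, signerKey = tmpl, key
	} else { // server leaf
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // our own DER, so parsing cannot fail
	return cert, key
}

// chainOK is the ordinary browser check: accept the leaf if it chains to any root in the
// trust store and names the host. Which of the trusted CAs signed it does not matter.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinOK is the extra check pinning adds: the leaf's SPKI hash must be one of the hashes
// hard-coded for the host, regardless of what the CA system says.
func pinOK(leaf *x509.Certificate, pins map[string][]string, host string) bool {
	got := spkiPin(leaf)
	for _, want := range pins[host] {
		if want == got {
			return true
		}
	}
	return false
}

// Outcome records both checks for one presented certificate.
type Outcome struct{ ChainOK, PinOK bool }

// Demo rebuilds the DigiNotar situation: two roots the browser trusts, and two leaves for
// the same host, one from each CA. The pins are taken from the genuine key.
func Demo() (legit, rogue Outcome) {
	legitRoot, legitRootKey := issue("Legit Root CA", nil, nil) // the site's real CA
	rogueRoot, rogueRootKey := issue("Rogue Root CA", nil, nil) // stands in for DigiNotar
	legitLeaf, _ := issue(pinnedHost, legitRoot, legitRootKey)
	rogueLeaf, _ := issue(pinnedHost, rogueRoot, rogueRootKey) // the misissued certificate

	roots := x509.NewCertPool() // the browser's trust store contains both roots
	roots.AddCert(legitRoot)
	roots.AddCert(rogueRoot)
	pins := map[string][]string{pinnedHost: {spkiPin(legitLeaf)}}

	legit = Outcome{chainOK(legitLeaf, roots, pinnedHost), pinOK(legitLeaf, pins, pinnedHost)}
	rogue = Outcome{chainOK(rogueLeaf, roots, pinnedHost), pinOK(rogueLeaf, pins, pinnedHost)}
	return legit, rogue
}

func main() {
	legit, rogue := Demo()
	fmt.Printf("legitimate leaf: chain valid=%v, pin match=%v\n", legit.ChainOK, legit.PinOK)
	fmt.Printf("rogue leaf:      chain valid=%v, pin match=%v\n", rogue.ChainOK, rogue.PinOK)
}
```

The rogue leaf passes chain validation exactly as the DigiNotar certificate did in every browser without pins; only the pin comparison stops it.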

This problem is not only about the privacy of people whose lives would be in danger; it also affects the victims of malware purveyors.

Cryptographic keys for SSL sites are only as good as the honesty of the holder of those keys and the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue the certificates would like us to believe. Anyone with money can purchase an SSL certificate, and malware purveyors have bought them too, so that folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and the browser makers ship root certificates with their browsers, and browsers show green or gold with the lock for certificates obtained from big-name sellers. So if you are a legitimate site owner who creates your own certificate to save money, browsers automatically assume you are ‘not legitimate’ and show it as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products, including Firefox, Thunderbird, etc., revoking the certificates.

Opera did the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users disable and remove the DigiNotar certificates from the Keychain so that Safari and other browsers would be safer online on the Mac. Since then, Apple has released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firm stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…

Bye Bye Google Plus

Some of you may have noticed I have removed my Google Plus account today. Others may think good riddance to another person who doesn’t get it.

But nothing could be further from the truth. I was one of Google’s real endorsers. But no more. Their real name policy has turned away many real people and that was never Google’s way before. So why now?

I have to say I loved Google. I generally don’t trust corporations online or off, but Google was one I thought I could trust, and even through all this I really hoped they would turn this around and once again try to ‘do no evil’.

I guess the old saying is true — especially for corporations — Everyone has their price; even Google.

Sigh…

NOTE: see my last posting entitled A wave out to all my Google+ friends.

A wave out to all my Google+ friends

And other Google+ users who might soon be wondering where I went…

EDIT 9/6/2011: In the comments, I continue to add articles. I hope to have this be a pretty inclusive list of articles on this issue. If you know of one I have missed please feel free to leave a comment with the link. Thanks!

I have found that as much as I absolutely love Google+ the ‘social network’ — now known to be an ‘identity service’, I am leaving on 9/9 along with some others that have identified 9/9 as the day to leave. Hopefully it will have some impact even if it’s only a small overall number of users. But more than anything, I hope it will have a lasting impression regardless on how dangerous ‘identity services’ appearing to be ‘social networks’ can be.

Google has determined that Google+ aka Google Plus or G+ is to be an ‘identity service’ and that Google/Google+ require your real/common name not a pseudonym, pen name, stage name but only western style two name real/common names apparently.

Some may say, so what. But others will know that this is a major issue and has been since Facebook started this trend. Here’s my Google+ posting on this and this one reshared from Tom Anderson, both of which will be gone after 9/9.

Not to mention the fact that Google+ is linked to things like your GMail account, Google Search, Picasa, Youtube, Google maps/location data, Android apps purchases, and so much more — and even more of Google’s offerings as time goes on (and boy do they have a lot of social types of offerings or apps). And if you don’t like that and decide to leave G+, you are prompted to remove all, what they call connections to their ‘social apps’ linked to your G+ GMail account.

“Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why. (Todd Vierling on Google+)

Here are just a couple of early articles from the weekend when Google started arbitrarily disabling accounts:

Google+ and the loss of online anonymity by Matthew Ingram (GigaOm)

Update: Complaints mount over Google+ account deletions by Juan Carlos Perez (Computerworld)

Dutch researcher downloads 35 million Google Profiles (State of Search)

So what’s the big deal? First, it’s a great security risk for users, especially normal/average users, since many business users already have their ‘real’ name out there as part of their branding. I am one who has done just that: Fran Parker is Fran’s Computer Services, and this posting is on my Fran’s Computer Services blog. Technically, Fran Parker is a common variation on my real name, but that is ‘allowable’ on G+ because it is how I am commonly known. There is also some arbitrariness about it all. If disabled users can ‘prove’ who they are, or can ‘prove’ that they have a ‘valid’ reason for the ‘pseudonym’ to those at Google/G+ who handle complaints or vetting of those who want to be reinstated, they can be back in Google’s good graces.

Don’t get me wrong: it would certainly benefit me to stay on G+ and let their new service help my business networking online. Even so, I am leaving Google+.

My name is Clo | My Name Is Me

My name is Albatross | My Name Is Me

Why? I am leaving because Google has decided to build G+ as an identity service. In some ways it is like Facebook, but not really, since G+ is a public profile server: yes, you can hide nearly everything except your public posts, your responses to public posts and your +1s (think: Facebook Like), but you can’t hide your real/common name, because they make that public. And Google has changed the rules on their services so they can now link you, by name, and even by what you put in the ‘also known as’ or ‘nicknames’ field, across every one of their services, and boy do they have a lot of services. If you don’t believe me, try this, especially if you are a member of Google+: search on your name, particularly your Google+ profile name.

Will cyberthugs exploit Google Plus ‘identity service’ for spear phishing attacks? by Darlene Storm (Computerworld)

What’s the big deal, you say? Oh, nothing much, except that by doing this they have made each and every one of us a bigger phishing (actually more like spear phishing) and/or unethical hacking/cracking target by linking everything we do or say online. Business users whose names are linked to their branding live with that day in and day out, and it’s a major pain, but they made a conscious decision at some point to deal with it. But the average user? I don’t think the average or normal user needs or wants those types of hassles. OK, so maybe you say, so what? It’s a greater security risk for users. You can be targeted so much more easily when so much about yourself is linked online. And there is this to think about:

Google fined in Brazil for refusing to reveal bloggers’ identities (TheNextWeb)

OK, and if that wasn’t bad enough: by limiting the ability to use pseudonyms, stage names, pen names, naming standards from outside the English-speaking West, etc., Google is cutting off their nose to spite their face. Some folks have been known by nothing but a pseudonym, pen name or stage name online for 20+ years, by the way. But that’s OK; they don’t really want to be everyone’s Google+ friend, they obviously just want to make more money.

Why do I say that? Because all of this linking is data they can market with, sell to others in corporations, governments, highest bidder, whatever — in aggregate form of course, like Facebook does. Facebook makes a bundle on this already and Google apparently wants a piece of that action…well a bigger piece. Besides they already know you. Now they are getting your permission to basically track you further, and use more of your data that you share with them….errr, enter on their services, like Google+.

Also, many of us have been working against abusive marketing crap since Steve Gibson created OptOut when he became aware of what was going on in the early days of computing online on the Internet: marketing that was more like spyware than the benign advertising in newspapers or magazines, where they can’t track you!

OK, enough about that side of things. Now on to the other side: the discrimination, the arbitrary decisions to disable accounts and require proof of who people are, or the changing of their ‘name’ to something more Western or 1st world or whatever you want to call it, i.e. two names (first and last name) as Western countries use, which is not at all like real/common names in other parts of the world.

Also, some folks really do need to use a pseudonym, alternative name, stage name, pen name, whatever you want to call it. Many people in this type of situation would rightfully feel this is discrimination against women. Many women have been stalked, have had abusive spouses or coworkers/bosses, or have spouses or jobs where it would be ‘inconvenient’ (they could lose their job, or their spouse’s job or position) if they were not able to speak out anonymously through a pseudonym.

There are so many angles on this issue. It was wrong when Facebook did it and it’s even more wrong (if there is such a thing) for Google to do it. Why is it more wrong for Google? Because we have higher expectations of Google. They have always tried to ‘do no evil’ in the past and now they will be right in the middle of it. Was ‘do no evil’ only to get people to trust them? Like Apple with their ‘think different’ and revolution anti-big brother stance in their 1984 commercial? But all the time they had other plans?

If you are not on G+ (aka the Google Plus service) and have no friends who are, it would be easy not to be familiar with all this. Since it is an invite-only ‘field test’ at the moment, many people are not involved. But many geeks, technicians, artists, artisans, journalists, etc. are on it to help improve it and to try out the new kid on the block in social networking. I have been one of these folks for some time now: first with a pseudonym, which was quickly squashed either by someone turning me in for having a pseudonym or by their algorithm bot getting me because the name was obviously not a real name; after that account was disabled, I decided to come back as my business name.

Here are some, and just a few really of the articles that address the issues better than I could ever do:

Understanding the Nym Wars (BoingBoing) with several links and some great commentary

A Case for Pseudonyms (EFF.org)

Google+ Identity Crisis: What’s at Stake With Real Names and Privacy (Wired.com)

Violet Blue: just one of her many postings about pseudonyms on G+ (she has a legitimate gripe), and one of her articles on ZDNet

“Real Names” Policies Are an Abuse of Power (danah boyd blog)

Tracking the Nym Wars (G+ Insider’s Guide)

On Pseudonymity, Privacy and Responsibility on Google+ – Kee Hinkley

Why It’s Important To Turn the Tide on Google’s Real Name Policy (Botgirl’s Second Life Diary blog)

Who is harmed by a “Real Names” policy? (GeekFeminism – Wikia.com) (and related Pseudonymity article).

Who is harmed by a “Real Names” policy?

This page lists groups of people who are disadvantaged by any policy which bans Pseudonymity and requires so-called “Real names” (more properly, legal names).

This is an attempt to create a comprehensive list of groups of people who are affected by such policies.

The cost to these people can be vast, including:

  • harassment, both online and offline
  • discrimination in employment, provision of services, etc.
  • actual physical danger of bullying, hate crime, etc.
  • arrest, imprisonment, or execution in some jurisdictions
  • economic harm such as job loss, loss of professional reputation, reduction of job opportunity, etc.
  • social costs of not being able to interact with friends and colleagues
  • possible (temporary) loss of access to their data if their account is suspended or terminated

The groups of people who use pseudonyms, or want to use pseudonyms, are not a small minority (some of the classes of people who can benefit from pseudonyms constitute up to 50% of the total population, and many of the others are classes of people that almost everyone knows). However, their needs are often ignored by the relatively privileged designers and policy-makers who want people to use their real/legal names.

Nymwars – Wikipedia

The icing on the cake was Eric Schmidt, until recently the CEO of Google, stating this (guess he can say anything now, eh?):

Eric Schmidt: Google+ Is An Identity Service; Use Your Real Name Or Don’t Sign On (Huffington Post)

Schmidt: G+ ‘Identity Service,’ Not Social Network by David Gerard (slash dot or /.):

David Gerard writes
“Eric Schmidt has revealed that Google+ is an identity service, and the ‘social network’ bit is just bait. Schmidt says ‘G+ is completely optional,’ not mentioning that Google has admitted that deleting a G+ account will seriously downgrade your other Google services. As others have noted, Somewhere, there are two kids in a garage building a company whose motto will be ‘Don’t be Google.‘”

And here’s one I missed that I just saw over at Google+ on Nom DeB‘s profile posts:

Google+ Can Be A Social Network Or The Name Police – Not Both by Bob Blakley at Gartner Blogs

Really all you need to do to find out more about this is to search on Google or any other search engine for any number of combinations of words in this article.

Now we even have a place for Google Refugees to link up after they leave Google+.

EDIT: grammar/clarity and to add Bob Blakley’s Gartner blog article. I also almost forgot my TWEETMEME link, and added Todd Vierling’s “‘Just go somewhere else’ is a fallacy. The name policy stretches far beyond Google+, and here’s why.”

Internet Explorer Search Bar Malware Hijack

Recently, the Google Gala malware has been hijacking the Google search engine in Internet Explorer’s Search Bar. In addition, Fast Browser Searching has apparently been getting installed by some means and stealing the Google homepage of other users.

Google Gala and Fast Search hijacks are nothing new, but they are making a serious comeback. I am not sure how they are injecting themselves into the Google search in the IE8 Search Bar, but they definitely are corrupting the Google search engine in the IE8 Search Bar. This has been known to happen in Firefox in the past as well. And who knows how long it will be until Google Chrome and other browsers are hit the same way, if they haven’t been already.

Browser makers need to harden their Search Bar against this type of attack, but until they do, we have to take matters into our own hands.

If you feel the need to use Internet Explorer, I would strongly suggest hiding or removing the IE8 Search Box and going directly to the Google website instead.

As shown at w7forums link above, to hide/remove the IE8 Search Box:

Start -> run -> gpedit.msc

Or better yet, change to an alternative browser, like Google Chrome or Mozilla Firefox.

The advantage of Google Chrome’s built-in Flash player, which is updated automatically through Google Chrome’s update mechanism, is quite attractive. In addition, Google Chrome is fast to load and now has extensions such as Adblock Plus, WOT, FlashBlock and others, as Mozilla Firefox has had for a long time. Google Chrome also has a built-in ‘sandbox’ feature which can save a world of hurt while browsing the web. Although it is not perfect, it is a great feature.

I have to say for years now, I have not used any built-in browser search bar. I go directly to the Google website, or other favorite search engine websites directly. I would suggest that, until browser developers harden their search bars, it would be wise to not make use of search bars for searching.

In addition, I would strongly suggest you install CCleaner and run it frequently. Close your browser after every use, then right-click on the Recycle Bin and choose Run CCleaner.

If you do get hit with malware like Security Shield for any reason, but especially in this case due to the redirection/hijack of search results in the IE8 Search Bar, you will need to use rkill or the Task Manager (if available) to find and kill the oddly named Security Shield process, then update and run Malwarebytes Anti-Malware to get rid of the related registry entries, hidden files, etc., as shown in the BleepingComputer forum’s Security Shield (Uninstall Guide).

Or call your computer expert to help you with removal of the malware.

The most important thing is not to continue to use the computer on the Internet until it is removed to keep from getting hit with more malware. Redirection to malware sites posing as legitimate websites and searches is a strong possibility while infected with malware.

EDIT: I started writing this post yesterday morning and got it published at 12:06PM. Within hours, there was a security advisory by Microsoft and articles about:

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in MHTML on all supported editions of Microsoft Windows. This vulnerability manifests itself in Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.

What causes this threat?
The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request.

Sure sounds like this may be the problem I was writing about in this posting.

We love you Facebook but privacy and security are important

UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links

Yes, most of us do love our Facebook, or at least we enjoy the feature set and keeping in easy contact with our friends and family, but some of us feel that it is not worth the expense of our privacy and security and the potential malware infections from rogue apps on our own or others’ accounts. Facebook privacy concerns are heating up, as are the risks of other sites getting at our data:

New security hole in Facebook through Yelp (here on our blog last week, apparently fixed now), or of having our chats exposed to people other than those we are talking to, even if they are our friends.

So, you think Facebook is safe? Hmmm. Really?

* Hackers can delete Facebook friends, thanks to flaw (By Robert McMillan at ITWorld May 21, 2010):

A bug in Facebook’s Web site lets hackers delete Facebook friends without permission.

The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter’s Facebook friends list.

* Fake joke worm wriggles through Facebook (By John Leyden at The Register May 21, 2010)

Shifty sorts have created a new worm which spread rapidly on Facebook on Friday.

The malware, for now at least, does nothing more malicious than posting a message on an infected user’s Facebook wall that points to a site called fbhole.com. Nonetheless, the speed of its spread on the social networking site has net security experts worried.

* Facebook Fixing Embarrassing Privacy Bug (by Robert McMillan at NYTimes on May 19, 2010):

Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.

Facebook Violates Privacy Promises, Leaks User Info to Advertisers (by Tim Jones at Electronic Frontier Foundation May 21, 2010):

A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook’s privacy practices have not complied with its public statements and have disregarded users’ privacy rights. Just last week, when asked about Facebook’s privacy practices with advertisers, Facebook executive Elliot Schrage wrote:

We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.

As the Wall Street Journal report shows, this was not true. In fact, Facebook’s architecture at the time allowed advertisers to see detailed personal information about some Facebook users.

Much more in the article! Must read.

** Facebook privacy: Zuckerberg overruled? (By Richi Jennings at Computerworld IT Blogwatch May 19, 2010)

** Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers (By privacy advocate Ben Edelman at BenEdelman.org on May 20, 2010):

Browse Facebook, and you wouldn’t expect Facebook’s advertisers to learn who you are. After all, Facebook’s privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission. For example, on April 6, 2010 Facebook’s Barry Schnitt promised: “We don’t share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period.”

My findings are exactly the contrary: Merely clicking an advertiser’s ad reveals to the advertiser the user’s Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more.

In this article, I show examples of Facebook’s data leaks. I compare these leaks to Facebook’s privacy promises, and I point out that Facebook has been on notice of this problem for at least eight months. I conclude with specific suggestions for Facebook to fix this problem and prevent its reoccurrence.

The sexiest video ever? Facebook users hit by Candid Camera Prank attack (Graham Cluley’s Sophos Blog)

MASSIVE FACEBOOK ATTACK OVER THE WEEKEND (posted May 17, 2010 by Roger Thompson, AVG Blogs)

Facebook CEO’s latest woe: accusations of securities fraud (VentureBeat posted May 19, 2010 by Owen Thomas)

I sure hope that the BBC report is correct, “Facebook looks likely to cave into pressure from users and simplify its privacy settings in the near future.” But other places are saying Facebook is just simplifying the existing privacy settings.

I don’t think there are many people who have experienced Facebook that don’t love most of its features, at least the ones that help you keep in contact with your friends and family and share (on the Facebook site) your photos, videos, links to articles of interest, chats, direct messages, posts between your and your friends’/family members’ walls, holidays, and fun, happy or sad conversations, and more. But Facebook is wrong about privacy; it really is still very important, and for more reasons than many may think. Even the Wall Street Journal has acknowledged that Facebook, MySpace and other social networking sites are having to confront the privacy loophole.

But, when the trust that Facebook used to get people to sign up in the first place (a trust that your privacy is important to Facebook and will be protected by default – unlike MySpace, et al) is breached by that very same service, then there is a problem.

If you don’t remember the early days of Facebook, many of us do. Facebook did make claims that they would protect our privacy by default, that our privacy was important to Facebook. Zuckerberg made these ‘claims’ when they were trying to woo millions of MySpace’s users over to Facebook in Facebook’s early days. It worked too.

Privacy by default. What is that exactly? Facebook started out pushing to gain membership at about the time that MySpace went through a huge privacy fiasco, because new MySpace users had to immediately change their privacy settings if they didn’t want the whole world to see all their information (it was all public by default on MySpace). Many users, just like many new users at Facebook, didn’t know to change their settings, or even think about it. Many users were just not savvy enough to know why it was even important to share only some information with the world/public, or to understand why that might be a prudent move. But due to the marketing used by Facebook, people started to understand that privacy was important, and they wanted their friends and family to be in a ‘safer’ environment: a place where they could connect and share with each other without concern that their data would be made public. After all, Mark Zuckerberg said he did care about our privacy (unlike the other guys).

Then after Facebook gets all these users, and gets them used to the convenience and ‘hooked’ on the service, THEN Facebook just seems to keep changing the rules — little by little — chipping away at the privacy and security standards that got them all the users in the first place. Not long after I finally joined Facebook, they went through this pretty big, and I actually deactivated my account at that time too. When Facebook changed their tune, I came back. Now they are doing it again, and even though I really enjoyed the service, I felt the need to again deactivate my account.

So, tell me, why would Facebook be surprised when users get up in arms about all these changes, especially in light of other security problems and vulnerabilities within their newest ‘features’ as well as their existing features? One group has even created a Facebook Group entitled “1,000,000 Strong to leave Facebook by July 4 unless FB respects our privacy” (see, there can be appropriate public-facing things on Facebook). And the EFF has published various articles enlightening folks about the changes, the effects of those changes, and how you can mitigate them, at least most of the problems.

Features are a great thing, except when the service starts to change your privacy settings for you and doesn’t bother to tell you about it until after it has done so. That is a real problem of trust, because, even if only for a short time, your data is left for search engine spiders to index data that shouldn’t have been made ‘public’ in the first place without user permission.

So then users start complaining, and get no satisfaction from the service, because the changes it made will make it a ton of money. So some users start deactivating their accounts — many users are upset with Facebook, and for good reason. A basic trust was broken, and it wasn’t broken by the users.

But privacy issues are not the only issues. There are also other security issues as well; vulnerabilities and more vulnerabilities. And only God knows how many more vulnerabilities are known by the bad guys that expose users’ data that are not yet known to the good guys.

I had already checked and reset all my privacy settings multiple times since December 2009, when this fiasco started getting into high gear, even before the now-known vulnerabilities that still put users at risk made me say, ‘enough is enough’. I still struggled with the decision before I decided I could put it off no longer. Even the benefits for business, family and friends weren’t worth the security risks, not only directly but indirectly through friends who might get hit with these vulnerabilities, or the potential for unwise decisions about their accounts where their data might overlap with mine.

It is not an easy thing to make the decision to deactivate, or to go through the hoops (or even find a link to get information) on deleting your Facebook account. Especially when you enjoy the service. And the service really is a good service, if not for the problems that bad decisions about security and privacy have caused, and of course the related vulnerabilities. Sure, they fix the vulnerabilities when they are made public, but how long was your data, your information, exposed through these vulnerabilities before they were brought to light?

The Consumerist actually did an article on deleting your Facebook account since it’s not easy to find. It’s entitled, “Delete Your Facebook Account Forever” by Ben Popken (April 20, 2010).

And if you think they will figure out all the vulnerabilities and then it will be safe, think again. Facebook is 440 million strong and growing. Just like the huge bullseye target on Microsoft Windows’ back, Facebook is the biggest target in social networking. Too big for the bad guys to leave it alone. It’s a treasure trove of information (and not just aggregate information like Facebook sells; oh, no, this is the actual connections, the actual information linked to individual people that’s at risk). Between the vulnerabilities, as well as some decisions by users regarding Friends, their choices of third-party Facebook apps, and their privacy settings, this could become a real nightmare, very quickly, and for some it already has.

Have you ever thought how much information about you is actually public on Facebook? Or even on the Internet in general? What about your family and friend connections, or business connections? What about your choices regarding purchases, what you like or dislike? Do you want them made public? And Facebook has much of that information in one place just ripe for the picking. And who would want to pick that information? Even in aggregate form it is very valuable data, but to bad guys, it is fodder for social engineering, phishing attempts in email, potential ways to get malware on your system by presenting it as though it is from people you are friends with, and so much more.

It’s an especially hard decision when you have gotten used to keeping in contact with friends and family through one particular service via browsers and mobile devices. And it really is great to have a place where your family pictures (your children and grandchildren, travel/trips, conversations between many friends and family, and so much more), are right at your fingertips and can be posted, responded to, and still be safe from the prying eyes of the general public. At least that’s how it was, or at least we thought it was.

Of course, Facebook makes it even more difficult to make the choice to deactivate or delete your account. When you choose to deactivate, which by the way doesn’t actually delete your data (in case you want to come back), Facebook tries to use emotional blackmail, er, pressure to try to keep you from deactivating your account. As you are trying to deactivate, they show you some pictures of your ‘friends’ and talk about how you won’t be able to contact your friends and family anymore, or your friends and family won’t be able to contact you anymore. As if Facebook were the ONLY way to contact your friends and family?! It might make it easier, but it’s not the ONLY way to keep in contact with your friends and family.

Also, note that Facebook doesn’t allow you to delete your own account on your own — you have to actually contact them directly to ask them to delete your account — as if you were an errant child who couldn’t be trusted to do this on your own?! Even MySpace and other social networking sites let you delete your own account!

Oh, no. This is not about whether you would be able to delete your account; this is about another attempt to coerce you to stay with Facebook. Besides, they don’t actually delete your data, oh, no. They still make use of that data in aggregate form; it’s just not linked to your name, supposedly, after your account is deleted:

How Companies Are Using Your Social Media Data (by Leah Betancourt at Mashable)

Facebook Data Mining: Not Just for Advertisers Anymore (SCI Social Capital Inc.)

More on Facebook, Privacy & Data Mining (by Greg Sterling at ScreenWerk)

data-extraction-facebook (Google Code website)

End of Year Data: Facebook Currently Leads (Data Mining: Text Mining, Visualization and Social Media)

Facebook Data Reveal Secrets of American Culture (by Matt Safford at LiveScience)

Microsoft Inks Twitter, Facebook Data Mining Deal (by Jennifer Martinez at GIGAOM October 21, 2010)

The Man Who Looked Into Facebook’s Soul (by Marshall Kirkpatrick at ReadWriteWeb February 8, 2010)

Even though it has been stated that at least 60% of users are upset and are actually considering one of these options (deactivation or deletion of their account), with over 400 million active users worldwide, over US$300 million in annual revenue (estimated in 2008), and the #2 ranking on the Internet in May 2010 according to Alexa, does Facebook even care? Have we just become so much advertising and data mining fodder that translates to hundreds of millions of dollars annually (billions over time) for Mark Zuckerberg and company? Is that what it was all about from the beginning? If some articles are to be believed, Mark Zuckerberg may have played a good game when he told us he was concerned about our privacy right from the beginning.

And we even have some who think that malware and hacking haven’t caught up with it all on Facebook … yet. But I think we have determined that this is not really the case.

So, even with all that, maybe you still feel it’s safe to continue with Facebook; what next? There are some very good places to study up on how to make yourself as safe as possible, and to understand the account and privacy settings, their implications, and how they interact with each other, with your friends and with the public. Things like ReclaimPrivacy and others are cropping up to help folks deal with Facebook’s very complex privacy settings. Who knows if this will be squashed by Facebook, but it could help right now to get your settings in order.

The complimentary portion of the WindowsSecrets newsletter has an excellent article by Scott Mace called “Tighten your Facebook privacy settings”, with a great outline of the various areas and some great thoughts on how to keep yourself as safe as you can be on Facebook.

Facebook Security | Facebook Privacy | Best Practices at Sophos
(be sure to read through all the pages listed on the right side – like WindowsSecrets, Sophos goes through all the different facets of Facebook)

Fast Company also has an article to help, called “Online Privacy: Check Yourself Before You Wreck Yourself”.

It’s your life, it’s your data, it’s your choice…what will you do?

UPDATED 5/22/2010*, 5/23/2010**: Added additional links.