Print

[mefree]

Remember that torrent yesterday  that contained the personal information off of 100 million scraped Facebook profiles? I thought it was strange that the guy didn't sell this information, since many companies would be interested. Turns out they are interested.

http://gizmodo.com/5599970/major-corporations-are-downloading-those-100-million-facebook-profiles-off-bittorrent

[mefree]

Another ugly reminder to check your Facebook settings — NOW! - msnbc.com
29 July 2010, 7:05 pm



 You know that guy who just posted the personal details of 100 million Facebook profiles in an online downloadable file? He ain't Matthew Broderick in "War Games," Keanu Reeves as "Neo" or "The Girl with the Dragon Tattoo."

Sure, the dude wrote some code to access and aggregate user information through Facebook's directory , but he isn't a "cracker." He didn't even need to be a "hacker" to do it. Ron Bowes is just a security researcher who used a tool to quickly access all the profile info made readily available by Facebook users who — by either choice or chance — didn't lock it down.

more at http://www.msnbc.msn.com/id/38474945/ns/technology_and_science-tech_and_gadgets/

[Stutroup]

I didn't see that until this evening.  But I'm glad all my more serious accounts were already secured enough.

[ethercat]

Remember that torrent yesterday  that contained the personal information off of 100 million scraped Facebook profiles?

http://gizmodo.com/5599970/major-corporations-are-downloading-those-100-million-facebook-profiles-off-bittorrent

Well, no, actually. I don't remember that from yesterday, or the day before.  Here's a little more info from http://www.thinq.co.uk/2010/7/28/100-million-facebook-pages-leaked-torrent-site/

A directory containing personal details about more than 100 million Facebook
users has surfaced on an Internet file-sharing site.

The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook's open access directory, which lists all users who haven't bothered to change their privacy settings to make their pages unavailable to search engines.

Bowes' directory contains 171 million entries, relating to more than 100 million individual users - more than one in five of Facebook's recently trumpeted half billion user base.

The file contains user account names and a URL for each user's profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user's page from the list will also enable you to click through to friends' profiles - even if those friends have made themselves non-searchable.

There's absolutely nothing illegal about what Bowes has done - the information is, after all, publicly available - but perhaps the existence of a stalker's online black book might finally persuade less security-minded Facebook users to get their arses in gear.

UPDATE
For the many of you who have asked how to fix Facebook's default settings to expose less of your data, we have posted a beginner's guide.

Glad I don't do SpaceBook or MyFace.

Yes, all that was obtained was public information already, but now it is aggregated for ease of use, not just by scientology, but shady marketers, identity thieves, stalkers, and obsessed teenagers.  And anyone else who cares for whatever reason. 

Some people may not even realize their private information has been made public: Facebook's Eroding Privacy Policy: A Timeline

Facebook lulled people into a sense of false security about putting their personal information on the site, with information set to be private, then changed their settings to expose information which infrequent users did not realize was being exposed. 

There's an interesting article here that draws parallels between the latest Wikileaks leak, and the Facebook "leak": http://www.telegraph.co.uk/technology/facebook/7919103/First-Wikileaks-now-Facebook.-Is-this-the-death-of-privacy.html

Some quotes:

It emerged on Wednesday afternoon that Bowes conducted this exercise to help him learn how to break passwords – very unsettling, I’m sure you’ll agree. But Bowes is not the villain in this piece, because his act of mischief – and we can’t call it more than that, because the information he collected was freely available to anyone who cared to search for it – was only possible because Facebook itself has repeatedly and shamelessly betrayed its users’ trust, instituting rollback after rollback of privacy settings, in what its CEO Mark Zuckerberg sees as a quest to encourage people into being more “open” online.

And Zuckerberg has repeatedly said that he wants Facebook users to learn to embrace openness. “We decided that these would be the social norms now,” he once declared, after another wave of privacy rollbacks.

Facebook makes it very difficult for you to extract yourself from the permanent and public style of communication that its CEO thinks should be normal online behaviour. Every time there’s a “privacy update” and you’re asked to review your settings, rather than respecting your previous wishes, the site sets a number of components of your profile back to public by default. It’s as if Facebook is constantly nudging you towards giving up on privacy and throwing the whole lot open to the world. You have to really know what you’re doing to spot, and undo, these sly changes as they happen.

It’s not good enough to tell me: “Oh, well, you made that stuff public,” when the shifting sands of Facebook's privacy settings make it impossibly difficult for me to understand or keep track of who can see my stuff and how. And it’s absolutely not acceptable for settings to be retroactively applied to content I never agreed or wanted to make public.

If you want to keep control of your personal information, don't put it in the care of a corporation that may change its mind whenever it sees more .

And, imo, google, with all its tentacles, is just as bad: What Google Knows About You

[mefree]

Church of Scientology searching leaked Facebook file (for new recruits)? - Examiner.com
30 July 2010, 3:48 pm
Michael Santo

You may (or may not) have heard that Ron Bowes, a security researcher, snagged the information of 100 million Facebook users, and not by hacking either, but simply by accessing their publicly available data using a Web crawler. It's been reported that, much as you might expect, some companies and corporations are downloading the file, via BitTorrent.

The file contains user account names and a URL for each user's profile page. To be clear, if you haven't locked down your Facebook profile, all of this is publicly available, so nothing Bowes did was illegal. It just goes to show why everything in your profile should be kept private, however.

On the other hand, what's more interesting, and perhaps frightening, is the number of organizations that are reportedly downloading the report. The list, gleaned by using the BitTorrent downloader's tool Peer Block (not that we've ever used it) lists a few interesting parties.

more at http://www.examiner.com/x-39728-Tech-Buzz-Examiner~y2010m7d30-Church-of-Scientology-searching-leaked-Facebook-file-for-new-recruits

[Lorelei]

If you don't put your real info online in the first place, then your real info can't get compromised.

[ethercat]

If you don't put your real info online in the first place, then your real info can't get compromised.

That is true, but doesn't that kind of defeat the purpose, for most people, of having a Facebook (or other social networking) site?  To meet up with people that know them, and to let distant friends and/or relatives know what's going on in their life?

[Lorelei]

In my case, I contact the people I want to have contact with, and am glad not to have to turn people down (who would possibly find me if I used certain names) that I do not wish to become reacquainted with. Works out great!

[ethercat]

But if all the people you contact were doing what you do, using information that wasn't their real info (fake names, fake pictures, fake details), how would you know to contact them, or even who to contact?

And if social networks became masses of people using non-real info, wouldn't they just become a fictional world of invented characters, kinda like an impromptu role playing game?

[Lorelei]

^^^That would be one way to protect yourself online, and not nec. a bad idea.

Then again, if I know you, I give you vetted contact info in person if you seem reliable, but I don't just have it hanging out there where it can be easily found. If everyone used a pseud online, there would be a lot less bank fraud, stalking, etc.

Having an online persona separate from your AFK persona has always made sense to me, and it has little to do with playing a role. I'm honest about my opinions and general stats (female, Caucasian) / age and anecdotes and such; it is personal data that can be used to market to me or defraud me or stalk me that remains more protected. I am less bothered about pictures of me online than I am my real name. My image only gets someone so far when trying to defraud or harass, especially if I am in a wig or have dyed hair in the picture or have gained or lost weight; conversely, my real name would garner actual info of use to them, such as a mailing / physical address, phone number, etc.

If you have the resources to protect yourself in other ways, such as by being very wealthy, by being geographically isolated, or by being a very public figure who can rally help and support if targeted by a bad person, that is different. The average person does not have the resources to hire lawyers or get police interested if they are targeted, but being targeted can cause you a lot of grief and trouble and wasted time.

I think it is particularly vital for underaged children to be taught not to reveal ID info online. Parents who know better than to send their kids out with shirts or bike license plates with the child's name on them, and who caution kids about Stranger Danger AFK, rarely take online security as seriously...perhaps because they assume they will always have the time to be in the room with the child to supervise when s/he is online. Fact is, this is probably not the case. Kids are often not supervised 24/7, if only because parents have to go to sleep at some point, and kids use computers at school, the library, friends' homes, etc.

My legal name entered into Google brings up only links that a potential / current employer would approve of, as another example. In each case, I used my legal name deliberately, knowing that someone would be likely to search for me eventually. So there is a record of me having been online for a long time, and being active and helpful in the early days of USENET (as an example), and some work-related posts, but no links to various hobbies, political opinions, religious beliefs, associations and groups I belong to that are not directly related to work, love life, pets, etc. Again, this was very deliberate. My real name entered into a site like Spokeo gets NOTHING (except people with the same name who aren't me). Also very deliberate.

This gets into thought experiment territory about what IS identity and what IS "you". I don't think that "I" am online, per se, I exist separately from my online activities. On the other hand, I don't try to pretend to be someone I am not, so it's not an attempt to fool anyone into thinking I am in any way "better" than my "real" self offline. I suppose people who are very unhappy with themselves AFK might be more tempted to fudge their stats; it is one reason I don't trust 100% that anything I am told by someone about themselves online is true, and why--though I'm not saying it would be impossible to fool me--that I have developed, over time, a nose for consistency and a "feel" for personality. Truth tends to remain consistent and simple; lies mutate and contradict and ring false and tend to usually paint the person in a good light. Certain things about yourself are not necessarily obvious to you but are glaringly obvious to others, and it can be easier than you'd think to tell when someone is using a sock puppet or pretending to be someone else IF you know someone's posting style and habits and preferred use of language / phrasing / grammar / spelling and normal times of activity online (if someone is normally on between 9-5PM EST and someone claiming to be them pops up at 4AM, you might be right to be suspicious) well enough to recognize their "tells."

Personally, if I care enough about a specific persona / person online to really get to "know" them, I'll probably "know" them no matter what name they are using. It's an art, not a science.

[ethercat]

Lorelei, I'll just say this; the vast majority of people using Facebook do not use it the same way you do.  They see it as a place to use their real identities. 

This image shows how complex it is to make sure you've set everything you want to keep private, private.

http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html

How to leave Facebook, check your privacy settings, find other social networking sites: http://news.cnet.com/8301-27080_3-20005556-245.html

[Stutroup]

Security is now MUCH more straightforward than that.  That tree also over complicates the process, and makes the entire process seem confusing.  It's not.  Everything is laid out in a list on the page.  Everything has a check mark under "Everyone," "Friends of Friends," "Friends only," and "Other."  It's a basic chart, as simple as the one people learn about in third grade.

To the left are several ways to generally set the options:
*Everyone
*Friends of Friends
*Friends Only
(line break)
*Recommended
*Custom

Clicking one of the top three will set all of your information to that setting.
Recommended settings are:

• Everyone gets to see Status, Photos, and Posts; Bio and favorite quotations;Family and Relations.
• Friends of Friends get to see Photos and Videos I'm Tagged In; Religious and Political Views;Birthday
• Friends Only get to Comment on Posts; Email Address and IM; Phone Number and Address

Of course with the Custom setting, you get to choose for each item on that list, and it also adds the option for "Just Me."  That means I am the only person on that account who can see what I have listed in those options/posts.

Yes, to people who aren't looking at it, and to those not familiar, it seems a little confusing.  But it has been well laid out for quite some time.  There have been some other Facebook issues about auto-joining groups, for example, of your listed home town.  That has supposedly been lessened, if not eliminated.

[SocialTransparency]

 No one is anonymous. 

[ethercat]

Security is now MUCH more straightforward than that.

That is good to hear.  Sorry, didn't mean to get on an off-topic rant.   

[SocialTransparency]

 FaceBook? Now thats a cult in of itself!