dougv.com « Doug Vanderweide » privacy

Tumblr Mangles Developer Relations

Doug Vanderweide — Sun, 01 Jan 2012 19:15:53 +0000

Last week I logged on to Tumblr and was confronted with this abomination:

Missing e notice from tumblr. Way to encourage API development, guys.

Needless to say, this is pretty disturbing, and I wonder what Tumblr is thinking by posting this.

Background

Some background: Tumblr is a blogging site, with social media overtones. Basically, you can easily follow other bloggers’ posts through a dashboard / search posts via tags, and it’s quite easy to repost material you find on other blogs.

Like most other major providers, Tumblr maintains an API. Until last year, it was mostly restricted to retrieving and submitting posts; it was recently expanded to allow some manipulation of blog settings and managing followers.

I like Tumblr a lot. I’ll go on a couple of times a day, and like most other Tumblr blogs, my blog is mostly reposts; it’s where I’ll dump links / reposts of things I see on the Web that I want to share.

Missing e has been around for a while. It’s a browser add-on for Webkit-enabled browsers; as its name implies, it leverages the API with some neat features that aren’t directly available through Tumblr itself.

For example, Tumblr has a lot of image posts. Missing e includes a magnifier feature that lets one see a full-sized image right from his dashboard, rather than having to engage in the several clicks it takes to see a full-sized image. Missing e also lets me more easily reblog items (including the automatic addition of tags to reblogged posts), manage my post queue, and otherwise make Tumblr easier to use.

I should note that I don’t know the developer of this plugin personally, nor have I spoken to him about this notice. (I have read his response to this outrage, however, and I find it remarkably calm, fair and responsible.) I don’t know if Tumblr has contacted him about its concerns or tried working with him on those issues (reading the developer’s responses, it sure sounds like they haven’t).

I also haven’t contacted Tumblr about this. I’m not interested in hearing whatever nonsense they intend to proffer as justification. I know what I read and I know how I feel about it as an API developer.

To Tumblr’s credit, they haven’t cut off API access to the plugin, which was certainly an option others might have pursued. It wouldn’t surprise me if a number of Tumblr users can’t tell where Tumblr ends and missing e begins, and thus they are swamped with support requests they can’t do much about. And it does make sense to me that missing e uses a lot of resources to accomplish its tasks.

A Completely Wrong-Headed Approach

That’s where my empathy for Tumblr’s plight ends.

First, Tumblr’s reliability, both in terms of its primary service and its API uptime, rivals Twitter for embarrassingly inadequate. (At least Twitter has the common sense to not blame third-party developers for their failure to stay up.)

That’s on Tumblr alone. It’s up to them to keep their service running.

I especially find odious the insinuations contained in this notice. While missing e is, in the base definition, a “hack” of Tumblr, the tone of this message suggests that the plugin isn’t well-written and may be up to no good.

Well, you can go to GitHub and look at the code yourself. Yes, it sends data to intermediary servers. Yes, it is technically possible for missing e to steal a user’s Tumblr credentials, to track Tumblr users’ activities, to obtain personally identifiable information, etc.

Let me be clear: I agree with another user that missing e in no way compromises user information right now. However, it could do so, by virtue of being a browser add-on; to that extent, the notice Tumblr posted is accurate, as they don’t directly accuse missing e of privacy violations, but do note it is possible for browser plugins to capture information a user never anticipated having captured.

Absent proof that there is an intention behind missing e to do that specifically, and to use such information for nefarious purposes — evidence Tumblr clearly could provide, if it existed — I find the tone of this note beyond insulting; it’s chilling.

My interpretation of this notice is, “We don’t like missing e. We’d just as soon ban it. But that’s not very Web 2.0 and it’s likely to generate PR static. So we’ll scare you, push you toward getting rid of it, then continue to serve those who want to use it.”

That’s being a dick. That’s being lazy. That’s being stupid.

A Proper Response

Were I in charge at Tumblr, we’d be going about this in an entirely different way.

The first thing we would have done is offered the guy who wrote missing e a job.
If not that, we would have offered to buy missing e outright.
And if that didn’t pan out, we’d ask missing e users to rate its features, then build those into our platform.

Because what does Tumblr’s approach to this issue say? It says, “We aren’t interested in the reasons why missing e is a problem for us. We don’t care about our end users and why so many of them are using this plugin. It’s not that our product is inferior, and someone has made it better; it’s that we have what we have, and even though it can clearly be better, we’re more interested in the status quo.”

Or, as I’ll coin it, The MySpace Response: “Do what you like, so long it fits in our picture of our service.”

You saw how well that worked out for them.

I don’t suspect this blog post will cause any change whatsoever in Tumblr’s approach. I simply want to lament what is an absurd and insulting response to a relatively minor problem by a company that I expected knew better than that.

If Google brought you here because you’re worried about that notice, suffice it to say that I looked at the missing e code and, as of this writing, I see nothing there to be concerned about.

I do, however, see a lot to be concerned about in Tumblr’s handling of this matter.

All links in this post on delicious: http://delicious.com/dougvdotcom/tumblr-mangles-developer-relations

The Lessons We Should All Relearn From HBGary (5)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post.

Tags: blogging, coding standards, Google, hacking, MySpace, privacy, reputation, Tumblr, WebKit

Review: Free: The Future of a Radical Price

Doug Vanderweide — Fri, 05 Aug 2011 16:12:09 +0000

Free: The Future of a Radical Price by Chris Anderson

My rating: 3 of 5 stars

Reading Free: The Future of a Radical Price reminded me, in many ways, of The Grand Design.

To understand the universe on the quantum level, you have to embrace understandings and facts that seem ludicrous at human scales. That is, that we have free will; that things cannot be in the same place at the same time; that time progresses at one speed and forward only, are all convenient and explicit truths for our day-to-day existence. But at the subatomic level, that’s not how things work; not at all.

Anderson’s arguments about Free — that is, gratis and libre — are presented in the same sense, if not quite as well or explicitly.

Free does a fine job of explaining the mechanics of how things can be free on the Web: namely, per-unit / per-user costs are so low, they might as well be considered nothing.

He also does a good job of explaining the obvious money-making models applied successfully so far: advertising, freemium (basic service is free; premium service costs money) and non-monetary / indirect recompense, such as an increase in reputation / marketing of ancillary products, such as concerts and merchandise for musicians or speaking engagements and consultations for professionals.

Probably the most valuable lesson Anderson’s book provides is that in the information economy, copies cost nothing.

Certainly, the physical cost of the copy is so close to nothing, it might as well be nothing; but Anderson also suggests that the lost “opportunity cost” of not selling that record or book or software is significantly overstated, since there’s a good chance they wouldn’t have been purchased in the first place, and that the auxiliary benefits of spreading a product far and wide outweigh the loss from sales.

Speaking as someone who has pirated content he probably would have purchased if he couldn’t get it for free, I’d call that argument, on its face, pretty spurious.

But it makes perfect sense in view of the base assertion that digital content is going to be stolen, because it’s so easy and the costs / consequences are virtually zero. So don’t put all your effort into preventing theft (but don’t make it completely easy, either); put most of your effort into monetizing your soon-to-be-widespread content.

The reason I can’t give Anderson full credit here is because for someone who so consistently and readily acknowledges that there’s two groups of understanding when it comes to Free — the over-30 crowd, which can’t break free of the “there’s no such thing as a free lunch” model; and the under-30 crowd, which can’t understand copyright or intellectual property to save its life — he sure does a poor job of satiating each others’ curiosity.

It’s one thing to relate the obvious, which is about half of Anderson’s book. It’s another to provide real-life examples of how Free is being monetized, which Anderson does via several sidebars.

What this book lacks is what it needed most: its own version of M-theory, to explain how and why Free is the only model that makes sense here. That is, he went about presenting the information all wrong.

It should have been less anecdotal and more theoretical proof. Had Free set out with a statement of the “rules of the digital economy,” then proceeded to address those rules in order with interlocking and supporting truths, a much more useful book would have been produced.

As it is, Free tells us what we already know, and does little to predict what comes next. It suffices as an introduction to the idea of the economics of the 21st century, but it’s no road map.

View all my reviews

Tags: book reviews, brands / identity, copyright, crowdsourcing, ecommerce, ethics, marketing, pricing, privacy, reputation

News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

Doug Vanderweide — Fri, 08 Jul 2011 22:09:42 +0000

flickr /compujeramey

This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.

For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it’s best known for printing racy pictures of women and sleazy stories.

News of the World hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.

All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)

The entire affair is loathsome, no question about that, even for the British press, nefarious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.

So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.

Hacking means “to alter a system to perform differently than intended.” Hacking isn’t necessarily a malicious act. In fact, it’s often a good thing. I am 100 percent in favor of hacking, provided the thing you are hacking is yours or you have permission to hack it.

Cracking means “to compromise the security of a system.” While there are legitimate reasons to crack, it’s never an appropriate thing to do with property that doesn’t belong to you.

(I realize this is only one interpretation of “hacker,” and that other definitions exist, which also encompass what I term separately as “cracking.” I reject definitions of hacking that assume malice or nefarious intent. Hackers don’t aim to cause harm to, or violate the rights of, others; crackers do. Period.)

Social engineering (also called “blagging”) is the act of exploiting human behavior to achieve an end, usually without the tacit understanding of the people targeted that they are being exploited.

That’s what News of the World was up to: Exploiting people who were ignorant of, or indifferent to, basic voicemail features and security.

As explained at this excellent article at sophos.com, a lot of people don’t change the default password for their voicemail. Additionally, most users don’t understand that the convenience of being able to access voicemail from a different phone is a security risk that should at least be managed, if not disabled. (Admittedly, a number of phone providers don’t give you the option to disable remote access to voicemail.)

Simply put, News of the World’s private investigator gambled that the victims of his snooping didn’t bother to change their voicemail passwords from default values, and didn’t disable (if they even could disable) remote voicemail access.

Again, I am not suggesting what News of the World did was OK. That people don’t protect themselves from being violated does not make it OK to violate them.

My point is that what News of the World did is not hacking; at no point did anything not perform as designed. It also isn’t cracking; at no point was any procedure undertaken to circumvent the built-in security of the voicemail systems in question. The victims’ misunderstandings and inaction were exploited. That’s social engineering.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/news-of-the-world-wasnt-hacking-voicemail-it-was-blagging

Tags: ethics, hacking, journalism, newspapers, privacy, social engineering

Google Search Results Encourage New Wave Of Negative Customer Service

Doug Vanderweide — Mon, 29 Nov 2010 03:00:48 +0000

A fascinating article in today’s New York Times examines the case of DecorMyEyes, an online eyeglasses retailer who’s found an interesting exploit in Google’s search rankings.

Noting that Google’s PageRank algorithm doesn’t determine if a linkback to a Web site is positive or negative, store owner Vitoly Borker games that system simply: He fights every customer complaint bitterly, with verbal abuse, counter-complaints, and what some construe as overt threats of violence.

Update, Dec. 2, 2010: Google has changed its PageRank algorithm to weigh the negativity of comments.

This aggressive, seemingly destructive behavior is so over-the-top, it leads disgruntled customers to complain everyplace they can online, including at such massive entities as Get Satisfaction.

The long and short: Lots of mentions and links to his Web site, plus lots of mentions of the brands he sells, all in context, often on high-traffic Web sites, means searching for a specific pair of eyeglasses often leads to Borker’s Web site being listed first in a Google search.

Borker effectively preys on the inexperienced online shopper. “If you’re the type of person who reads consumer reviews,” says the Times, “Mr. Borker would rather you shop elsewhere.”

He gets away with it via a combination of apathy and obeying the letter of the law.

His previous hosting company and eBay (from where he buys glasses for resale) ignored scores of complaints until the Times inquired about his accounts. The confusion law enforcement has over Web-based commerce crime, including the IC3, means police have largely been absent, even in the face of obvious violations of the law.

Borker carefully monitors Visa and MasterCard complaints, making sure he doesn’t go past the monthly complaint limits. After MasterCard closed one of his merchant accounts, he opened another:

“There is no such thing as shutting someone down on the Internet,” he said during our initial telephone interview. “It isn’t possible. If Visa and MasterCard ever shut me down, I’d use the name of a friend of mine. Give him 1 percent.”

Most interesting, Borker sells on Amazon.com’s Marketplace, and doesn’t employ any nastiness there, because Amazon has a very low tolerance for customer complaints, according to the Times.

The Genius Of Borker

Let me be clear, right up front: What Borker is doing is awful. No decent human being can endorse any of it. But one cannot deny the genius behind it, especially using arrogance to game arrogance.

Anyone experienced with a large Web host knows, they generally have no interest or incentive to discontinue any but the most odious of Web sites. Unless a site is getting a host thrown into a black hole list; is generating actual lawsuits, warrants or court orders; or is generating loads of negative publicity, most Web hosting providers ignore complaints.

Usually, that’s a good thing; not liking a Web site’s message is seldom reason to have it removed, and admittedly, anyone who puts in any due diligence would never buy from DecorMyEyes. That said, there’s a very good point about being a good corporate citizen, and there’s no question that what Borker is doing is exploitation at its worst.

Anyone who’s been on eBay for any period of time also knows how arbitrary both its rules and its rules enforcement prove. Simply put, only repeated and egregious violations get one in trouble.

There’s really only three ways to get kicked off of eBay: never pay for anything, never ship anything you’ve sold, or don’t pay your eBay fees. Even then, one can simply sign up with a new e-mail address / under someone else’s name.

Anyone who’s had the misfortune of dealing with local law enforcement knows how little most police understand the Internet, and how most don’t care to prosecute such crimes because of jurisdictional questions.

I have had two occasions to deal with Internet harassment over the years. In one case, it took several overt threats from an e-mailer to get the police to contact the person involved and tell him to stop. In the other, it took scores of spam messages and extensive evidence that it was all coming from a specific, out-of-state IP address in the same neighborhood as someone with whom I had an eBay dispute to get police in his home state to issue him a warning.

Similarly, there is zero incentive for Visa and MasterCard to intervene with vendors who ship defective or fraudulent merchandise. Some percentage of victims won’t complain at all. Another percentage won’t fight a refusal to reverse charges. Practically none will sue. In the end, it’s more profitable to look the other way on occasional fraud.

And again, their incentive is in having more sellers, not fewer, so there’s little reason for them to strongly vet new applications, to ensure those who ultimately profit weren’t previously banned.

So yes, what Borker is doing is loathesome. But it’s a product of the compromises we’ve made to keep the Internet an open and free place to operate.

Ultimately, I believe that those who have done business with him only have themselves to blame, given that the ease of finding his store is equivalent to the ease of discovering what a shady operator he is. It’s not only caveat emptor, it’s “freedom isn’t free.” Protect yourself at all times in the ring.

Tags: Amazon, ethics, Google, hacking, privacy, reputation

xkcd Nails The Real Security Threat

Doug Vanderweide — Mon, 13 Sep 2010 16:13:11 +0000

As I was saying … today’s comic from xkcd:

No related posts.

Tags: hacking, identity theft, login / membership, privacy, xkcd

Killing Tynt’s “Read More” Clipboard Copy Hijacker With The Adblock Plus Plug-In For Firefox

Doug Vanderweide — Mon, 19 Jul 2010 23:07:12 +0000

Update, 20 July 2011: I received an e-mail that notes the correct link to Tynt’s opt-out button is now http://www.tynt.com/tynt-users-opt-out. Its author adds that he believes their opt-out system now works.

Tynt's annoying Read More clipboard jacking: You can kill it with AdBlock Plus for Firefox.

I love Firefox. It’s pretty much the only Web browser I use.

I hate Tynt. If you’ve ever copied text from a Web page, then pasted it, only to find a mysterious “Read More:” link inserted at the end of the text you copied, you just ran headfirst into Tynt.

Each time a user pastes content from your website into an email, blog or website, we automatically add a URL link back to your site’s original content. When someone clicks that URL, they are directed back to your site and see the original content. This drives incremental traffic to your site when your content is shared without your knowledge while maintaining a consistent user experience.

It may well be a “consistent user experience” for me to have to hit the backspace key to delete the “Read more” link Tynt adds every time I copy a small block of text, but it’s a consistently annoying experience.

I appreciate the importance of reciprocal links. I understand the challenge to content publishers of having content lifted from their Web sites without attribution.

So before I get into details about this fix, let me be clear: If you copy Web content, attribute it. It’s the right thing to do.

That said, there’s a wrong way of getting people to do the right thing, and Tynt is definitely the wrong way.

I find having my simple act of extracting a quote from a Web page turned into a link-spamming takeover of my local machine to be far more disturbing than a tracking cookie or layer ad.

Don’t be messing with my clipboard. It’s mine, not yours. I will put into it what I want there, not what you want.

Fortunately, I was able to put an immediate end to Tynt’s “Read More” clipboard copy highjacking in Firefox with Adblock Plus, a highly popular add-in that does what its name suggests: Blocks advertisements, and other content, from displaying on a page.

How To Block Tynt In Firefox Via Adblock Plus

I don’t mind Web ads. In fact, on many sites, ads are quite useful. But I absolutely despise Tynt, so I went ahead and installed Adblock Plus specifically to deal with it:

I installed AdBlock Plus from the link above.
After restarting Firefox, I was asked to choose a “filter subscription,” which is basically a series of user-contributed rules that block various ads, scripts, images, etc.
1. Because I don’t mind Web ads, I chose “Cancel.” Adblock Plus warned me that without a subscription, I would need to add any filters manually; I clicked OK.
2. You can go ahead and add a filter subscription. The “EasyList” subscription is supposed to block Tynt’s functionality; however, I found that was not always the case. For example, the EasyList (English) subscription available at this writing did not block Tynt on MySpace.
I selected Tools –> Add-ons, then clicked the Options button under Adblock Plus.
I clicked “Add Filter” at the bottom of the window that came up.
A “New filter” line opened.
1. In the text box beneath, I entered *tynt* and hit the Enter key.
2. A red exclamation point resulted, which indicated that the filter was a regular expression / too short to be optimized. I accepted that; the reason why appears below.
I clicked OK on the filter editing window and Close on the add-ons dialog box.

The dialog boxes for Adblock Plus that accommodate my Tynt killing filter.

And just like that, I have not been bothered since by Tynt’s annoying “Read More” hijacking.

The Alternatives Didn’t Work

There are a number of suggestions out there to put an end to Tynt’s activities. I tried most but found them wanting compared to my solution.

Block tcr.tynt.com via your computer’s HOSTS file: This was a popular suggestion. Many claimed it worked fine for them. But some Web sites — again, MySpace serves as an excellent example — aren’t stopped by blocking that one domain.

Tynt actually uses a number of subdomains to deliver its services; in some cases, the Tynt scripts run off the Web server you’re visiting. Since you can’t use wildcards in a HOSTS file, that means adding dozens of entries to the HOSTS file; and again, even that won’t stop Tynt if it is running off the local Web server.

Use the NoScript add-on for Firefox: Another option is to employ NoScript. But that is a nuclear solution; NoScript is pessimistic.

In other words, it blocks all Web sites from running JavaScript, and allows you to whitelist sites. That might have been an acceptable approach to annoying scripts five years ago, but in this age, your Web experience is going to be seriously curtailed if you start by blocking scripts.

Use the YesScript add-on for Firefox: YesScript is a Firefox add-on that takes an optimistic approach to JavaScript. That is, you can blacklist sites, rather than having to whitelist them, as in NoScript.

Unfortunately, I did not see a way to use wildcards with YesScript, which pretty much made it the same as the HOSTS file option; and therefore, it did not work, for pretty much the same reasons.

And for the record, I looked for Greasemonkey scripts (couldn’t find one), add-ons specific to Tynt (couldn’t find one), and even tried using Tynt’s purported global opt-out button (surprise: it didn’t work).

About That Exclamation Point In Adblock Plus

Which brings us to the warning Adblock Plus shows about the filter rule.

As previously noted, our filter uses *tynt* as its expression. This is basically an instruction to Adblock Plus to block all objects that contain the letter sequence tynt: scripts, images, cookies, HTML, whatever.

Adblock Plus is smart enough to know that this is a very broad stroke; it’s four characters long, and generally speaking, that’s a wide net to cast — a net that could well catch a lot of fish we don’t want to fry.

For example, suppose we used the expression *ding*, instead. That would catch over 900 different dictionary words alone, most likely removing content from the page that we actually want to see.

On the other hand, *tynt* catches zero dictionary words. Because that combination of letters is so rare — it almost exclusively applies to content we intend to block — the chances it blocks something we want to see is infinitesimal.

But Adblock Plus doesn’t know that, so it warns us.

Finally, I used *tynt* as the filter expression because I want to block not only scripts and content emanating from tynt.com, but to also catch local implementations of Tynt’s scripts and objects.

In other words, the entire Tynt clipboard hijacking solution could be installed on the Web host I am visiting. But the objects those scripts use are going to have to invoke the term tynt in calling objects or sending requests to Tynt’s servers in order to work; I am catching every time that happens with this expression, and putting an end to it before it begins.

All links in this post on delicious: http://delicious.com/dougvdotcom/killing-tynts-read-more-clipboard-copy-hijacker-with-the-adblock-plus-plug-in-for-firefox

No related posts.

Tags: blogging, ethics, Firefox, marketing, MySpace, objects and classes, privacy, regular expression, web server

LastPass: A Great Way To Protect Your Actual Internet Privacy

Doug Vanderweide — Sat, 10 Jul 2010 04:46:52 +0000

It’s a trial for me to listen to people complain about privacy on Facebook or anonymity on the Web.

Don’t get me wrong; you aren’t going to find a bigger defender of anonymous speech than me. The same way a secret ballot preserves the integrity of the plebiscite, anonymous political speech protects republicanism.

But there’s a difference between standing up for the right of someone to publish an anonymous blog and listening to people carp about whether some stranger can see pictures of his kids.

In the case of the former, the author wants to be heard, but to protect himself from the repercussions of speaking. That’s a tradition as old as politics itself, albeit that in time, anyone who makes an impact with anonymous speech is exposed.

In the case of the average Joe bitching about his boss via a tweet, there’s a far simpler point to be made: If you put it on the Internet, it’s not private. Period.

When we waste time debating whether it’s right for some potential employer to use a five-year-old drunken tweet against you, we don’t focus on the real things people should be doing to protect their Internet identities. For example, using strong passwords.

I’ll bet a dollar to doughnuts that the average person who worries about Facebook privacy is using his dog’s name as his Facebook password. And not only that, but using that same password for every Internet site he visits, including Amazon.com, online banking, travel sites, etc., etc. And not only that, but has been using the same password for years.

I’m willing to make that bet because that described my password strategy up to about a week ago. Until I discovered, and started using, LastPass.

The LastPass password vault. All your logins are kept in a remote database; LastPass says everything is encrypted and conducted over SSL, so even if your information is compromised, it won't be of use to hackers.

“LastPass is a password manager that makes web browsing easier and more secure,” says its inventors. What LastPass does is collect and store all the passwords you have for various Web sites; and, through Web browser add-ons, allows you to fill in those passwords without having to remember what they are.

What that means is, you can create a hard-to-remember, and thus more secure, password for each Web site you visit. LastPass stores that information on its servers, so you can access your login information from anywhere and any device. You need only remember one “master” password in order to be able to access the service.

Better Than The Alternatives

Now, some people will likely take umbrage at my painting this as inherently secure.

After all, once you give your login information to LastPass, you theoretically lose control of it; in theory, LastPass could collect, use or sell your information. Or allow it to be compromised by a third party. Or fail to properly protect its own systems and allow hackers to get that info.

All of that is true as far as it goes. The same is true, however, of the sites with which one has created a user account. What value would there be to LastPass in destroying its business model by compromising user information?

One might also note that the built-in password managers of modern Web browsers can allow the same flexibility of LastPass. If you only use one computer and one Web browser, then by all means, use its built-in password manager.

But I don’t know of many people who only access the Web from one device and browser; most people use at least a PC, and probably a cell ph0ne, and maybe a laptop, and probably two or more browsers. For most people, having a central password collection point makes sense.

Finally, LastPass says that every bit of information is encrypted with your master password, which they don’t store, and all traffic is conducted over SSL, meaning that even if hackers could compromise their systems and get your login information, it wouldn’t be of any use to them.

I don’t know if that is 100 percent true, but I have no reason to doubt what they say, and if what they say is true — which appears to be the case — then they’re right: so long as you have a strong master password, there’s no chance hackers will get any use out of stolen data.

Anyway, the summary is, I understand Web security pretty well, and I believe LastPass is secure. It’s certainly far more secure than using the same Web password for two different sites.

The Good, The Bad And The Ugly

The best things about LastPass, in addition to providing a central repository of Web site passwords that you can access from any place and any device, is:

It is remarkably good at finding login forms and properly filling them out.
It will generate secure passwords for you.
You can use it to fill out forms, such as order forms, with name, address and other information; you can even have multiple profiles, to fill out forms for business, personal, kids, etc. Again, all this is stored securely.

The things I don’t like about LastPass are:

It sometimes doesn’t properly record passwords, especially if you are changing a password. I highly recommend that you copy the password for a site, and test logging in for every site you add to LastPass. Trust me, I learned this the hard way. Copy your password, test logging in with LastPass, and make sure it works before you discard the password.
Its AutoLogin feature — which, as it suggests, will log you in automatically to a Web site, if you opt to set up a site to use it — works well some places, but wreaks havoc on others. For Facebook, Twitter and most Web forums, AutoLogin works great. For shopping sites or other places with lots of forms, it’s a major pain in the butt, and you should opt against using it.

Some hard-to-use / hard-to-understand parts of LastPass are:

The vault, where passwords are stored, is a bit cumbersome. While I like the ability to group passwords together, there are so many settings and so many things you can do with a password that it can be overwhelming to manage them.
Using LastPass with a mobile device requires a $12 per year premium service. Actually, I’m OK with that; others might not be, but I like and support the freemium model, especially when the free services work so well.

It took me the better part of a day to visit all the Web sites for which I have login information, generate, record and test new passwords.

But I know now that my online identity is far more secure than it had been; if somehow, the login information I have on a site is compromised, I know that the trouble probably can’t extend past that site, whereas before, a compromise of one site was pretty much an open invitation to compromise everything.

No related posts.

Tags: hacking, identity theft, login / membership, privacy, reputation

The Answers I Wish Facebook Had Given To User Questions

Doug Vanderweide — Wed, 12 May 2010 02:54:51 +0000

Elliot Schrage

The New York Times’ Bits blog has a post today in which chief Facebook lobbyist Elliot Schrage answers reader questions.

For a lawyer — especially a lawyer facing a Bonfire of the Vanities-worthy media frenzy, a meddling Congress, watchdog groups barking at his door and an inchoate Intifada by his longest-standing and most important partner — Schrage was pretty forthcoming; most lobbyist / marketers would equivocate their way out of a similar mess.

Actually, if you read the Times blog post closely enough, Schrage effectively admits it’s that sort of behavior that has put Facebook in hot water:

“Our desire to innovate and create new opportunities for people to share sometimes conflicts with our goal to create an easy and accessible user experience,” he wrote in the introduction. “It takes forums like this to get better ideas and insights about your needs.”

Which is the purpose behind this post. I’d like to put, in layman’s terms, Schrage’s answers to each of the questions posed, and either provide the answer I wish he had given — that is, an answer that is the plain truth about why Facebook does what it does — or expand on what he said.

Q: “Why can’t you leave well enough alone? Why do I have to do a weekly ritual of checking to see what new holes you’ve slashed into the Facebook Security Blanket, so that I have to go and hide or delete yet more stuff? Are Facebook customers really pounding on your door screaming that they want more categories of their personal data to be available to marketers every few months?”

Schrage: We are clearly upsetting people by making changes as often as we do. No personally identifiable information is shared with advertisers.

Me: Social media is young. What works and what is profitable changes quickly; what fit into the way Facebook did things, even just a few months ago, may be cutting off opportunities to make money or head off challenges from other social media providers today. That’s why things change so much: To protect and grow Facebook’s market share.

If you’re going to complain about Web advertising based on browsing habits, you probably should have stopped using the Web back in 1996. And if you’ve ever used a coupon, promo code, frequent buyer card or gift card, I’d like to kick you in the butt as I explain what, exactly, constitutes behavior-based marketing.

Q: “It used to be that I could limit what strangers saw about me to almost nothing. I could not show my profile picture, not allow them to ‘poke’ or message me, certainly not allow them to view my profile page. Now, even my interests have to be public information. Why can’t I control my own information anymore?”

Schrage: Using Facebook means accepting the terms of service. As the service changes to become more interactive and to leverage Facebook’s data across independent Web sites, what data gets shared needs to change, too. “If you’re not comfortable sharing, don’t.”

Me: And the horse you rode in on.

Q: “What caused the controversial glitch; what are the chances of it recurring?”

Schrage: Engineering screwed the pooch. Let’s hope that doesn’t happen again.

Me: Been there, done that. More times than I’d like to admit.

Q: “What are Facebook’s legal liabilities should any critical information be leaked and misused?”

Schrage: An exodus of users would hurt us way more than any stupid law, or lawsuit, will ever manage.

Me: Amen, brother. Facebook’s bread and butter is in having lots and lots of users sharing lots and lots of information. That’s why Facebook will never charge a basic user fee, regardless of the endlessly recycled rumors to the contrary.

Q: “Has Facebook ever considered asking us, the hundreds of millions of users who make money for them, what we would or would rather not have? You know, sort of like asking the customer what they would prefer?”

Schrage: You mean the millions of dollars we spend every year on market research and focus groups?

Me: And the “anyone can make anything” framework that powers thousands of annoying quiz, game and trinket-swap programs?

Seems to me every time we ask tens of millions of Americans to make a decision, we manage to mess things up badly. Facebook has a better idea than Joe the Plumber of how it should work and what makes a successful social media empire.

Q: “What is the long-term plan to monetize Facebook’s huge traffic, and how will that impact user privacy?”

Schrage: Targeted ads will pay the bills. We don’t need to sell personally identifiable information.

Me: Let’s not forget becoming a primary content portal, the possibility of charging businesses to operate pages on the site, and selling to others the same aggregated data you use to place targeted ads.

That might be back-burner stuff at the moment, but it’s coming, especially if Facebook continues to grow in its role as a source of single sign-on to other Web sites.

Q: “What’s the actual, real-life-applicable upside for the Facebook user of any of the recent changes you’ve made to privacy settings? How do they make the site better for me?”

Schrage: Social networking only works if people are looking at what you are sharing. If Facebook’s data of shared items can permeate everyplace on the Web — major news sites, Pandora, etc. — that’s a lot more useful than having to run TweetDeck, or having to visit Facebook itself. Let Facebook come to you, wherever you are; that’s how we will conquer the Web.

Me: MySpace had a closed model in which there was no API provided to third parties to leverage its data and share what you do elsewhere on the Web; MySpace lets you completely shut out strangers from your profile. Look where that got them.

Q: “I’d like to ask Elliot, and all the senior staff at Facebook, what are the privacy settings for their own personal Facebook accounts? Can you share the settings (not your personal data, obviously) with the NYT and Facebook users?”

Schrage: I don’t use the default privacy settings for Facebook. Neither does Facebook CEO Mark Zuckerberg. That’s because we ain’t your friend, and we ain’t gonna be your friend.

Me: Take that, Schrage! Best question of them all.

It is worth noting the irony that Schrage’s Facebook profile can’t be found via searching Facebook. The one profile I found with a photo (and with the permalink user name of elliot.schrage) clearly isn’t the Elliot Schrage, and the other two listings had no identifying information other than sex. These, of course, could be troll accounts.

Schrage is also listed on the Facebook executives bios media page.

But, seriously, if you’re going to claim your default privacy settings are innocuous, shouldn’t all your executives have profiles that conform to, and reveal legitimate information under, the default privacy settings?

Q: “Why not simply set everything up for opt-in rather than opt-out? Facebook seems to assume that users generally want all the details of their private lives made public.”

Schrage: You shouldn’t put things on the Internet that you don’t want others to see. Or you could just go pound sand.

Me: Pwned!

Q: “I love Facebook, but I am increasingly frustrated by the convoluted nature of the privacy settings. It’s clearly within Facebook’s ability to make the privacy settings clear and easy to use — why hasn’t this been a focus?”

Schrage: To make privacy settings simple enough for the average middle-class housewife to operate, we have to use very broad settings. If we let users micromanage privacy, they’ll mess it up badly.

Me: Take it from someone who has made a lot of money cleaning up PCs trashed by users who click things randomly: He’s underselling the problem. I have provided step-by-step instructions on how to change Facebook settings — sometimes, even including screenshots — and had them botched beyond recognition.

Q: “What happens when an account is deleted? Do one’s posts on walls, photos, and fan pages remain visible on the site? How long does user data remain on your servers?”

Schrage: If you deactivate your account, your name and posts on other profiles remain, but your profile effectively disappears. If you delete your account, your name and posts on other people’s walls get attributed to “anonymous,” your profile is gone, and the stuff you’ve put on Facebook is deleted over time.

Me: What he said.

Q: “How can I easily see what people who aren’t my friends but are members of Facebook see about me in my profile?”

Schrage: There’s a preview my profile button when you edit your profile, and there’s a button on the Privacy guide page.

Me: RTFM, n00b.

Q: “Also, what of my information is being indexed by search engines?”

Schrage: Whatever information you set to be viewable by “Everyone” in your privacy settings; and, a standardized search engine listing page, if you have checked that box in your privacy settings.

Me: STFW, n00b.

Q: “Why must I link to a page for my school, job, or interests and make them public, or delete the information entirely?”

Schrage: It’s easier to physically link the relationships between classmates, coworkers and the like if we can standardize both how, and where, you list your school, employer and interests.

Me: The purpose behind social media is to connect to people with whom you might have similarities. If you don’t want to do that, just make a private blog.

Wrapping Up

Man, I gotta tell you, that was a lot of fun. I have more to say about Facebook and all the concerns about privacy, so watch for a post on that soon.

All links in this post on delicious: http://delicious.com/dougvdotcom/the-answers-i-wish-facebook-had-given-to-user-questions

Tags: Amazon, brands / identity, ethics, Google, graphic design, leadership, login / membership, marketing, MySpace, privacy

On Facebook, Appendix: The Rapid Decline Of AOL

Doug Vanderweide — Mon, 26 Apr 2010 15:47:22 +0000

In an earlier blog post, I called Facebook “a 1998-vintage AOL that doesn’t suck,” by which I meant, Facebook is a convenient way to aggregate and streamline all the information on the Web into a smaller, easier-to-manage stream of information, just as America Online was in its heydey.

The benefit of Facebook over other portals and social media — including AOL — is not only that it brings together several kinds of sharing (video, pictures, text, blog, application, games, etc.), it allows the end user to effectively customize what he shares, how he shares it and with whom.

In other words, the Facebook experience is driven by the end user, not the limitations or expectations of Facebook itself. (Yes, I understand users can’t do things that Facebook is incapable of or unwilling to allow them to do. Please grant me the license to make my general point.)

At least, more so than with other social media platforms, such as Twitter, LinkedIn, StumbleUpon, etc.

Which made my stumbling across this recent chart from International Business Management News, detailing significant events vs. AOL membership over the last decade, all the more serendipitous (click image for full-size pic at flicker, in new window):

I think it’s safe to assume that old-media thinking is at the heart of the problem. When AOL changed its models, it did so too late; and no amount of stealing big-name talent and purchasing promising start-ups can overcome trying to sell the wrong things to the wrong people in the wrong way.

Again, congratulations to Facebook for its success, be that the result of wisdom beyond its time, sheer luck or a combination of the two.

But I fully expect that luck, wisdom and success to run out, right around the time it looks like the Facebook behemoth can’t be stopped — as it was in 2002, when it looked like AOL would surely own the world, or in 2008, when clearly Google could do no wrong.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/on-facebook-appendix-the-rapid-decline-of-aol

Tags: Google, leadership, marketing, MySpace, privacy, reputation

On Facebook’s New Features, Privacy And The Near Future Of The Web

Doug Vanderweide — Mon, 26 Apr 2010 06:46:31 +0000

Quite a bit has been made recently of the changes to Facebook’s default settings, an extensive expansion of how Facebook shares data with other Web sites, and how all that works within the traditional expectation — if not the fundamental understanding — most people have about privacy.

Facebook’s recent change to, by default, share public user information with partner Web sites — namely, Microsoft’s Docs.com, Internet radio provider Pandora and city-based business review site Yelp — is “building a largely closed, alternative version of the Internet,” or, in plainer language, “a power grab.”

This argument is further (and ironically) strengthened by Facebook’s announcement at the recent f8 developer conference that it is switching from its proprietary Facebook Connect login system to OAuth, the soon-to-be-a-standard, open Web site authentication protocol. In so doing, the fabled idea of the “single sign-on” for all Web sites becomes less pipe dream and more within reach — with Facebook the linchpin, and by inference, the one link that can’t be removed from the chain.

In other words, Facebook is a 1998-vintage AOL that doesn’t suck.

That’s not a bad thing. Actually, it’s a great thing.

The Price Of A Web That Works: Your “Privacy”

Yahoo! has been trying to be AOL that doesn’t suck ever since 1994, but it sucks almost as much as AOL and is run by business people with about as much foresight as old-media behemoth Time Warner. (I clearly remember, back in the late 1990s, all the buzz about “portals” and the need to be the conduit through which everyone searched the Web. How is that fundamentally different from what Facebook is actually achieving now?)

But because it is so grossly incompetent, nobody goes around accusing Yahoo! of being the second Evil Empire. For what that’s worth, the first IT Evil Empire, Microsoft, is so inept at Web strategies, no one even considers raising its name, nonetheless a fist toward it. This, even as its one potentially useful Internet contribution — docs.com — is inextricably linked to Facebook.

Had MySpace, Bebo (a.k.a. AOL 11) or even Ning actually understood how social media work, they could be the target of such Web hysterics. Even the most prevalent previous target of Web-related hysterics — Google — doesn’t now rate the kind of ire Facebook has been getting this week.

That the promise of Web 2.0 has been so successfully seized by Facebook is proof of one of the basic, overarching laws of economic progress: Technologies that make it easy for many people to create lots of products cheaply are always handsomely rewarded.

Facebook makes social media simple. It makes the sharing and consuming media very efficient by:

consolidating a lot of communication channels (read: video, text, chat, photos, games, etc.) into one place;
aggregating significant amounts of data into easy-to-consume streams; and
ultimately allowing content consumers to dictate their experience, rather than content creators.

The price for this is, I agree, the death of the kind of privacy — or, more accurately, anonymity — most people expected in their offline lives and assume they can have online. But I have startling news: Online privacy has never existed.

There is only what you don’t say, what others don’t say about you, what people interested in you aren’t willing to seek out, and whatever real-world reputation you actually create.

About the best you can do to preserve your online privacy is never go online; because once you do, everything you have done and will do — from using a search engine, to chatting with complete strangers, to everything you’ve ever put on your Web site, to even your allegedly secure credit card transactions — can be known. And even refusing to go online isn’t enough; forgetting all the people finder Web sites, one of your online friends need simply mention you or post your photo on Facebook or Twitter, and you now have an online trail.

History Repeats

That Facebook does this kind of information aggregation better than anyone else — and seeks to replace the series of tubes with one giant pipe — is, therefore, really more of a question of a second kind of net neutrality, rather than the erosion of a right that neither does exist, nor, by definition of how the medium works, can exist.

It’s not whether it is fair for a few giant bandwidth providers to restrict the type of information that flows from one place to another. It’s whether it’s right for a few giant Internet presences — Facebook, Google, Amazon (by virtue of its share of the cloud computing platforms) and Apple (by virtue of its growing hold on hand-held computing devices) — to control the data we exchange.

What concerns most is the idea of Big Brother — that one, overriding entity has control of all the information about us, and can easily interrelate and aggregate that information to anyone, probably for a price.

This is an entirely valid fear. I share the same distrust of all large organizations, be they governments, companies, armies or mobs. And there is no example from history, of which I am aware, of any large organization that built or retained power without resorting to compulsion of its subjects and violent opposition of its critics nee enemies.

I admit that’s hyperbole. It is a more than just a stretch to assume that this blog will cease to exist, or be hard to find, due to Facebook’s successes.

But that is not to suggest that coming here is something the average user would care to do, if Facebook directly presented users who might like this blog with dozens of alternative blogs, perhaps more germane to their interests, right in their news streams, based on the types of Web queries they are using and sites they are visiting.

In other words, as Facebook succeeds, the onus on others to leverage its success increases. And this, in turn, becomes the snowball effect.

In 1994, it was not unusual to not have an e-mail account, but unimaginable to not have a land line. Today, not having an e-mail address is almost unfathomable; but wireless-only households are increasing rapidly.

One can expect this to happen as Facebook continues to push being the preferred platform for data exchange on the Web.

Real ‘Net Neutrality’ And Privacy: Obfuscation, Decentralization

When considered in the abstract, this chain of events was to be expected. As the neolithic and agricultural revolutions took place, we went from having a rudimentary understanding of property to an exceedingly complex one; as the industrial revolution took root, we went from a strict, property-and-possession based understanding of money and wealth to one more sophisticated, abstract and — as recent events have borne out — difficult to measure or appreciate.

We are still in the infancy of the information revolution, and one of its primary victims will be our traditional sense of privacy.

When we changed from hunter-gatherers into farmers, we had to accept that the freedom we enjoyed to use whatever land we were on needed to bend to the right of property. When we changed from farmers to factory workers, we had to change our concepts of personal liberty, both in the sense of our right to work for our own benefit and to not enslave others.

One of the first tests we are facing in the information age is our ability to maintain secrets.

In past economic revolutions, there were a number of convulsions, many of them quite destructive. We saw monopolies, government excesses, popular revolts, bloodshed on grand scales and plenty of trial and error before we reached hegemony. There’s no reason to expect that isn’t going to be the case with the information economy.

In the case of previous economic revolutions, hegemony was built on two footings: obfuscation and decentralization.

That is, monopolies could not survive, based largely due to public revolt; but a sort of plutocracy took over, one based primarily in the fact that it is just complex enough to prevent any one player from controlling it in large part, in turn leaving enough options so that even if popular opinion turns against any one part, attacking (or even destroying) it makes no difference.

For example, great hue and cry is raised every year about “special interests” controlling Washington, DC. Enough laws and restrictions have been passed since the founding of the United States, to control the voices of special interests, that if the problem could be solved, it should have been solved by now.

But there are enough “special interests” — and so many ways to peddle influence, since the U.S. government has its hands in every pocket — that not only does no one effort to restrict influence work as advertised; the entire sum of all efforts have been for naught.

That’s obfuscation and decentralization in practice.

We’re Still At The Drawing Board

I think what we see, today, is Facebook as a step toward whatever the Web is going to be. Even as Google captured the majority of search, it has not succeeded where Facebook has: in aggregating communication into a convenient channel. That elusive goal AOL had nearly achieved at the birth of the Web has come full circle, just as the server-client model went to client-server and now, back again, via the graces of cloud computing.

Will Facebook be akin to feudalism, or the robber baron, as critics today predict? Probably. I really don’t see any place for it to go but there.

But vassals and Standard Oil went the way they went because those models didn’t work. I have to believe that the Facebook model, too, will eventually bend to humanity and practicality.

Will it require government intervention, or worse, outright civic revolt, to loose Facebook’s grip? Of the former, perhaps; of the latter, probably not, but if I knew the answer for sure, I wouldn’t be writing this post, I’d be cashing very large checks.

But I do have confidence that history will repeat itself, if we consider the information economy in wide view. Facebook is a second draft of the social Web, and I assume we aren’t nearly done drawing yet.

Facebook is but the villain of the moment, as Microsoft was, Google is and Apple is becoming.

All links in this post on delicious: http://delicious.com/dougvdotcom/on-facebooks-new-features-privacy-and-the-near-future-of-the-web

Tags: Amazon, brands / identity, cloud computing, CNET, ebooks, ethics, Google, leadership, marketing, Microsoft, MySpace, OAuth, privacy, reputation, slashdot

dougv.com « Doug Vanderweide » privacy

Tumblr Mangles Developer Relations

Background

A Completely Wrong-Headed Approach

A Proper Response

Related Posts

Review: Free: The Future of a Radical Price

Related Posts

News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

Related Posts

Google Search Results Encourage New Wave Of Negative Customer Service

The Genius Of Borker

Related Posts

xkcd Nails The Real Security Threat

Related Posts

Killing Tynt’s “Read More” Clipboard Copy Hijacker With The Adblock Plus Plug-In For Firefox

How To Block Tynt In Firefox Via Adblock Plus

The Alternatives Didn’t Work

About That Exclamation Point In Adblock Plus

Related Posts

LastPass: A Great Way To Protect Your Actual Internet Privacy

Better Than The Alternatives

The Good, The Bad And The Ugly

Related Posts

The Answers I Wish Facebook Had Given To User Questions

Related Posts

On Facebook, Appendix: The Rapid Decline Of AOL

Related Posts

On Facebook’s New Features, Privacy And The Near Future Of The Web

The Price Of A Web That Works: Your “Privacy”

History Repeats

Real ‘Net Neutrality’ And Privacy: Obfuscation, Decentralization

We’re Still At The Drawing Board

Related Posts