BKaF - Brad Kovach and Friends

 
 

4 Awesome Internet Security Trends

In the new, digital economy, security is becoming more and more important. Online accounts are available everywhere. Your data needs to be safe. Security engineers have been paying a lot of attention to online security lately. Here are some trends in online security that are making the Internet a safer place.

1. Security Keys

Multi-factor authentication, a way of using MORE than a username and password to prove your identity, is making serious advances.

Security keys are one popular multi-factor method of securing online accounts. Basically, you’re issued a keychain-sized device that contains a code-generation algorithm seeded with a secret unique to you. On the device, a 6-digit code changes every 30 seconds. The algorithm and the secret are shared between your device and the server that you’ll be authenticating with, so the server can generate the number, too. When the time comes to log in, both ends of the transaction are able to generate THE SAME NUMBER and authenticate.

Currently, eBay/PayPal is mass-marketing these security devices. You can secure your account (not that it already isn’t) for a one-time fee of $5.00 USD. After your account is secured, logging in needs a username, a password AND the 6 digits that change every 30 seconds. Unfortunately, this is ONLY available in the United States, Germany, and Australia.

PayPal.com
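To show the “same number on both ends” idea concretely, here is an added example (not code from the post, and not PayPal’s or VeriSign’s token algorithm, which isn’t published here). It assumes the device and the server share a secret and use the standard time-based one-time password construction (HOTP, RFC 4226, driven by a 30-second counter, RFC 6238). The secret in main is a constructed sample value; a real token’s seed is provisioned by the issuer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// hotp derives a numeric code from a shared secret and a counter (RFC 4226):
// HMAC-SHA1 the counter, take 4 bytes at a dynamic offset, reduce modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits { // left-pad so "042" style codes keep their leading zeros
		s = "0" + s
	}
	return s
}

// totp is hotp with the counter set to "how many 30-second steps since the Unix
// epoch" (RFC 6238). The keychain device and the server can both compute it,
// because both know the secret and both have a clock.
func totp(secret []byte, unix int64, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// verify is the server side: recompute the code and compare in constant time.
// The previous 30-second window is also accepted so a code typed just before it
// rolled over still works; anything older is rejected.
func verify(secret []byte, nowUnix int64, submitted string) bool {
	for _, skew := range []int64{0, -30} {
		expected := totp(secret, nowUnix+skew, 30, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample secret (this is also the RFC 6238 test-vector seed).
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6) // what the device displays
	fmt.Println("device shows:", code, "server accepts:", verify(secret, now, code))
}
```

The server never stores the codes, only the seed; the 30-second window is why a code read off the device a moment ago is useless to anyone who sees it later.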

2. Key-Based Authentication

Another advance in the identity-proving arena is key-based authentication. Rather than a username and password, a user has a login key containing a unique set of information that belongs only to that visitor.

The authenticating server holds a public-safe variant of that private key, giving the user the digital equivalent of a padlock/key system. When a connection is initiated with a server, your computer unlocks your private key (with your password, if you added one) and, inside a securely encrypted tunnel, uses it to answer the server’s challenge; the private key itself never leaves your machine. The server checks the answer against the key file it holds (the padlock). If successful, you are securely authenticated to the service. Essentially, rather than a short password that you have to type in, you have a long (1024 bits isn’t out-of-the-ordinary) key file that takes the password’s place.

Public implementations of this are still in the works; however, SSH has been using it for a long time now.

Learn more: http://www.laubenheimer.net/ssh-keys.shtml
Secure Shell on Wikipedia
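An added example of the padlock/key exchange described above (my code, not the post’s and not OpenSSH’s implementation). It assumes an Ed25519 key pair standing in for the SSH key: the server keeps only the public half per user, like an authorized_keys file, hands out a fresh random challenge, and the client proves it holds the private key by signing that challenge. Names such as Server, Client and authenticate are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server stores only public keys, one per user: the "padlocks".
type Server struct {
	authorized map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{authorized: map[string]ed25519.PublicKey{}}
}

// Authorize records a user's public key. In practice this happens out of band
// (the user copies the public key to the server), never during a login.
func (s *Server) Authorize(user string, pub ed25519.PublicKey) {
	s.authorized[user] = pub
}

// NewChallenge returns a fresh random nonce; a new one per login means an old
// answer cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks the client's signature on the challenge against the stored
// public key. Unknown user and bad signature yield the same error.
func (s *Server) Verify(user string, challenge, signature []byte) error {
	pub, ok := s.authorized[user]
	if !ok || !ed25519.Verify(pub, challenge, signature) {
		return errors.New("authentication failed")
	}
	return nil
}

// Client holds the private key; it never leaves this struct.
type Client struct {
	User string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewClient(user string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{User: user, priv: priv, Pub: pub}, nil
}

// Answer proves possession of the private key by signing the server's nonce.
func (c *Client) Answer(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// authenticate runs one login: challenge out, signature back, verify.
func authenticate(s *Server, c *Client) error {
	challenge, err := s.NewChallenge()
	if err != nil {
		return err
	}
	return s.Verify(c.User, challenge, c.Answer(challenge))
}

func main() {
	s := NewServer()
	alice, _ := NewClient("alice")
	s.Authorize(alice.User, alice.Pub)
	fmt.Println("alice:", authenticate(s, alice))
	imposter, _ := NewClient("alice") // same username, different key pair
	fmt.Println("imposter:", authenticate(s, imposter))
}
```

Nothing secret crosses the wire: the server sees a nonce and a signature, and a copy of the server’s key file lets someone verify logins, not perform them.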

3. OpenID

Central online identity management has been attempted in the past, but many experts say that OpenID is the best, most efficient and most flexible single sign-on system to bless the Internet so far.

Logging in with OpenID couldn’t be easier. Rather than a username/password prompt, you’re asked to provide your OpenID identity URL. This URL can be anywhere. AOL, WordPress, and many other websites host your login identities as OpenID identities. In emails I have exchanged with Facebook, I know that they, too, are working to become an OpenID provider.

After entering your OpenID identity URL, you’ll be sent to your OpenID provider (e.g. AOL) to verify your identity. It is up to the particular provider to determine the challenges that grant you access to your account. Most challenge with a simple username and password. VeriSign Labs, who licensed the PayPal Security Key, is providing OpenID solutions WITH your PayPal security key.

More information here: http://openid.net/
VeriSign PIP: http://pip.verisignlabs.com

4. Ambiguous Password Failure

When programming an authentication system, care must be taken to not reveal the underpinnings of the system and its structure.

Many websites reveal the existence of an account to a potentially malicious user by saying “incorrect password.” The problem with that type of message is that a malicious user now knows an account exists under the requested name and can proceed to break in with a brute-force or dictionary attack.

Now, many websites just say that the username or password is incorrect. Not only does this foil malicious crackers trying to confirm which accounts exist, but it causes the user to reassess his or her login credentials.

Conclusion

If you’ve seen good online security practices in the wild, let the world know in the comments area.


About Brad

Brad Kovach is an award-winning web developer from Afton, Wyoming. In his spare time, he enjoys drumming on Rock Band, and playing with this website.

Freeze! Tuesday at Thriftway.

Who: Anyone who wants to come.
What: An improv comedy event. Everyone freezes in place for a specified period of time, thaws, then leaves.
When: April Fools… 6:30PM
Where: Thriftway in Afton
Why: For fun.





Update! RSVP on Facebook!

Who: Anyone who wants to come.
What: An improv comedy event. Everyone freezes in place for a specified period of time, thaws, then leaves.
When: April fools day… Briefing starts at 6:30PM
Where: Thriftway in Afton
Why: For fun.

For anyone who cares, I stole this hilarious idea from the genii in charge at improveverywhere.com.

How

Execution of this shenanigan will be crucial. Everyone must be in the Thriftway parking lot on time at 6:30 for briefing. The briefing will let you know of any important changes to the plan.

Since documentation will be so crucial, we’ll have a few people filming the whole event. Melanie Robinson will be there with her purse/video camera. We need more hidden camera videographers. If you have a small digital camera or something, please bring it and hide it! Hide it on a shopping cart and drive around. Place it between some Macaroni and Cheese on a shelf and leave it. Just make sure it’s in a good spot.

  1. 6:30pm: Briefing.  This won’t take too long, but it’s super important!  I’ll go over final details and changes.  Be there or don’t participate!
  2. 6:45pm: Everyone will enter the store inconspicuously (in a way that isn’t obvious). You might enter with a group of friends, but we won’t herd in together. Everybody should be in the store ready at 6:50
  3. Shop… browse… do whatever—just act natural.
  4. When 7:00 hits, listen to the intercom system.
  5. When you hear the first intercom after 7:00 (if it’s not happening, Mel will get a bag boy paged), FREEZE!
  6. Wait for five more intercom announcements, and then unfreeze after the last announcement finishes.  (Emergency plan: if it’s been about 5 minutes without an announcement, Mel will have a bag boy paged to help her.  At that point, leave.)
  7. Act like nothing happened. Leave. It’s as simple as cake.

If you’re still confused, watch this video (it opens in a new window): Frozen Grand Central.

In summary

We’re freezing in Thriftway on Tuesday, April 1, 2008 for the duration of 5 intercom announcements (subject to change).

Be at the briefing in the Thriftway parking lot for final details.
Briefing: 6:30 PM
Everybody in the store by 6:50 PM
Freeze: the first announcement after 7:00PM

If you can, bring a camera or something so we can document this feat.



The Demise of Facebook… Part 3 of 3

In Parts One and Two of my series on The Demise of Facebook, I looked at Facebook’s background in general, Facebook’s infrastructure choices up to this point, and how its users have paid the price.

Security and Privacy

Facebook touts its security and privacy as a big feature. Part of Facebook’s appeal comes from the fact that you can “use privacy settings to control who sees your info.” (Quoted from Facebook’s homepage).


Facebook, although diligent in keeping information from the public eye, has lax policies regarding usage of private data within the company. A recent scoop by tech-gossip aggregator Valleywag exposed that “Facebook employees can (and do) check out anyone’s profile.”

Facebook employees can also cross-reference profile views, by perusing a list of profiles a user has viewed. Surprisingly, the privacy policy, which every user agrees to, doesn’t forbid this practice. Hypocritically, if you send a user a copy of a profile, it’s a privacy policy violation, which has previously been punished with cease and desist letters! When Facebook says you can “use privacy settings to control who sees your info,” they mean that you can use privacy settings to control who (of people that don’t work at Facebook) can see your info.

Facebook openly admits to objectionable data aggregation practices. Facebook’s privacy policy states that “we may use information about you that we collect from other sources, including but not limited to newspapers and Internet sources such as blogs, instant messaging services and other users of Facebook, to supplement your profile” (Facebook’s Privacy Policy). Translation: “we might stalk you using newspapers, blogs, instant messaging services, and other users of Facebook to help people stalk you faster.” They harvest data? This stalking process needs a cool name. Like Beacon.

Facebook Beacon

To clear up misconceptions, I need to explain some terminology. Opt-in and opt-out are words used to describe security practices. When a service is said to be opt-in, it means the user chose to partake in the service. Users can OPTion IN. When a practice is opt-out, it means the user is automatically enrolled in (and subjected to) a service, sometimes without knowing it. Users can OPTion OUT of their enrollment.

Facebook Beacon, akin to Platform in that it allows 3rd-party integration with Facebook, originally enrolled every user automatically, with no chance to opt out. When a user took an action on a non-Facebook website, such as a purchase, information was sent back to Facebook without the user’s consent.

Facebook Beacon has raised significant problems. During the 2007 holiday season, Overstock.com customers noticed that their purchases were being aggregated to Facebook… which is bad if you’re buying for a Facebook friend, or spouse…

Sean Lane’s purchase was supposed to be a surprise for his wife. Then it appeared as a news headline - “Sean Lane bought 14k White Gold 1/5 ct Diamond Eternity Flower Ring from overstock.com” - last week on the social networking Web site Facebook.

Without Lane’s knowledge, the headline was visible to everyone in his online network, including 500 classmates from Columbia University and 220 other friends, co-workers and acquaintances.

And his wife.

Facebook backs down in privacy case

It’s not all bad, though. After exposing the online habits of millions of users without permission, Facebook apologized to users, and will now allow them to opt out. Facebook CEO Mark Zuckerberg apologized for Beacon’s intrusiveness in a press release on Facebook.com. Curiously, after the apology, Beacon remains switched on by default. Millions of naive users are having information aggregated about them. I suggest you turn it off.

Turning off Beacon

  1. Go to the privacy page. [Screenshot: Opt Out of Facebook Beacon - Step 1]
  2. Select “edit settings.” [Screenshot: Opt Out of Facebook Beacon - Step 2]
  3. Check “Don’t allow any websites to send stories to my profile” and click “Save.” [Screenshot: Opt Out of Facebook Beacon - Step 3]

Update: Respect

I had this in my notes, I just forgot to add it.

Facebook may be the most fun you’ve had online. I’ve had a blast using it. Facebook is hoarding your data. People upload photos, events, their lives, etc. to Facebook. Good luck getting it back. Facebook makes it difficult, if not impossible, to cancel your account. You can “Deactivate” your account, but it’s there… waiting… for you to come back and rejoin Facebook. You can deactivate, but Facebook has all of your photos, comments, demographic information, and your online life archived… for whatever reason.

According to Facebook’s Privacy Policy, “Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

Even continued requests to Facebook support yield endless hoops to jump through. In the hilarious article 2504 Steps to closing your Facebook account, Stephen Mansour proves that it is nearly impossible to close a Facebook account. His email banter with a customer “service” representative proved it:

If you do want your information completely wiped from our servers, we can do this for you.

So he deleted everything. However…

[Facebook] apologize[s], but you have not completely deleted all of your information. You still have incoming and outgoing messages, wall posts, mini-feed stories, friends, and contact information remaining on your profile. Once you have completely removed all information from your account, I will permanently delete it for you.

Facebook doesn’t respect your data. They hoard it. They profit from it. Without it, they wouldn’t be worth a recent $10 billion investment from Microsoft.


The Demise of Facebook… Part 2 of 3

In Part 1 of The Demise of Facebook, I looked at several facets of Facebook that have helped it become popular. People have always been pleased with Facebook’s simple interface layout and easy navigation, but there are some flaws in Facebook that will haunt its future.

[Photo: Applications are ruining Facebook. Photo: I Started Something]

Platform

In the beginning, when Facebook was limited, it provided simple features: messaging, friend lists, event management, etc. As Facebook grew, so did its vision. Facebook has grown from simple networking/messaging to an online social operating system. CEO Mark Zuckerberg even voiced in his F8 (ironically spells fate) Keynote that the new vision of Facebook is to become an operating system.

Facebook Platform, a mesh of extensive APIs and programming malarkey, allows developers to build on to Facebook. Developers can create applications that hook into Facebook, and vice-versa.

These applications are getting a mixed reception. Some people hate them. Many like them. But all are plagued by the spam-like social nature of the applications. Some applications, such as the Picasa application, provide a useful conduit to another service on the Internet. The Picasa application, for example, allows you to upload photos, using the Picasa desktop program, straight to Facebook. Other applications have missed the mark entirely.

Applications are getting out of hand. People loved the mature Facebook. It was messaging/friend-making/event-planning bliss. Facebook is locked in a gradual, deadly decline.

When I log on to Facebook, dozens of “application invites” plug up my notification area. People want to know if I want to play “Pirates vs. Ninjas”… Hell no. “Grow a plant on my profile?”… Like weed? Punch someone?… Yeah, in real life.

Application developers are loving the gigantic social graph they tap into with their applications. For example, a Stanford course on Facebook Applications was collectively able to obtain 10 million users in 10 weeks. People are raking it in, too. A do-what-you-want policy lets application developers maintain applications for no fees, and serve advertisements without penalty. This win-win model allows some application developers to earn upwards of $4,000 a day.

Facebook has been deemed the number 1 persuasive technology [1]. This clout, coupled with the power of the social graph, greedy developers and a juicy API, has rocketed Facebook into the online operating system world. Although capable, Facebook will never be taken seriously as an online operating system due to the fact that “Pirates vs. Ninjas” has nothing to do with productivity or networking. At all.

Citations

  1. Learning to Create Engaging Apps for Facebook: What Works and What Does Not - http://www.baychi.org/calendar/20071211/#1
  2. Facebook Developers | Videos - http://developers.facebook.com/videos.php


The Demise of Facebook… Part 1 of 3

Everyone has seen the Facebook train-wreck a-coming. I’ve been doing a lot of research on Facebook and will now throw my hat into the ring: Facebook needs to shape up, or they’ll lose users with dumb mistakes, just like MySpace.

Facebook started as a social networking website with a clean interface that helped its users navigate efficiently [3]. Headed by college dropout [2] Mark Zuckerberg, Facebook blossomed into the monstrosity that it is today. Facebook is the host of nearly 58 million profiles, with an expected beyond-60-million-member milestone set for the end of 2007 [1].

[Photo: Mark Zuckerberg. Photo: Facebook.com]

Facebook began in February 2004 [3], when Zuckerberg created it to host profiles for Harvard University, which he was then attending. Soon, Zuckerberg opened Facebook to any college student with a collegiate email address.

Facebook slowly opened membership to younger audiences. On September 2, 2005, high schools, also subject to exclusivity restrictions, began appearing on Facebook [2]. No big deal. By February 27, 2007, high-school members were allowed to network with college members [1].

Facebook has slowly been opening to more demographics. Now, if you’re alive, older than 13, in school [4] and able to read, you can join Facebook. This greatly enriches the so-called “social graph,” a term used by Zuckerberg and Facebook to illustrate the vast amount of connections people make with each other using Facebook [3].

Facebook’s success shadowed that of networking behemoth MySpace. Watching MySpace’s failures, especially the “pedophile era” that everyone remembers, was beneficial for Facebook. They quickly learned that privacy, most of all, was the priority; in fact, Facebook’s homepage still touts privacy as a “top 6” feature.

[Screenshot: The Facebook signup spiel. Screen captured from Facebook.com]

Facebook has had a blessed history. They had a successful beginning, a great run so far, but it’s coming to an end. Part 2 of my three-part series will focus on the social graph’s potential, and how the greed associated with a gigantic community drove Facebook to create Facebook Platform, a way for developers to connect their own application development into Facebook’s gigantic “social graph.”

And so the fun begins.

Citations

  1. Facebook - From Wikipedia, the free Encyclopedia
  2. Mark Zuckerberg - From Wikipedia, the free Encyclopedia
  3. Facebook | Factsheet - From Facebook Press Page
  4. Terms of Use - From Facebook



© Brad Kovach and Friends 2004-2008 | Powered by Wordpress

Brad Kovach and friends is a website made by friends for the world's enjoyment. We like computers, art, having fun, and sharing! We try to keep things G-rated, but we're all adults, so take that for what it's worth.