Site News

March 29, 2010 in News, Technology by Michael L Wells

Facebook may share user data with third party sites automatically. What happens when Facebook goes too far? Do users have the will to revolt? by Larry Dignan

Source

Much of what you need to know about Facebook’s proposed privacy changes boils down to timing: Friday, 3:04 p.m. PDT. Why is the timing important? That’s when you typically roll out news you don’t want folks to pay a lot of attention to.

For instance, some companies have famously issued profit warnings on a Friday before a four-day July 4 weekend. The news cycle may have compressed or even disappeared, but for the average bear—the poor fellow who can’t possibly keep up with Facebook’s open site governance—the news cycle exists. You sort of tune out on weekends.

So what’s Facebook trying to downplay? Try a proposed privacy setting change where Facebook will share user data with external sites automatically. Perhaps it’s an improvement to Facebook Connect that’ll change your life. Or it’s just creepy. In either case, here’s the excerpt:

Pre-Approved Third-Party Websites and Applications. In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website). In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy. For example, these agreements include provisions relating to the access and deletion of your General Information, along with your ability to opt-out of the experience being offered. You can also remove any pre-approved website or application you have visited here [add link], or block all pre-approved websites and applications from getting your General Information when you visit them here [add link].

In other words, the sharing with everyone move by Facebook makes a little more sense. Facebook will now share your data with a bunch of partners. It’s Facebook Beacon done right (for Facebook).

Now back to the timing. Facebook’s timing is notable and tells us more than we need to know about the proposed privacy changes. On cue, all of the folks that pay attention to Facebook’s privacy moves closely—TechCrunch, ReadWriteWeb, Louis Gray and Inside Facebook—rang the alarm bells. After all, do we really want to share information with sites screened by Facebook and not the user? And just as the oldest media trick would dictate, the hubbub was fierce on Saturday and Sunday and played out by Monday—just in time for you not to notice. Weekend revolutions don’t quite work.

Bottom line: Most folks—you know the ones that are sharing every detail of their lives with everyone on the Web when Facebook changed its settings the last time—will never opt out of the sharing with third party sites. Facebook’s privacy settings are open and in sort-of-kind-of English, but the frequent changes mean that most users won’t know what’s going on.

Your data will be shared with sites Facebook chooses. Just trust Facebook and everything will be just swell.

The big question here is what happens when Facebook pushes too far. Will people deactivate accounts? I’ve been a click away three times in recent months, but have refrained. I wonder how many other people have also thought about nuking their Facebook account. At some point, Facebook will push too hard. It’s a matter of “when” not “if.”

Site Updated — New Look with Fixes!

March 29, 2010 in Featured, News, Service by Michael L Wells

As most of you reported a few weeks ago, Vraul was having serious cookie problems (issues staying logged in across different blogs). This, I found, was arising from the theme and Vraul-Bar we were using.

This of course presented the need for another re-design of the site and a re-design of the Vraul-Bar. Taking everyone’s input into consideration, we went with a thin bar that is also semi-transparent and a site theme that is clean, light, and easy to navigate. Light doesn’t mean the theme colors, but the fact it can be accessed on a low bandwidth connection and not take a few hours to load a page. This also means that many of the features that we used with Ajax have been removed, as the Ajax and JavaScript libraries were consuming the majority of the bandwidth for initially loading the home page. Once a user logs in, however, we load some libraries up so they can be used to sort through the blogs and their settings. This method seemed to best fit the demands of our users to date.

If you have an opinion we would love to hear it! Let us know how we are doing by simply responding to this post; if something needs changing, we’ll do our best to get it done!

A special thanks goes out to Jeremy Van’Order for helping beta test the new style and features!

Inactive Blogs

January 22, 2010 in News, Service by Michael L Wells

We are adding a policy to address inactive blogs and issues arising from them. This is a community website, and its rules and establishment are 100% for those of the community. We strive to keep this community clear of offending materials, spam, and other content that will make your experiences less than satisfactory. Starting February 1st, 2010, we will be deleting all blogs that have no posts (beyond the default post). Some other things that this policy will encompass:

  1. Blogs more than 7 days old with no post customized by the blog owner will be deleted.
  2. Blogs that have had no traffic for 30 days will be archived; if no requests are made to said blog for 90 days from the date of archiving, the blog will be deleted. It will be very important that the user ensures that his/her blog is receiving traffic, if nothing other than logging into the blog themselves once per 30 days.
  3. Blogs containing extreme violence, nudity, or language will be rated “Adult” and will have a feature where any visitor visiting the blog will have to enter their date of birth to confirm their age before seeing the blog’s contents.  We will store this birth-date in a cookie on said user’s web browser so they aren’t harassed or hounded by any other blogs on our servers that are considered adult-type blogs.
  4. ANY BLOG suspected of being created for the purpose of search engine promotion of another website will be DELETED.  Anyone may link to their website or other websites, however the blog must contain organic content created by the blog owner and not in a manner to spew words on a posting that is only targeted to a web crawler.
  5. SPAM BLOGS (blogs created for the sole purpose of falsely inflating their page rank on another website) will be deleted.
  6. BOT BLOGS AND SIGNUPS (accounts and blogs created by software rather than a human being) will be immediately deleted (no more archiving or suspending) and a Cyber Crime report will be automatically made to the Charlotte, North Carolina, FBI Field Office.

The Spam Nightmare Ended

January 21, 2010 in Featured, News by Michael L Wells

What happens when you purposely and maliciously spam a website that is operated and owned by a company that specializes in internet and network security? The chances of that company taking the actions as a joke are very slim. When our spamming issues started, we had to first take immediate actions to get it to stop before our database became overwhelmed, and secondly we had to determine if the attacks were malicious in nature. There are a few ways to determine this, but for the purpose of spamming the main concern is, “did the aggressor intentionally try and bypass safeguards?”

The same system that defines whether a home intrusion is breaking and entering or simple trespassing applies in determining whether the spam was criminal or not: it is based upon the principle of whether someone entered through an unlocked door or window or bypassed the safeguards that were in place. In this case, we had the CAPTCHA system, which is the first safeguard against spam bots; a terms of service agreement, which would be the second, legal safeguard; and lastly other methods to “bust” typical bot access. Some spammers, though, are so persistent that they intentionally bypass these safeguards in order to vomit all of their filth all over the internet in a relentless manner. We determined that it was this type of spammer that we were up against.

How It Works

First of all, we had deployed a CAPTCHA system, which blocks 99% of bot access to our website by simply having the reader view an image with some text and type what they see. This appears to a human to be an annoyance, but a bot that is not programmed to read an image has a 99.9999999999% chance to guess the wrong code and fail the check.

Secondly, we have browser agent blocking in place. This safeguard looks at the “Browser type” accessing the website. Browsers that are marked “crawler”, “bot”, etc. are immediately blocked from the registration page. This usually blocks about 50% of the bots that are programmed to read the CAPTCHAs.

Our last line of defense is a referrer check that ensures that the user submitted the data from a form on our website. This blocks another 35% of the bots that passed the previous 2 safeguards.

As you can see, you can never be 100% effective in stopping spam on a public interface such as Vraul, but there are safeguards to keep them out.  Our friend that had spammed us had:

  1. Image reading bot to pass CAPTCHA tests
  2. Browser agent to appear to be a legitimate user. My user agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 GTBDFff GTB7.0 (.NET CLR 3.5.30729). Their user agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.6 (KHTML like Gecko) Chrome/2.0.174.0 Safari/530.6. As you can see, their bot was cloning the Chrome web browser’s signature, making it impossible for our second line of defense to stop them.
  3. Referrer spoofing. They were able to make their bot appear to have been referred from our own site by sending a referrer header made to appear to be from our own website.

From this, any monkey on a piano can put 2 and 2 together to figure out that the spamming was targeted in a manner that intentionally bypassed any and all safeguards that could possibly be put in place. Thankfully, law enforcement is on our side!
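
The two header-based safeguards described above, as an added Python example that is not the site's own code: it shows why a request carrying a cloned browser signature and a same-site referrer passes both, and goes one step beyond the post with a server-signed form token as a signal the client cannot simply declare. The host name, secret, token format and timing thresholds are assumptions, and the sample requests are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SITE_HOST = "blogs.example.test"   # assumption: placeholder host name
SECRET = b"constructed-demo-key"   # assumption: server-side secret
BOT_MARKERS = ("crawler", "bot")   # the markers the post names

def header_checks(headers):
    """Safeguards two and three from the post; both read client-supplied headers."""
    ua = headers.get("User-Agent", "").lower()
    if not ua or any(marker in ua for marker in BOT_MARKERS):
        return "blocked: user agent"
    if urlparse(headers.get("Referer", "")).hostname != SITE_HOST:
        return "blocked: referrer"
    return "pass"

def _mac(session_id, issued):
    return hmac.new(SECRET, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now):
    """Embedded in the signup form: ties the form to a session and an issue time."""
    return f"{int(now)}.{_mac(session_id, int(now))}"

def token_check(token, session_id, now, min_fill=3, max_age=900):
    """Server-verified signal: rejects forged, stale or instantly submitted forms."""
    try:
        issued_text, mac = token.split(".", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return "blocked: malformed token"
    if not hmac.compare_digest(mac, _mac(session_id, issued)):
        return "blocked: bad signature"
    if now - issued < min_fill:
        return "blocked: submitted too fast"
    if now - issued > max_age:
        return "blocked: expired"
    return "pass"

# Constructed sample requests, not logs from the site.
SIGNUP = f"http://{SITE_HOST}/signup"
DECLARED_BOT = {"User-Agent": "ExampleCrawler/1.0", "Referer": SIGNUP}
OFFSITE_POST = {"User-Agent": "Mozilla/5.0 Firefox/3.5.7", "Referer": "http://other.example.test/"}
CLONED_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.6 "
             "(KHTML like Gecko) Chrome/2.0.174.0 Safari/530.6")  # string quoted in the post
CLONED = {"User-Agent": CLONED_UA, "Referer": SIGNUP}

if __name__ == "__main__":
    for name, req in (("declared bot", DECLARED_BOT), ("off-site", OFFSITE_POST), ("cloned", CLONED)):
        print(name, "->", header_checks(req))
```

A bot that loads the form and waits before submitting still passes the token check, so it complements the CAPTCHA rather than replacing it.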

FBI Response

This morning I was informed that the FBI, Cyber Crimes Division, had tracked down the subject responsible for the spam on our website and is now days away from making an arrest. This person (or persons) is now facing criminal electronics hacking and intrusion charges, which are felonies and which, if the person is convicted, will cause them to lose the right to ever touch another computer system for the rest of their natural lives. This subject operates a SEO company that specializes in “increasing your Google page rank by 3!” Sadly, their customers will be disappointed when their page ranks now drop by 2 from the original page-rank they did receive. I am one of those rare people that knows the ins and outs of the Google Search Engine. I also have their search algorithm nailed down to a “T” — in fact I know so much that I had been propositioned in the past to go and work for Google, though the offer wasn’t still there when I was discharged from the Army. But I know enough about their system that the customers this company had that gained +3 to their page rank will be sorely disappointed to know that when someone removes a link, they lose more page-rank than they received! The formula boils down to about a 1.2 loss. So if they had a 3, gained 4 making it now 7, they would drop down to less than 2, most likely a 1.

With that said, if anyone reading this ever wants to get a better page rank, the best thing to do is ensure you thoroughly investigate the company you are doing business with and ensure that the link-backs they generate are legit and organic (no spamming). Even ask to see some of the customers that they have optimized, then search Google for “link:www.theirsite.com” to see the quality of their links. From that, if you see a bunch of spam links that make no sense whatsoever or spam blogs, etc., you know that is not the company you want. If you see links that are on forum signatures, other websites recommending the site, etc., that is a company you can stick with. I would personally recommend my own company, www.mlwassociates.com, but then again, make sure you do your own homework ;) .

Spam? Done!

January 16, 2010 in Featured, News, Service by Michael L Wells

We have ended the spam crisis by installing some filters and black-lists that will first check to see if the registration is in fact human and from a “human” web browser, then check the email address the user is registering to ensure that it is not an email address that is associated with habitual spam.

We are confident that this is nearly a 100% shot that it will end all spam signups on the forums unless the user signs up manually.
