Sunday, June 10, 2012

Facebook Lists – The Respectful Way to Use Apps

Back in April I posted Spam Nation - Disintegrating Respect One Friend at a Time in an attempt to help people reduce Facebook spam and treat one another with more respect. Some people “got it” and made changes to their app settings, but other people, people I like and respect, are still spamming their friends with notices about Bejeweled Blitz, videos they saw on SocialCam or Vimmy, stories they read on the Washington Post Social Reader, or what song they are listening to on whatever music spamming app they use to listen to music on.

I wondered why these normally polite people were still allowing their apps to spam all of their friends and I came up with three possible answers. It’s possible they didn’t understand the post. I try to make these things as understandable to as wide an audience as I can, but individuals often learn differently and maybe for some I wasn’t really clear. If that’s the case, please let me know so I can be a better educator. The second reason, and the one I think is probably the least likely, is that they really don’t care who they spam about what. I don’t think that most of my friends are like that though. The third reason, and the one I suspect is the most common one, is that they have friends that they want to share this stuff with and that they want to see. If I’m playing Words with Friends, I might want to know what other friends who play are doing too.

If you are one of those friends, or a friend of yours referred you here and this is true for you, then today I will teach you how to share with your friends who want to know while respecting the rest of your friends enough to not let your apps spam them.

The little trick here is something called lists. Of course there isn’t a link on your home page called “lists”, but it’s easy to make one. Once you make a list you can tell the apps to only send notifications to that list. This is really easy and here is how you do it!

On the left side of your newsfeed you have a grouping called “Friends”. If you hold your mouse over the word “FRIENDS” then on the right you see the word “MORE”. If this step isn’t working for you, ask me for help!

When you click on “MORE” you will see a screen like the one below, only it is probably longer. See at the top where it says “Create List”? Click that!

Now you get to the Create New List screen. Choose a name for your list and then start typing in the names of the friends you want to be on your list. As soon as you have a letter or two the friend’s name and icon will appear.

See (below) how I only had to type in two letters to get a list of friends whose names start with those two letters? I just click on the friend and move on to the next friend. It is really fast and easy.

Now when you go to add an app, notice the part that says “Who can see posts this app makes for you on your timeline”. This really should say “Control whose newsfeed we are going to spam”. In the picture below, see where I have circled “FRIENDS” in red? That is where you select who the app talks to.

Many apps default to everyone or friends. I’m going to change this to my new list that I titled “App Lovers Anonymous”.

Now all the app chatter only is seen by the people I put on my “App Lovers Anonymous” list, and not in the news feed of my friends who couldn’t care less if I play bejeweled or not.

We aren’t quite done yet. There is still the issue of the apps you already installed. It’s time to fix their spammy behavior problem!

Go to that little down arrow by the word “Home” in the upper right corner of your screen and choose “Account Settings”.

The next thing is to click on “APPS”.
On the right you will see a list of your installed apps.

Next to each app click the “Edit” link. You have to do this step for each individual app.

Now you see in the lower corner where this app is set to spam “Everyone”? I’m going to click on “Everyone” and change it to my new list “App Lovers Anonymous”.

Repeat this step for each app and now you will share with those who want the information and stop spamming the rest of the world!

Seriously, these apps don’t post all that stuff to save you the effort, they post to your timeline because it is free spam-vertising. These App publishers know that they can leverage you to spam all of your connections if you don’t limit their audience by choice. Please be considerate of your friends and only share the app messages with those who want to know it. Most of your friends probably don’t want to know what video you just watched, what songs you listen to all day, or what game you have been playing.

You can create separate lists for music, games, videos and social readers, or put them all in one or two lists. You really can share with your gaming buddies and stop annoying the rest of your friends!!!

If you want to use lists and I haven’t explained this well enough, leave me a comment here or contact me at Facebook ( and I will happily assist you!!!

Remember, it’s up to all of us to make Facebook a kinder, more respectful place by reducing the unwanted spam we can control! Share this with those who need the information, and use the information if you use apps!

Special thanks to my awesome friends Anders Nillson, Christina Ho, Kenneth Bechtel, Lisa Wolfenbarger-Wagner, Larry Bridwell, Mary Donovan, Natalie Moreno, and my sister (If I say awesome sister she’ll report to the FBI, again, that my identity was stolen by an imposter) for allowing me to use them as research guinea pigs for this article. I learned that you can’t use a group for app notifications, it has to be a list. Also, if you name a group “App Lovers Anonymous” Facebook will tell your friends that you added them to a group called “Lovers Anonymous”.

You may republish, or translate and republish this specific blog posting at no cost as long as you don't charge others for it. It would also be nice if you let me know if you republish. Thanks!

©2012 Randy Abrams - Independent Security Analyst

Wednesday, June 6, 2012

Dumb, Dumb, and Dumber

LinkedIn recently had a bit of a security problem that allowed people to access about 6 million user passwords. Actually they were unsalted hashes of passwords and that is technically different, but effectively about the same in this case. That was dumb. The password hashes should have been salted.

For the non-technical user a password “hash” is a code that the password is translated to. If I know the code I can figure out any coded password from the “hash”. A process called “salting” adds randomness to the hash, so knowing the code doesn’t let me crack all of the passwords from the hash.
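To make the salting point concrete, here is an added Python example (my illustration, not code from the post or from LinkedIn). It assumes SHA-1 as the hash algorithm, which the post does not name, and uses a constructed wordlist and constructed sample users; it shows that one precomputed table cracks every matching unsalted hash at once and exposes users who share a password, while a per-user salt forces the work to be redone for every user.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data (not LinkedIn's real dump): a short attacker
# wordlist and a handful of users, two of whom chose the same password.
WORDLIST = ["password", "linkedin", "letmein", "123456", "qwerty"]
USERS = {
    "alice": "linkedin",
    "bob": "letmein",
    "carol": "linkedin",
    "dave": "hunter2",  # not in the wordlist, so neither attack finds it
}


def unsalted_hash(password: str) -> str:
    """The "code" the post describes: the bare password run through SHA-1.
    SHA-1 is an assumption for illustration; the post does not name the
    algorithm."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same digest, but a random per-user salt is mixed in first. (A real
    site would also use a slow password hash such as bcrypt or scrypt; the
    salt alone is what this example isolates.)"""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_unsalted_dump(users: dict[str, str]) -> dict[str, str]:
    return {u: unsalted_hash(p) for u, p in users.items()}


def make_salted_dump(users: dict[str, str]) -> dict[str, tuple[bytes, str]]:
    # The salt is not secret; it is stored beside the hash.
    out = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(dump: dict[str, str], wordlist) -> dict[str, str]:
    """Build ONE table of hash -> word, then look every leaked hash up in it.
    The table is built once and reused against the entire dump."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {u: table[h] for u, h in dump.items() if h in table}


def crack_salted(dump: dict[str, tuple[bytes, str]], wordlist) -> dict[str, str]:
    """No shared table is possible: each user's salt forces the whole
    wordlist to be re-hashed for that user alone."""
    found = {}
    for u, (salt, h) in dump.items():
        for w in wordlist:
            if salted_hash(w, salt) == h:
                found[u] = w
                break
    return found


def duplicate_groups(dump: dict[str, str]) -> list[list[str]]:
    """Users sharing an unsalted hash share a password; the dump itself
    reveals that before any cracking is done."""
    by_hash = defaultdict(list)
    for u, h in dump.items():
        by_hash[h].append(u)
    return sorted(g for g in by_hash.values() if len(g) > 1)


def hash_work(n_users: int, n_words: int, salted: bool) -> int:
    """Hash computations a wordlist attack needs against a whole dump."""
    return n_users * n_words if salted else n_words


if __name__ == "__main__":
    unsalted = make_unsalted_dump(USERS)
    salted = make_salted_dump(USERS)
    print("unsalted cracked:", crack_unsalted(unsalted, WORDLIST))
    print("shared passwords visible in dump:", duplicate_groups(unsalted))
    print("salted cracked:  ", crack_salted(salted, WORDLIST))
    print("salted hashes differ for alice/carol:",
          salted["alice"][1] != salted["carol"][1])
    print("work for 6M users x 1M words, unsalted vs salted:",
          hash_work(6_000_000, 1_000_000, False),
          hash_work(6_000_000, 1_000_000, True))
```

With a small wordlist both attacks recover the same weak passwords; the difference is that the salted dump costs one full pass per user and gives away nothing about who shares a password.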

On to the next “Dumb”. As an attempted “Public Service” Mr. Chris Shiflett (  put up the website so that users can check to see if their password was one of the ones that was compromised. In order to do this you have to type in your LinkedIn password. Sorry, but despite good intentions by Mr. Shiflett, this is a dumb idea. You should never type your LinkedIn password anywhere other than at LinkedIn. If you are concerned that your password may have been one that was compromised, it is time to change it.

Now for the dumber… is not using SSL, or in other words it does not start with https. When you go to a website that starts with http nothing is encrypted. If you use public Wi-Fi then all of your data can be captured (unless WPA2 encryption is used). For this reason any reasonable web site that asks for a password uses https (encrypted) for at least the part where you send your password. LeakedIn uses http and that is really bad.

So, LinkedIn failing to use best practices when encrypting passwords was dumb. Asking users to type in their LinkedIn password anywhere other than at LinkedIn is dumb. Asking a user to type in their password on a non-SSL site is even dumber!

For the more technical users who have looked at the code on the web site, yes it is the hash and not the password that is returned to, but the problem LinkedIn has is that the unsalted hashes were leaked and LeakedIn is having users send their unsalted password hashes in plaintext across the web.

©2012 Randy Abrams - Independent Security Analyst

Wednesday, May 2, 2012

The Myth of Facebook Blocking

There’s a reason, and a damned good reason why the word “Security” appears exactly zero times at Facebook doesn’t want you to think about security and surely doesn’t care if you have a security problem.

One of the security myths on Facebook is that you can “block” a person. Sure, you can “unfriend” someone, but they can still see whatever part of your profile you make public. If you block a person, they can’t see your profile and they can’t message you either. The problem is that you cannot block a person. You can only block an account. A person can sign up for multiple Facebook accounts, so blocking an account is a relatively meaningless security measure that only has value as a symbolic gesture.

Note, I am not advocating that you sign up for another account to get around someone who may have blocked you. You need to respect that a person doesn’t want to hear from you or share information with you anymore. If you can’t do that then it is time to treat yourself kindly and get some professional therapy.

As a Facebook user it is important that you are not lulled into a false sense of security or privacy. If you really don’t want someone to be able to see your Facebook activity, then you need to make sure that you limit the audience you share information with. Unfriending and blocking are no substitute for controlling your own information.

If you have blocked someone and then they message you using a different account, you can try to find out how to report stalking, but if you go to help in Facebook, there is no answer to the question “how do I report stalking”. What you can do is “report” the conversation and maybe somebody at Facebook will take a break from scattering privacy settings across the site and take a look at your report. To report someone, click on the message and then at the top click “Actions” and then “Report Conversation” as shown here.

One thing that you have to keep in mind is that Facebook’s mission “is to give people the power to share and make the world more open and connected” and blocking stalkers doesn’t really boost advertising revenue, so there is no easy way to do it. You can find Facebook’s mission statement at, but if you try to find it using help, here is what you will see…

When you block someone, they still can see everything that you share publicly if they use another account, so take a look at your privacy settings and make sure you have limited your information so that nobody in the public can see more than information you want someone you block to see.

A good place to start is in your privacy settings, found by clicking the down arrow by the “Home” button in the upper right corner of your screen.

Today I am not going to go through all of the settings. If you care enough you will explore them and you can always send a question through the blog comment link.

I’m not quite sure why Facebook doesn’t consider it a privacy setting, but in the same drop down menu where you see “Privacy Settings” there are also account settings you need to be aware of. In account settings you should definitely look at the “Subscribers” link. To anyone outside of the person who put subscribers in the account settings, it is first and foremost a privacy setting.

Another extremely important setting that is missing from the privacy settings is privacy. To be more precise, who can see who your friends are? Depending upon how you share information with your friends and how they share information, quite a bit can be learned from knowing who your friends are. I’ll show you where to find the settings for Timeline-enabled profiles. First go to your timeline, then just under your banner and picture there are boxes titled “Friends”, “Photos”, “Map”, and “Likes”. Click on friends and it should look something like this…

You won’t see the drop down until you click “Edit” and then the little symbol to the right of “Who can see your full friend list on your timeline”.

If you are lucky and have not had Timeline imposed upon you, then click on your name at the top of the screen, next to “Find Friends” and “Home.” Next, to the right of your profile picture it lists your birthday, where you work, where you went to school, and there’s a link to “Edit Profile”. Click that link and then you can change the audience for who can see your friends as shown below. (You can also search for “edit profile” to get there).

This is potentially a very, very important setting. If you are afraid of someone stalking you, or have blocked someone and want to better limit what they can find out about you, then don’t let the public see who all of your friends are. Someone can potentially see information you don’t want them to see by visiting your friends’ pages logged in as an account other than the one you blocked.

Perhaps I will compile a more comprehensive privacy guide, but it really is problematic as Facebook changes things and doesn’t understand privacy well enough to put the privacy settings in the section titled privacy settings.

Frankly, if I was visiting Mark Zuckerberg’s house and he told me to feel free to help myself to a beer, I’d check the microwave oven and all other nonsensical places first! What if his house is organized like Facebook privacy settings?

Remember, you do not block people on Facebook, you block accounts. The only way to limit what a person can see is to make sure that you limit what the public can see!

If you have any questions on the privacy settings once you have tried to understand them, I am happy to help, but you have to make a real effort to review the information. If you tried and have questions, you can send a comment on the blog. If you don’t want the comment published, be sure to tell me.

©2012 Randy Abrams - Independent Security Analyst

Saturday, April 28, 2012

Spam Nation - Disintegrating Respect One Friend at a Time

Dear reader,

If I or one of your friends referred you to this blog, please do not be offended. The intent is to help you be the kind, considerate person it is believed you intend to be, or to help you help friends who do not realize they have been deceived into spamming others.

If Facebook were a country, with a population of over 840 million users it would be the third largest nation in the world, and Facebook, more than any other nation in the world, has embraced Orwellian doublethink.

In the Facebook doublethink nation, “like” may mean you want to tell a group what idiots they are, but to have a voice in their forum you engage in a practice called “liking” to tell them you hate them. “Like” may mean you want to get something free and if you click a little button that says “like” you will get something free from an organization you don’t even care about. This is like saying you “like” someone you don’t give a damn about to get laid, except if six months of free antivirus is as good as getting laid, you’re doing it wrong, not that lying to get laid is ever right.

“Friend” frequently means “someone you have never met, you have talked to very little, and you know virtually nothing about.” The dictionary definition of friend applies to a small percentage of what Facebook defines as “Friends”. That said, most everyone on Facebook does have some friends who fit the traditional definition and many of these people have become quite rude to their real friends because “Sharing” is doublethink for spamming on Facebook.

Would you consider it kind, friendly, or considerate of me to sign you up for spam that relates to something you have no interest in? Is it fair for me to force you to opt out of something you never expressed any interest in that I didn’t even actively post to your newsfeed? I’m not talking about posting something you disagree with, I am talking about allowing a business to advertise on YOUR newsfeed because I gave them permission to without asking you if that is what you wanted. Fundamentally it is absolutely no different than me signing you up for email spam, except in the rude nation of doublethink called Facebook.

Specifically, this rude behavior is a by-product of the spammy world of Facebook apps. Facebook apps re-wrote the dictionary entries for deception and rudeness.

Let’s take a look at what you agree to and we change the marketing lies and deception into truth and disclosure.

You see where it says “Okay, Watch Video”? That means that you have just agreed to become a spammer on behalf of the company that makes the Viddy app. It means that you agree to let Viddy post any action you take on Facebook, including sharing private messages between you and others.

“This app may post on your behalf, including videos you watched, people you liked and more” means that “and more” is not defined or limited. Facebook may claim they have policies that would prohibit this kind of information sharing abuse, but Facebook’s terms of service are subject to change and Facebook itself has consented to 20 years of government auditing for privacy abuses. The company claiming the rights to post on your behalf has just tricked you into becoming their unpaid spammer and spamming people you call friends. Do you really trust them to do what is right?

Do you really want to tell your friends every video you watch? Do you really think they want to hear about every video you watch? Do you understand it isn’t at all about what you watched, it is all about spamming the name “Viddy” in as many people’s newsfeeds as is possible, and using you as the unpaid spammer.

This activity is not limited to teeny-bopper fads like Viddy. The Washington Post is a major spammer in the Facebook Nation and is all too happy to turn you into a spammer as well.

Now, you see where it says “Who can see posts this app makes for you on your Facebook timeline”? Let’s get rid of the deception. What this means is who are you going to sign up for spam. By default you sign up your friends, relatives, basically all of Facebook for spam when you enable an app that posts “on your behalf”. By the way, it is not on your behalf it is for the sole purpose of selling product and using your Facebook account to spam the world. This is the place where you can choose not to become a spammer and limit the posts to yourself or a selected group of people if you use lists.  Below is a list of the choices. Be kind and change the default. If Facebook had a person with a conscience in charge, the default would always be “only me”, but decency must be an active choice and is never a default.

Don’t be fooled though, if you limit it to just you, it may be temporary. You see, you also agree to the Viddy terms of service which explicitly state that “Any updates, new services or any modifications of an existing service will be governed by the TOS, which may be modified or updated from time to time in our sole discretion. The continued use of the Site or Services following the posting of changes to the TOS constitutes your acceptance to such changes. We strongly encourage you to regularly review this TOS.”

In other words, at any time Viddy can change who they spam back to everyone again.

There are worse apps than the ones that at least let you choose to limit the audience when you sign up. Some of the apps do not offer a choice at sign up. Let’s look at the app “Words with Friends”. Yes, that’s right, the app for those who wish to emulate the self-centered Alec Baldwin. I don’t know if Words with Friends will let you call your 11 year old daughter a “thoughtless little pig”, but it will let you spam your friends. From the screen below, it doesn’t appear that limiting the audience is an option.

For the sleazy apps like Words with Friends and Farmville, you have to go into your app settings after you agree to be a rude spammer and then change into a respectful person by changing the auto-spam settings.

There are thousands of apps on Facebook and many of them start spamming as soon as you start using them. If you have 100 friends, then you have just opted 100 people into spam who then have to learn how to opt out if they happen to figure out that they can get rid of the spam. You clicked once and signed 100 people up for spam without asking them if that is what they wanted.

If you signed up for 10 apps (yes, Angry Birds and Bejeweled are apps) then you have signed each person you call a friend up for 10 spam feeds without asking them if they want that spam. That is 10 separate apps that you have forced people you call friends into having to unsubscribe from to get out of the spam. Their other option is to simply unfriend you or ignore all but “important posts”. Does anybody know how to make a post “important”? Seeing as it is Facebook, I haven’t looked into what makes a post “important”, but it sure as heck isn’t Bejeweled Blitz spam!

So you signed up for an App on Facebook and didn’t quite understand how rude the app provider was going to make you be to your friends. I don’t take it personally, you weren’t intending to be rude or insensitive. My friend, you were played like a violin… too bad the tuba player was the one playing you.

In the computer security industry a zombie is a computer that is infected with a bot. One of the nefarious things that zombie computers do is send spam from the infected computer. In the Facebook Nation, app providers make you into a spambot zombie. For your own security and privacy I recommend turning off ALL Facebook apps, but I will teach you how to cure yourself of the zombie infection and even still be able to use apps if you want to. For those of you who don’t mind looking around a little bit, it’s in your privacy settings under apps and websites. If you happen to be a zombie and are proud of it, please don’t bite off my head.

To begin, go to the upper right portion of your Facebook screen and click the little down arrow by the word “Home” and choose privacy settings.

Next, you are going to choose "Edit Settings" from "Apps and Websites". You may have to scroll down a little to find "Apps and Websites", depending upon your screen.

Now you can click on each app and disable its ability to spam the world all the while abusing your fine name!

If you don’t want the app to ever post anything then click remove where it says “Post on your behalf” in the top section where it says “This app can:”. This really would read “Post on the advertiser’s behalf” if Facebook required honesty in Facebook advertising. If you do want some people to see what the app posts, then do not remove the post on your behalf feature.

Continue to the “Public” button and change that setting to something considerate of your many friends. This is where lists can be handy. Suppose you have a group of friends who play “Words with Friends” and they really do want to know what words you play, then make a list and let the app post status to that list. For most people I think “Only Me” is the correct option.

If you choose custom it appears to allow you to specify people, but I haven’t tested it.

Now you know how to use the apps you want without being a rude zombie spammer and eating your friends!

I would encourage you to share this each time someone allows an app to spam your newsfeed to help them be a kinder, more considerate friend on Facebook.

Copying this blog and even translating it for non-commercial purposes is explicitly allowed IF you let me know where it is being posted and how to contact you. You can leave a comment as I moderate all comments and I won’t publish notes directed to me with personal information.

Commercial organizations wishing to republish this blog must make arrangements with me.

Randy Abrams
Independent Security Analyst
© 2012

Tuesday, April 24, 2012

Asking for a Facebook Password – Malice, Ignorance, or Incompetence?

Recently some governments and businesses have gone the extra mile to distance themselves from the decent and intelligent members of their communities. The growing practice of asking employees or potential employees for their social networking account passwords is being embraced by the ignorant, incompetent, and the malicious at such a rate that laws banning the practice are becoming a necessity. The legislature of Maryland recently became the first state legislature to approve such legislation and Michigan doesn’t appear to be far behind.

Aside from the obvious fact that it is an affront to anyone who ever fought for any country to protect and preserve freedom, there are several reasons why only an incompetent or ignorant business (or government agency) would engage in such a practice.

Legal Liability

At least in the United States, there are some questions that an employer does not ask a potential employee. There are laws against discriminating against people who are members of certain groups. In most cases, asking a potential employee’s age is not allowed. Asking a person’s sexual orientation or religious beliefs is generally not allowed. By accessing a person’s Facebook account an employer may see information that the employee or potential employee can claim was used to discriminate against them. The employer who asks for a Facebook password lacks the intellect to seek legal advice before doing so, has incredibly poor legal advisers, or lacks the wisdom to accept competent advice.

Security Implications

As I have often written about before, there are two types of people who ask you for your password… thieves and idiots ( The reason for this advice is that it is a really bad practice to give out your password to anyone. The employer who asks someone to share their password is encouraging truly horrendous security practices within their organization. The employer who requires a Facebook password also requires that employees be less than competent at security. You might want to carefully consider doing business with another business that engages in such practices as they lack the basic knowledge of security required to keep confidential dealings with you or your business confidential. The core of the company’s culture is the least intelligent security practices. The employer who asks for passwords for personal accounts failed to ask their head of IT for advice, or has an incredibly inept IT “expert”, or simply ignores good advice.

Character Implications

Facebook, Google, and virtually all online services have user agreements that explicitly state that the user agrees not to share their password with anyone. The employer who requires employees or potential employees to share their password is the employer who categorically rejects any employee that keeps their word. The core of that organization’s ethical culture is dishonesty. The employee who stands by their legal agreements is deemed to be unfit for employment. Does this sound like an organization you want to do business with?

Social Implications

The organization that asks for the password to social networking or email accounts is an organization that thumbs its nose at the heroes of its country. This is the organization that tells the family members of soldiers who have died fighting to protect freedoms that it truly does not appreciate the sacrifice and that their lives were wasted fighting for principles that the organization holds as worthless. These are the employers who would tell today’s soldiers that their sacrifices are completely unappreciated.

The Tiny Intellect

One of my all-time favorite sayings is “If you only see one solution, you probably do not understand the problem”. The employer who asks for passwords does not understand much at all. Unless the goal is to violate privacy, there are other ways to approach the problem that the employer is trying to solve using the least intelligent solution.

The Dumbest Argument of All

This is the one that sets the ignorant apart from the truly, pathologically stupid. The argument is… “If you have nothing to hide then it isn’t a problem”. This argument assumes that failing to abide by an agreement isn’t a problem, but it also demonstrates extreme short-sightedness in another area. Although I may not have anything to hide, it does not mean that I am acting morally, ethically, or even just plain decently by showing emails and messages that others may have sent to me in confidence. While Facebook may arguably not be a great place to send a confidential message to someone, people do share private information and trust that the person they share it with will respect their privacy. The argument “If you have nothing to hide then it isn’t a problem” completely ignores the very real fact that the employee or potential employee has agreed not to share someone else’s information.

Thieves and Idiots

It may be that the employer asking for the password isn’t a thief… I can buy that. It may be that the person isn’t an idiot, but if they are neither a thief nor an idiot, they are so painfully ignorant that it isn’t safe to give them your password and you certainly don’t want to do business with companies where such gross ignorance is embraced by management. In the case of city officials engaging in this behavior, it is a danger to society to have such civically irresponsible people in positions of authority.

Randy Abrams
Independent Security Analyst

© 2012