Sunday, June 10, 2012

Facebook Lists – The Respectful Way to Use Apps

Back in April I posted Spam Nation - Disintegrating Respect One Friend at a Time in an attempt to help people reduce Facebook spam and treat one another with more respect. Some people “got it” and made changes to their app settings, but other people, people I like and respect, are still spamming their friends with notices about Bejeweled Blitz, videos they saw on SocialCam or Vimmy, stories they read on the Washington Post Social Reader, or what song they are listening to on whatever music spamming app they use.

I wondered why these normally polite people were still allowing their apps to spam all of their friends and I came up with three possible answers. It’s possible they didn’t understand the post. I try to make these things as understandable to as wide an audience as I can, but individuals often learn differently and maybe for some I wasn’t really clear. If that’s the case, please let me know so I can be a better educator. The second reason, and the one I think is probably the least likely, is that they really don’t care who they spam about what. I don’t think that most of my friends are like that though. The third reason, and the one I suspect is the most common one, is that they have friends that they want to share this stuff with and that they want to see. If I’m playing Words with Friends, I might want to know what other friends who play are doing too.

If you are one of those friends, or a friend of yours referred you here and this is true for you, then today I will teach you how to share with your friends who want to know while respecting the rest of your friends enough to not let your apps spam them.

The little trick here is something called lists. Of course there isn’t a link on your home page called “lists”, but it’s easy to make one. Once you make a list you can tell the apps to only send notifications to that list. This is really easy and here is how you do it!

On the left side of your newsfeed you have a grouping called “Friends”. If you hold your mouse over the word “FRIENDS” then on the right you see the word “MORE”. If this step isn’t working for you, ask me for help!

When you click on “MORE” you will see a screen like the one below, only it is probably longer. See at the top where it says “Create List”? Click that!

Now you get to the Create New List screen. Choose a name for your list and then start typing in the names of the friends you want to be on your list. As soon as you have a letter or two the friend’s name and icon will appear.

See (below) how I only had to type in two letters to get a list of friends whose names start with those two letters? I just click on the friend and move on to the next friend. It is really fast and easy.

Now when you go to add an app, notice the part that says “Who can see posts this app makes for you on your timeline”. This really should say “Control whose newsfeed we are going to spam”. In the picture below, see where I have circled “FRIENDS” in red? That is where you select who the app talks to.

Many apps default to everyone or friends. I’m going to change this to my new list that I titled “App Lovers Anonymous”.

Now all the app chatter is seen only by the people I put on my “App Lovers Anonymous” list, and not in the news feed of my friends who couldn’t care less if I play Bejeweled or not.

We aren’t quite done yet. There is still the issue of the apps you already installed. It’s time to fix their spammy behavior problem!

Go to that little down arrow by the word “Home” in the upper right corner of your screen and choose “Account Settings”.

The next thing is to click on “APPS”.
On the right you will see a list of your installed apps.

Next to each app click the “Edit” link. You have to do this step for each individual app.

Now you see in the lower corner where this app is set to spam "Everyone"? I’m going to click on “Everyone” and change it to my new list “App Lovers Anonymous”.

Repeat this step for each app and now you will share with those who want the information and stop spamming the rest of the world!

Seriously, these apps don’t post all that stuff to save you the effort, they post to your timeline because it is free spam-vertising. These App publishers know that they can leverage you to spam all of your connections if you don’t limit their audience by choice. Please be considerate of your friends and only share the app messages with those who want to know it. Most of your friends probably don’t want to know what video you just watched, what songs you listen to all day, or what game you have been playing.

You can create separate lists for music, games, videos and social readers, or put them all in one or two lists. You really can share with your gaming buddies and stop annoying the rest of your friends!!!

If you want to use lists and I haven’t explained this well enough, leave me a comment here or contact me at Facebook and I will happily assist you!!!

Remember, it’s up to all of us to make Facebook a kinder, more respectful place by reducing the unwanted spam we can control! Share this with those who need the information, and use the information if you use apps!

Special thanks to my awesome friends Anders Nillson, Christina Ho, Kenneth Bechtel, Lisa Wolfenbarger-Wagner, Larry Bridwell, Mary Donovan, Natalie Moreno, and my sister (If I say awesome sister she’ll report to the FBI, again, that my identity was stolen by an imposter) for allowing me to use them as research guinea pigs for this article. I learned that you can’t use a group for app notifications; it has to be a list. Also, if you name a group “App Lovers Anonymous” Facebook will tell your friends that you added them to a group called “Lovers Anonymous”.

You may republish, or translate and republish this specific blog posting at no cost as long as you don't charge others for it. It would also be nice if you let me know if you republish. Thanks!

©2012 Randy Abrams - Independent Security Analyst

Wednesday, June 6, 2012

Dumb, Dumb, and Dumber

LinkedIn recently had a bit of a security problem that allowed people to access about 6 million user passwords. Actually they were unsalted hashes of passwords and that is technically different, but effectively about the same in this case. That was dumb. The password hashes should have been salted.

For the non-technical user a password “hash” is a code that the password is translated to. If I know the code I can figure out any coded password from the “hash”. A process called “salting” adds randomness to the hash, so knowing the code doesn’t let me crack all of the passwords from the hash.
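An added example (not part of the original post) showing what salting changes in a stored password table. The account names and passwords are constructed, SHA-1 stands in for the unsalted hash because the post names no algorithm, and PBKDF2 is one common salted scheme chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}
ITERATIONS = 100_000  # assumed work factor for the illustration


def unsalted(password):
    """Fast, unsalted hash: the same password always gives the same value."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted(password, salt=None):
    """Per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted(password, salt)[1], expected)


def accounts_matching(store, one_hash):
    """Accounts whose stored value equals a single precomputed hash."""
    return sorted(user for user, value in store.items() if value == one_hash)


def demo():
    weak = {user: unsalted(pw) for user, pw in USERS.items()}
    strong = {user: salted(pw) for user, pw in USERS.items()}
    # Unsalted: one computed hash of one guess matches every account using it.
    hit = accounts_matching(weak, unsalted("correct horse"))
    # Salted: alice and bob share a password, yet their stored values differ,
    # so each account has to be worked on separately.
    distinct = strong["alice"][1] != strong["bob"][1]
    # The legitimate login check still works with the stored salt.
    login_ok = verify("correct horse", *strong["alice"])
    return hit, distinct, login_ok


if __name__ == "__main__":
    print(demo())
```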

On to the next “Dumb”. As an attempted “Public Service” Mr. Chris Shiflett put up the website so that users can check to see if their password was one of the ones that was compromised. In order to do this you have to type in your LinkedIn password. Sorry, but despite good intents by Mr. Shiflett, this is a dumb idea. You should never type your LinkedIn password anywhere other than at LinkedIn. If you are concerned that your password may have been one that was compromised, it is time to change it.

Now for the dumber… the site is not using SSL, or in other words it does not start with https. When you go to a website that starts with http nothing is encrypted. If you use public Wi-Fi then all of your data can be captured (unless WPA2 encryption is used). For this reason any reasonable web site that asks for a password uses https (encrypted) for at least the part where you send your password. LeakedIn uses http and that is really bad.

So, LinkedIn failing to use best practices when storing passwords was dumb. Asking users to type in their LinkedIn password anywhere other than at LinkedIn is dumb. Asking a user to type in their password on a non-SSL site is even dumber!

For the more technical users who have looked at the code on the web site, yes it is the hash and not the password that is returned to the site, but the problem LinkedIn has is that the unsalted hashes were leaked and LeakedIn is having users send their unsalted password hashes in plaintext across the web.

©2012 Randy Abrams - Independent Security Analyst