February 23, 2012

Carrier IQ: The Spy In The Machine

Software that tracks each key you press on your smartphone is installed on millions of mobile devices, including Android, Nokia, RIM and older Apple devices. The software, called Carrier IQ, records everything from keystrokes to web history and text messages, then sends the information back to your carrier. It cannot be uninstalled and may very well be in violation of Federal wiretap laws.

The information gathered is presumably anonymous and is used to determine when and where calls drop, when programs crash and how we use our phones. Carrier IQ is considered a diagnostic tool for companies to figure out how to make your phone better, but many consider it a breach of privacy.

Former Justice Department prosecutor Paul Ohm told Forbes, “Because this happens with text messages as they’re being sent, a quintessentially streaming form of communication, it seems like exactly the kind of thing the wiretap act is meant to prevent.” He goes on to say, “When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers.”

Sounds pretty ominous. Is it? According to InformationWeek.com, Carrier IQ has responded to the accusations saying: “Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools.”

Contrary to Carrier IQ’s assertion, a video by IT systems administrator Trevor Eckhart shows how the software tracks your usage. It quickly made its way around the internet, reigniting privacy concerns about Carrier IQ.

So, it should be no surprise that the U.S. Senate is demanding answers from Carrier IQ. Senator Al Franken (D-Minn.) has asked the company to explain exactly what they record, who they give the information to, and how consumers can stop it.

When asked, Apple responded by saying that it has abandoned using Carrier IQ with the upgrade to the iOS 5 operating system. The company also plans on releasing a software update that will remove Carrier IQ from all of its mobile devices.

Gee, I feel safer and less violated already. Sadly, it is currently unknown exactly what information is being transmitted to wireless carriers and manufacturers. AT&T and Sprint acknowledged that they use the software, but don’t collect any personal information. According to MSNBC, AT&T stated that it only uses Carrier IQ’s software to “improve wireless network and service performance.” Sprint stated that the software is used to “… analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.”

That’s nice. On the other side of the river, Verizon said that Carrier IQ is not installed on any of its devices and it doesn’t use any of the program’s data. And both Nokia and RIM insist that they don’t ship their phones with the software pre-installed.

So what’s the bottom line? Ultimately, Carrier IQ is diagnostic software used by many companies to track how their phones and networks perform. While customers don’t have many options to stop the data collection from happening, chances are that it isn’t being used perniciously. But, in our sensationalistic, sound bite, social mediated world … you’ll have to judge for yourself.

What We Can Learn From Leiby Kletzky’s Death

At almost nine years old, Leiby Kletzky was flexing his muscle. He wanted to walk home by himself. His father practiced the route with him and, on a fateful day in July, it was agreed that his mother would meet him halfway.

As you know, the plan went terribly wrong. Leiby got confused, made a wrong turn and ended up in the hands of a killer. My heart goes out to his family and loved ones. This is so profoundly sad.

After the story unfolded and the killer was caught, people started asking me how technology could be used to prevent this from ever happening again. Are there GPS tracking devices? What if there were more surveillance cameras? What if Leiby had a smartphone?

I cannot make any sense out of Leiby’s death; I don’t even want to try. And, I certainly do not want to second guess his parents or play “what if.” However, I would like to answer some of the questions I’ve been asked.

First, I am a father of three and a grandfather of two and I can tell you, without hesitation, that nothing I am going to discuss here can be used as a substitute for astute parenting. This is so important; I’m going to say it again. The tools I am going to talk about may actually put your kids closer to harm’s way. Why? Because they work so well, you may use them as a “crutch.” Do not rely on technology to safeguard your kids – that’s your job!

That said, it’s time to lobby Mayor Bloomberg and get him to lift the cellphone/smartphone ban for school kids. I truly understand the downside of putting a device of this power in the pocket of a kid at school. Some will say it’s a really bad idea. I say, let’s get the Board of Ed to work with Apple, Google, Microsoft, HP and Nokia and start incorporating smartphones into the schoolwork. It will make classes seem more relevant to digital natives (kids born after 1989 whose world has always been completely digital) and it will add a layer of 21st century safety tools to school security. Yes, kids will lose their devices or have them stolen. Yes, this will cause a remarkable amount of grief for everyone involved. Yes, it will take time for the bureaucracy to learn to deal with the tech. Of course, we’re going to hear Sturm und Drang about haves and have-nots, and cost. However, if one life is saved, it will all be worth it.

A free app like Google Latitude would have given Leiby’s parents his approximate location. No need for him to make a call. Loci or InstaMapper would have been even more accurate.

My three-year-old granddaughter has a pretty good handle on her iPad; she will be FaceTiming me by herself in the next couple of months. Making a call will be old school to her by the time she’s nine.

Even an old-fashioned feature phone (like a flip phone) can be easily programmed for one-touch speed-dialing. Press one for Mom, two for Dad, etc. Super easy – super safe.

Really don’t want a phone? Try “Little Buddy Child Tracker.” For about $50 on Amazon, you can put this jump-drive-sized device on a necklace, in your kid’s pocket or backpack and you will always know exactly where they are.

What about “Leiby’s Initiative,” the new tax credit proposed by Brooklyn lawmakers? The goal is to help subsidize more surveillance cameras in NYS by offering a tax credit for installing and maintaining a camera. Awesome!!! It would be great if these cameras were digital and all fed into a central database that had face recognition software available to it, but that’s for another column.

All in all, there are plenty of tools we could deploy to technologically empower us to track our kids. Many of them are relatively inexpensive and excellent. Use them or don’t use them, but remember – no tool can ever replace common sense or good parenting. Technology usually breaks at the worst possible moment – street smarts tend to work all the time.

Guarding Borders With Social Listening Posts

There was an interesting article on the AP this week entitled, “Israel blocks airborne protest, questions dozens.” It described how Israeli security used social media sites to compile a “blacklist” of undesirable individuals and then prevented many of them from entering the country. It’s a good read if you’re interested in Palestinian/Israeli politics. I have no plans to discuss that here. What interests me is the ease with which they assembled the data, identified the people and literally stopped them at the border. Social listening posts have come a long way in a very short time and, although you may not agree with the politics, it’s a very cool use of the technology. That said, is it “Big Brother-ish?” Yep. Is it data-driven police work? Yep. Is it legal? Should it be?

Then there’s MORIS, the Mobile Offender and Identification System by BI2 Technologies, LLC. Sean Mullin, CEO of the Plymouth, MA firm says that his software can identify a person via facial recognition, iris recognition or fingerprint recognition using an iPhone App. Police nationwide are testing this technology. Is it “Big Brother-ish?” Yep. Is it data-driven police work? Yep. Is it legal? Should it be?

How does it work? SIFT (Scale-invariant feature transform) files have been around since 1999. SIFT is a very popular computer vision algorithm first published by David Lowe. Depending upon the quality of the data, a system that uses SIFT files for 2D and 3D object recognition can be very accurate. Clever programmers have written incredibly efficient, scalable Apps that use SIFT files to identify everything from logos to landmarks, and fingerprints to retina scans. In fact, if a digital camera can see it, there’s a very good chance that a computer can be programmed to recognize it.

So, once again, we find that our technology is way ahead of our laws, and even our strategies for the doing of life. If my iPhone can identify people with criminal records, shouldn’t it do so before I tag and friend them on Facebook? If someone is a registered sex offender (and they are in the photo of my kid’s birthday party that I just posted on Flickr) shouldn’t the system tell me?

Of course, recognition software by itself doesn’t do anything. You need a database of images and metadata (the data that describes the images) to compare to the image you want recognized. Who is the keeper of that database? Who has pictures of bad guys? Who decides who the bad guys are? How is that database going to be protected? If you accidentally end up in the bad guy database, how do you get out?

I don’t have good answers for any of those questions. But they need to be asked.

In a world where identity theft is a front and center issue, I am having fun imagining the kind of insanity that will ensue as hackers add “good” people to the “bad” people database. And, it doesn’t take much to imagine several nightmare scenarios for people caught on the wrong side of this technology.

As we transition from the industrial age to the information age, we are going to be faced with these kinds of choices quite often. In fact, since the rate of technological advancement is accelerating exponentially, these legal, moral and societal issues will come faster and faster and we will just have to learn to deal with them.

There are legitimate concerns about privacy, illegal search and seizure, and the constitutionality of the application of some of these advanced search tactics. There is also a valid argument that says, “Technology is inherently neither good, nor bad.” You’ve heard it put a different way, “guns don’t kill people, people kill people.” Ahh … if life were only that simple.

What to do? Well, I know that most of our elected officials are busy arguing about the debt ceiling, but jot your Senator or Congressman a note or email or, just tag a picture of them on your Facebook profile and put the message in the caption or on your wall … they’re sure to see it there.

Zen in the Art of Digital Privacy

First, apologies to Eugen Herrigel, this article is in no way a reference to his exceptional book, Zen in the Art of Archery. I am not a Zen Buddhist (neither was he) and this is not an exploration of a particular religious teaching. It is, however, a request for us to look at privacy through a Zen-like lens. For those who are more comfortable with Western religious references, we now need King Solomon-like wisdom to help us navigate the complex problems associated with privacy in the Information Age. And, as with King Solomon’s dilemma, there is no way to, “cut the baby in half” and have anything of value survive.

To continue with imperfect metaphors, you can’t be “a little pregnant” or “a little dead.” Information simply can’t be, “a little private.”

Is there a reasonable expectation of privacy in the 21st Century? No. Is there any hope of online privacy? No. Is there any way to guarantee that anything we do is private? No. In the Information Age it is almost impossible to transact business or “do life” in private.

Before we get too crazy, it is important to define privacy: “The state or condition of being free from being observed or disturbed by other people.” This is very specific. Can an electronic funds transfer be private? Can it be anonymous? No and no. A cash transaction can be private. You simply meet in a dark alley and do your business. Is there an electronic equivalent? No.

So, what is online privacy? Or, to broaden the question appropriately, “What is Information Age privacy?”

We, as a society, are going to have to struggle to answer this question to the satisfaction of the majority. It is going to be hard.

Can information published be private? In 20th century terms the question is an oxymoron. In the 21st century there are people who are standing on soap boxes screaming at the top of their lungs that a Facebook post should come with a certain amount of privacy protection. If you publish information to a universe of 2 billion broadband-connected computers and 4 billion cell, feature and smart phones, why would you expect it to be private?

Many will push back right now and say, “Hey stupid, we’re talking about people and organizations taking our information without our knowledge and using it for their own purposes without our permission!” So, you want a “little privacy” because you certainly were happy to post your info for a large group to see. Would you want to control the group you published your information to? Maybe treat a Facebook post like a confidential report that is marked “confidential” and only distributed to a certain, select, group of executives?

Here’s where Zen in the Art of Digital Privacy comes in. We must, as a society, become masters of the media we publish. Our credit card transactions may be private, but they are not anonymous. Someone at the financial institution knows exactly who we are, who we are dealing with and the amount of the transaction. If they make that information public, is it a crime? They give it to the credit reporting companies. Should that be allowed?

If you use your EZ-Pass to pay for a toll at point A and you arrive at the EZ-Pass toll booth 70 miles away 40 minutes later, it is easy to calculate that you were speeding. Is that a violation of your privacy? If you Tweet that your doctor says you “may need bypass surgery if your stent doesn’t hold your artery open,” and your medical insurance company scrapes the Twitter feed and denies you coverage, is that a violation of your privacy? If someone took a digitized copy of the white pages and published your address and phone number online, is that a violation of your privacy? If, if, if …

Obviously, this game of “what if” can go on forever. And, I’m sure it will. We need to study and learn the discipline of living in a digital world. It is different and new and exciting and dangerous and decidedly un-private. How? First, pretend you’re a movie star and that everything you do is being watched. (It is: every key click, every remote control click, every online behavior, all of it.) Assume that the paparazzi are waiting for you everywhere you go. (Security cameras are.) Assume that you should never write anything you don’t want incorporated into the permanent body of knowledge of mankind and never, ever txt, tweet or email anything that is not for public consumption. As for voicemail, assume it is a digital audio recording on a remote server and you have given permission to the recipient to distribute this file like it was a hit song on BitTorrent.

Can we live with this level of personal privacy vigilance? Should we have to? Isn’t it the role of government and law enforcement to protect us so we don’t have to do all of this ourselves? I don’t think so. That’s sort of like relying on the government to warn you about obvious stuff like, making sure toddlers don’t play with small, bite-sized, plastic toys, or content warnings on videos, or the little notice on cigarette packages that tells you it may not be a good idea to suck smoke into your lungs, etc.

We now have an Office of Privacy Policy, a couple of bills about online privacy and a bunch of examples of serious security breaches in the news. But this issue is not going away. It’s going to be news for years. When will we get it right? When we find the Zen balances between personal and public, anonymous and private, open and closed. Of course there’s never a Zen Master around when you really need one.

Apple is Tracking iPhone and iPad Users: FUD Times!

Restless leg syndrome, Vacuums that lose suction, Iraqi Weapons of Mass Destruction and most recently, Apple knows where you are and where you’ve been! It’s all FUD-mongering. (FUD is an acronym for fear, uncertainty and doubt.) And Apple has inspired a huge FUD cycle. It’s not surprising. People are always looking for things to be scared of. But this shouldn’t be one of them.

We’ll get into a non-technical description of what Apple is actually doing in a second. But before we do, let’s try to understand data-driven advertising and its close cousin, the location-based app. In order for a location-based app to use your location to help you achieve your goals (e.g., finding a restaurant, movie theater, gas station, weather report, local time, etc.) it needs to know your location. This is accomplished in many ways, such as triangulation from cell towers or use of a special GPS chip inside the device. It is important to understand that knowing your precise location at a given moment is not something that a computer can use very well. It needs to store the data in a database so that it can access it when it is required. How many locations and times should be stored? Well, it depends upon what kind of application you are running and what job it is trying to do. Is your current location and five previous locations enough? Should it be 10? How about everywhere you’ve ever been with the device?

Let’s move on. What other information might a location-based app use to deliver an emotionally satisfying result? User preferences? Past behaviors? Credit card balance? Available debit card balance? Time left on your auto lease? Where you parked your car? How many times you checked into a location on Foursquare? How many times you Tweeted from the vicinity? Etc, etc, etc.

When you combine hyper-personal information with location, you get a wonderful opportunity to customize applications and user experiences. When you store this information and learn from it, you get an even better opportunity to improve the user experience and add value. This is the only goal of location-based apps and data-driven advertising.

Can the information be used in a malicious way? Yes. But it is really, really hard to do. And, it requires a very motivated malicious individual or organization to do it.

Can this information be used for good? Absolutely. And, it almost always is.

Just for the record, Apple is not tracking you. Your iPhone and iPad (assuming they are 3G enabled and running iOS 4) have been keeping a time-stamped record of where you have been neatly tucked away in a file. It is not being shared with Apple or anyone else. And, BTW, you are asked if you would like this information to be made available to your apps every time you run them. So, let’s not get crazy. Apple (and almost every app maker) knows they are being watched by “big brother” watchers and they take privacy very seriously.

Can someone steal this data, or just look at it? 1) Not without a fair bit of computer expertise. 2) Not without the password to your computer. Wait, you don’t password protect your computer? Stop complaining about this issue; actually, stop talking about it altogether. If you don’t have a strong password protecting your computer and your smart phone, you do not have standing to comment on this subject.

Should people who take reasonable precautions to protect their digital lives be worried? No. Not unless a court of competent jurisdiction has subpoena power to seize your personal property as evidence. If so, then by all means, panic. Otherwise, take a deep breath and a step back and remember, we are living in a digital world where there is no reasonable expectation of privacy.

Phone companies keep track of every call you make and wireless carriers store every call, every txt message and your location at all times. This is not new and it’s not a secret. The only difference between what Apple and the phone companies are doing is that Apple is storing your information on your devices and the carriers store your information on their devices. Can the info be accessed? Third parties would need a subpoena in both cases. Where is it safer? It is equally safe in both places.

But these two guys from the UK just made an app that shows where I’ve been! Yep, they did. Not a bad piece of programming. Since your computer and your iPhone and your iPad are password protected, so is your data. Want to do more? In iTunes, click your device’s icon (iPhone or iPad) and enable “Encrypt iPhone/iPad backup.” That pretty much covers it.

But what about the bigger question of privacy? Should Apple be collecting this data in the first place? I like this question. It’s “the” question of the 21st century. Are we willing to accept the benefits of location-based services at the cost of our privacy? As I just said, in the 21st century, there is no reasonable expectation of privacy. If you’re below the socio-techno divide (under age 40) you are less likely to care about this kind of privacy issue, and you are probably already learning to trust the benign reality of our technocracy. If you’re over the age of 40, there’s a very good chance that this issue really bothers you and you are going to (for personal reasons) be a FUD-monger about it.

I don’t mean to downplay best practices and good digital citizenship. I believe that the biggest tech companies, advertisers and media companies have a duty to get out ahead of this and stay there. Data collection and data mining are already big business and, as we become more digitally dependent, it is going to get even bigger.

But remember, you leave an electronic trail with everything you do. Security cameras see you every day. EZ Pass knows how fast you drive. Banks know everything about your finances. Several organizations have your social security number. Credit card companies know what you purchase, when you purchase it, and exactly where you purchase it, which by the way, provides a much better picture of your intentions than anything Apple is doing.

What’s going to happen? Privacy online and offline is going to be the biggest bipartisan campaign issue. Everyone hates the idea of “big brother” and Facebook, Google, Apple, Microsoft and the other tech giants are big, easy targets. You know how to get votes: spread FUD. But this issue is not new. As David Pogue said, “Yes, Big Brother is watching you. But he’s been watching you for years, well before the iPhone log came to light, and in many more ways than you suspect. And you know what? I’ll bet he’s bored to tears.”

Shelly Palmer


    Weapons of Digital Destruction

    I’ve just finished reading an article by Mark Clayton in the Christian Science Monitor entitled, Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant? In the article, Mr. Clayton says that cyber security experts have identified a sophisticated “cyber worm” designed to attack and destroy a physical, real-world target, like a factory or nuclear power plant.

    The worm, named Stuxnet, was discovered in June and has been closely followed since. One expert believes that Stuxnet may be responsible for the attack on Iran’s Bushehr nuclear power plant. I wrote an article back in February entitled, Cyber-Terrorism vs. Cyber-Warfare: Defending The United Networks of America which predicts this … perhaps it’s time for a quick re-read. So here it is:

    Seven-year-old Mark Fielding looked up from his computer. He was very annoyed. “Mommmm!” He yelled in a way that was sure to get her attention. “The Internet is down again.” It was the last thing she heard before the lights went off. Mark turned on his iPod touch and opened a blank Safari window to use as a flashlight. He found his mother by the front door. She was looking out on a darkened landscape. Neither of them had any idea just how dark it truly was.

    Ten minutes earlier, a remarkably powerful computer virus had destroyed six of America’s most important data centers. Five minutes earlier, a different piece of code killed every caching server on the three biggest CDNs. At Zero Hour, the attack culminated in the computer-controlled destruction of the entire power grid in North America. It would take days to fix, months to fully repair and the cost would be measured in Trillions, not Billions.

    America’s days as an economic super-power had ended. All the financial data at the IRS was destroyed; six of America’s major financial institutions could not access their records. No one could find a digitized medical record in any database with proper metadata (the data that describes data). With our data destroyed … our economy ceased to be. The breakdown of social services was immediate and devastating. The doing of life would never be the same. America, as we knew it, was gone.

    Who did this? The Chinese? The Russians? Religious Extremists? No. It was a small group of unaffiliated, highly motivated computer hackers. Who did they work for? Anyone. Who paid them? No one. Why did they do it? Because they could. What was their punishment? Sadly, they were never found.

    What an emotionally unsatisfying way to end a great science fiction story. No enemy? No villain? No narrative? Try selling it to Hollywood. What bad writing!

    Perhaps, but this is not science fiction; this is a very real probable future for The United Networks of America. Which is where we all live right now!

    Most people interface with The United Networks of America through the world wide web. However, you can also gain access through your wireless phone or over the public Internet. You may think of the Net as Google, Yahoo, eBay, Amazon or CNN.com, but there are literally millions of private, local area and wide area networks that all have access points on Al Gore’s information superhighway. These networks contain all of the information that describes us. I called it Metamerica in an article I wrote last year. Metadata is data that describes other data, and Metamerica is the information that describes us.

    If you need a good way to think about metadata and data, consider this. What use are the data on your iPod without a directory to tell you what songs the data represents? Let’s say you have 10,000 songs on your iPod; without the directory of songs (the metadata) the data (your music files) are practically useless. In the information age, America without Metamerica would also be practically useless. Where is Metamerica? It is in the data centers at Google, the IRS, our banks and financial institutions, medical facilities, business networks and even on our home computers. And, for all practical purposes, it is unprotected and unprotectable.

    This fact alone should be enough to scare any thinking person. But I have not yet begun to describe the hard part of the problems we are facing.

    What is a war? The dictionary says it’s an “armed conflict between nations.” The dictionary does not say what they have to be armed with. What is terrorism? What is a crime?

    In the Information Age, what is a country? What is a state? What is a nation? What is a tribe? What is a community of interest? What is an enemy? Where do they live? Do they need to be people?

    What are weapons? What are military targets? What are civilian targets?

    The US Defense Department’s Quadrennial Defense Review, published this week, highlighted the rising threat posed by cyber-warfare on space-based surveillance and communications systems. “On any given day, there are as many as 7 million DoD (Department of Defense) computers and telecommunications tools in use in 88 countries using thousands of war-fighting and support applications. The number of potential vulnerabilities, therefore, is staggering,” the review said.

    “Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favor the offence. This advantage is growing as hacker tools become cheaper and easier to employ by adversaries whose skills are growing in sophistication.”

    Defensive measures have already begun. Last June the Pentagon created US Cyber Command. But … how will we know when we are being attacked by a country, an enemy, a terrorist, a criminal, a mob, a gang, an individual? When would the military know it was supposed to get into the fight? CIA? NSA? FBI? Google Security? A consortium of concerned citizens with anti-virus software on steroids? How can you tell an invasion from a teen-age prank?

    William Lynn, US deputy defense secretary, described the cyber challenge as unprecedented. “Once the province of nations, the ability to destroy via cyber now also rests in the hands of small groups and individuals: from terrorist groups to organized crime, hackers to industrial spies to foreign intelligence services … This is not some future threat. The cyber threat is here today, it is here now,” Lynn said.

    I spend a fair amount of my time counseling my clients on how to deal with the fact that 2010 is the middle of the analog to digital transition. Today, we have analog leaders and digital citizens. Analog commanders and digital soldiers. If the pen is mightier than the sword, the “digital pen” is mightier than a million ball points! Forget the threat of cyber-attacks for a second and think about how an enemy might use the power of social networking and the ability to instantly publish any type of message globally to their advantage.

    It’s time to rethink the public Internet, computer networks and the infrastructure of our digital world. The currency of information is as important and valuable to our economic sovereignty as tangible stores of value. Bits of gold dust or bits of information … in the super-digital age, they deserve equal protection.


      Cloud Life Chronicles Part 2: Audrina, The Facebook Ninja

      In our last episode, Debbie’s Facebook account had been hijacked. She would receive random notes from her friends telling her that they suspected that her account had been hacked, but everything looked fine. Then, the cybercriminal opened a chat to me from her account typing, “… still stuck in London.” Since, at that very moment, Debbie was standing next to me, it was pretty obvious we had a problem.

      We immediately walked over to Debbie’s computer, to find her Facebook account gone. Had the hackers actually stolen her entire account? Within seconds, she received a “real world” email that looked like it was from Facebook. It said:

      Hi Debbie,

      Our systems indicate that your Facebook account has been compromised by cybercriminals attempting to impersonate you. These criminals often will try to trick your friends into sending them money by claiming that you are stuck in a far away location and need assistance. It is possible that your email account was compromised as well. As such, we have sent this email to all email accounts recently associated with your account. Obtaining access to a victim’s email is one of the primary ways these cybercriminals have been operating. Please change the passwords to any email addresses associated with your account.

      There was some additional information in the email with links to webpages that were not helpful without access to Debbie’s account. Curiously, the email ended with this request:

      In order to regain control of your Facebook account reply to this email with the answer to your security question: What was the name of your first pet?

      Thanks,
      Audrina
      User Operations

      You want me to email you what? Is it not the first rule of Internet security that you never email anyone personal information about an account? Why would a real security person ask for this in an email? They should have pointed us to a link inside of Facebook where Debbie could enter the information directly into her profile. How could this email be from Facebook Security?

      Erring on the side of caution, we replied to the email as follows:

      Facebook team,

      This is from a person I believe is posing as a member of your security team. She’s asking for me to answer a security question that I’m not going to answer. I believe this is the same person who hacked into my Facebook acct. I have not heard from anyone at FB since the first email. I cannot log onto or even get onto FB at this point.

      I’d like to know why I’m being targeted twice and what you’re going to do about this?

      Best,
      Debbie Palmer

      A couple of days later Debbie received the following:

      Hi Debbie,

      You do not need access to your Facebook account to contact us. We have suspended the account until we can prove ownership. I understand that you are skeptical of our correspondence, but please be assured that you are dealing with a legitimate Facebook representative. If you would like us to reevaluate the status of your account, please reply with the requested information. We appreciate your cooperation.

      Thanks,
      Audrina
      User Operations
      Facebook

      Audrina’s email address is “abuse+njjntt1@facebook.com”; we dubbed her The Facebook Ninja.

      Over the course of the following week, after a draft copy of Cloud Life Chronicles Part I started circulating around the blogosphere, Debbie was contacted by a different Facebook staffer (who asked her to pick a new security question and give the answer — all using email). It was impossible to tell who was a hacker and who worked for Facebook. The email headers were cryptic; the email address had a “plus” sign in it (not an illegal character, but highly unusual).
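An added example, not part of the original article: one way a recipient's tooling can read the "cryptic" headers, separating the "+" tag (ordinary subaddressing) from the mailbox and checking whether the receiving server recorded a DMARC pass for the From domain. The two messages are constructed samples, and `mx.example.net` is a hypothetical receiving server assumed to strip forged copies of its own stamp.

```python
import email
from email.utils import parseaddr

# Hypothetical receiving server whose Authentication-Results stamp we trust.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed sample: authenticated mail from the claimed domain.
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebook.com;
 dkim=pass header.d=facebook.com; dmarc=pass header.from=facebook.com
From: Audrina <abuse+njjntt1@facebook.com>
To: debbie@example.org
Subject: Your account

Hi Debbie,
"""

# Constructed sample: same visible From, failed checks, plus a forged stamp.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=facebook.com;
 dkim=none; dmarc=fail header.from=facebook.com
Authentication-Results: attacker.invalid; dmarc=pass header.from=facebook.com
From: Audrina <abuse+njjntt1@facebook.com>
To: debbie@example.org
Subject: Your account

Hi Debbie,
"""

def assess(raw, expected_domain="facebook.com"):
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    mailbox, _, tag = local.partition("+")  # "+tag" routes to the same mailbox
    domain = domain.lower()
    dmarc_pass = False
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add this header too; ignore unknown stampers
        for part in results.split(";"):
            tokens = [t.lower() for t in part.split()]
            if tokens and tokens[0] == "dmarc=pass":
                dmarc_pass = f"header.from={domain}" in tokens
    return {"mailbox": mailbox, "tag": tag, "domain": domain,
            "authenticated": dmarc_pass and domain == expected_domain}
```

A pass only shows that the message came from the claimed domain; it does not make a request to email a security answer any more reasonable.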

      Was Audrina stuck in London asking Debbie’s friends for money? Is there an Audrina? We’ll never know.

      Several days later, when Debbie regained control of her account, her profile picture was changed. This freaked her out. How did a different picture become her profile picture? Her Facebook friends didn’t believe that she was the real Debbie. It took the better part of this week to get everyone settled down.

      THIS WEEK:

      For Debbie, Facebook is different now. I’m not seeing as many updates from her in my news feed, no pictures were uploaded and far fewer wall posts. Is she gun-shy? Obviously. Will she ever regain trust in the integrity of her Facebook account? Time will tell.

      THE FUTURE:

      For me, this episode brought several interesting issues into focus.

      1) If you have an active user-base that is the size of a large country, does it need a government? I grew up in a town (that had a government) that was in a county (that had a government) that was in a State (that had a government) that was in a country (that had a government). There were four levels of government all overseeing my hometown. Facebook has more than 200 million active users; who represents me?

      2) Is Facebook improperly designed? This is a loaded question. Facebook is awesome. Security issues aside, when Facebook is functioning as designed, the experience is wonderful. I am really thinking about the deeper design issues. Facebook offers me a place to put my photos and stuff for free, they give me free disc space for my database of friends and store my internal-to-Facebook faux emails. Does that make sense? Should I have a way to back up my stuff? Should I have a way to keep my stuff on my computer and only share it with my Facebook friends? Should Facebook be more of a replicated version of my local database as opposed to a cloud-based application?

      3) Would I pay for a better version of Facebook? Would you? If so, how much? Is there a frequent flyer program or a paid premium version of Facebook in our future? If I had a better security experience or a set of features that let me back-up the things I have on Facebook, would I be willing to subscribe?

      4) What does the next Facebook look like? All the buzz is about Twitter right now. Facebook is making public relations noises that are eerie echoes of missives published by MySpace as Facebook was starting to eat MySpace’s lunch.

      I wanted to ask Audrina, the Facebook ninja, some of these questions, but alas, like all good stealthy warriors, she vanished into thin air. She may be gone, but the questions remain. How big is too big? How quickly will we move on to the next new, new thing? Will Debbie ever embrace life in the Facebook cloud again?

      Shelly Palmer