If you provide users with a password, you should probably think about telling them how to keep their password safe.  Teaching users how to avoid being tricked into giving away their account data - being ‘phished’ - can be difficult.

Social engineering is a method of obtaining access to a secured system by exploiting a person’s trust.  It consists of deceiving a person into granting access to a system by some sort of pretense.  For example, let’s say I receive a rather desperate sounding phone call from an intern over in IT who has screwed up and lost their password and needs desperately to fix some problem for their boss.  They know I have an account and are hoping I would be so kind to log in for them, something which I might be happy to do for a colleague.  However, the person on the phone is not an intern in IT at all, and doesn’t even work for the company.  What’s more, the second I have given them access via my own username and password, all of the security precautions are now absolutely useless; the attacker has gained access to the system they wanted to access.  What if they pretended to be working at the bank?  They might goad me into letting them empty my bank account.

A second example of a social engineering attack is to exploit a person’s guilt - to make the person believe that they have been caught doing something wrong and may get in a lot of trouble if they do not cooperate.  This ‘cooperation’ may involve handing over their personal details.  This kind of attack can even work if the victim did not do anything wrong; the act of being ‘accused’ can put someone into a defensive state.  The desire to cover up any wrongdoing they have been accused of may distract them from the fact they are being conned.

The term phishing is used to describe such attacks when they are done over a message service, such as over email or text messages.  Phishing is also often done on a large scale; a would-be attacker sends an email to perhaps thousands of people pretending to be from the IT department, or a bank, or something, hoping that at least one person will fall for the scheme.  Some such schemes are wildly inventive, while there are just as many that are stock standard: ‘we need to confirm your account details’, or ‘we need to verify that your account is active’.

From the point of view of anybody involved in computer security, the fact that such attacks are so effective is depressing.  They are effective for many reasons.

One reason such attacks are effective is that, as with any security precaution, a system is only as strong as its weakest point.  In a large organisation in which lots of people have access to a system, only one person needs to slip up and accidentally give their username and password to the wrong person in order for the system to be compromised.

Another reason is that the users of a system may, being less confident with technology, be naturally inclined to trust and be a little fearful of somebody who both seems to know a lot more about technology and is in a position of authority; for example, someone from an IT department, or law enforcement, or who has access to their bank account.  The consideration as to whether or not the person who contacted them is legitimate takes second place to the desire to comply with this person who seems so much more knowledgeable about the system.

It may also be that people don’t realise that computer security does not stop at some unseen attacker trying to guess or steal your password; that in large part an attacker can just walk right up to you and ask for it.

So, what do we tell the users?

Systems administrators often use the phrase ‘we will never ask for your password’.  This is a good message, because it at least signals to users that there may be nefarious motivations behind someone official asking them to confirm their password.

However, in most cases where someone is duped into giving their account information, they actually believe the person who has contacted them is legitimate.  The phrase ‘we will never ask for your password’ can quickly develop exceptions to the rule; an attacker might say ‘Oh, but our systems are down and we have to log people in manually today.’  As it is coming from a person genuinely believed to be legitimate, such an exception is easily accepted to be true both because it is plausible, and because the victim trusts the attacker to know more about the issue than they do.

I think that users should be instructed that if they are ever asked for their password, even by genuine system administrators, they should not give it over the phone or in reply to the email.  Instead, the receiver should call back the company on the known correct phone number and then give the password.  Let’s say that I call you up and tell you that we are in the process of deleting unused accounts and we need your password to confirm whether your account is used or not.  If you truly believe that my story is legitimate, you may ignore the advice that we never ask you for your password, because my story seems like a plausible reason for an exception to the rule.  But if you have been told that you should always call me back when asked for a password, you may be less likely to be convinced by my insistence that that isn’t necessary.  I might say that you won’t be able to call me back if you tried, or that the matter is urgent, but this may raise more red flags.

In terms of email phishing, too, we can instruct users never to click through a link to a site on which they have an account; instead, should they wish to visit the site they should type the site address or name into their browser.
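The advice above is aimed at users; the same idea can be applied on the receiving side, by checking the links in an email before anyone is tempted to click them. The following Python script is an added example written for this post, not code from the original, and goes a little beyond the text: it extracts every link from an HTML mail body and flags links that point outside the organisation's own domains, links whose visible text names a different host from the one the link actually goes to, and links that are not HTTPS. The mail body and the trusted domain set are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation actually owns (assumption for this example).
TRUSTED_DOMAINS = {"bank.example"}

# Something that looks like a host name inside visible link text,
# e.g. "log in at www.bank.example".
HOSTLIKE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' for mailto:/relative links."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True if host is one of our domains or a subdomain of one.
    Note that 'bank.example.verify-login.test' does NOT qualify: the
    trusted name must be at the end, not the beginning."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_links(html):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, relative links etc. have no host to judge
        if not is_trusted(host):
            findings.append((href, "destination %s is not one of our domains" % host))
        claimed = HOSTLIKE.search(text)
        if claimed and claimed.group(1).lower() != host:
            findings.append((href, "text says %s but link goes to %s"
                             % (claimed.group(1), host)))
        if urlparse(href).scheme.lower() != "https":
            findings.append((href, "link is not HTTPS"))
    return findings


# Constructed sample: a typical 'confirm your account' lure plus one genuine link.
SAMPLE_MAIL = """
<p>Dear customer, we need to confirm your account details.</p>
<p>Please <a href="http://bank.example.verify-login.test/confirm">log in at
www.bank.example</a> now.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_MAIL):
        print("SUSPICIOUS:", href, "-", reason)
```

Run as-is, the script reports three problems with the first link and none with the second. The middle check is the one that matters most for phishing: a user who reads ‘www.bank.example’ in the link text has no reason to suspect the destination, which is exactly why the post's advice to type the address yourself, rather than click, is sound.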

Whether this is all effective is speculation, and it must still be remembered that no matter how security conscious an organisation is as a whole, it only takes one weak link: one uninformed or absent-minded person to slip up and allow a breach of security.

It’s not feeds that I have a problem with, just using the term ‘RSS feeds’ or ‘RSS’ to describe them.

The term ‘RSS’ is hairy to begin with.  It isn’t sure if it should stand for ‘Really Simple Syndication’, ‘Rich Site Summary’ or ‘RDF Site Summary’.  That third one with the second acronym nested inside is particularly hideous.  Passable for people who work with RDF perhaps, but that isn’t many people these days.  Besides which, ‘syndication’ and ‘site summary’ just don’t seem to convey the right idea to me.  They don’t reach out and tell me about grabbing headlines and bits of articles from a site and viewing them in other ways.  ‘Site Summary’ is a fairly vague term which could just as easily refer to a website’s ‘About Us’ page, and ‘Syndication’ is not really what feeds are used for these days.

Then there’s the issue that not all feeds are RSS, and not even all RSS is RSS.  RSS is a name used by two separate, competing and incompatible formats (or more if you count previous versions which are not forwards-compatible).  RSS is therefore not only useless in referring to the concept of a feed, but it’s useless in referring to a particular format of feed.  Yet another format is called Atom - not RSS at all.  The term ‘RSS’ unfairly excludes other implementations of the same concept.
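To make the point concrete, here is a small Python example, added for this post and not code from the original, that tells the formats apart by their root element and then has to pull the item titles out of each one differently, because the three formats put them in different places. The sample documents are constructed; the namespace URIs are the real ones used by RSS 1.0 (RDF) and Atom. Feeds are untrusted input fetched from other sites, so a production feed reader should parse them with a hardened XML parser rather than the bare standard library one used here for brevity.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs for the formats discussed.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RSS1_NS = "http://purl.org/rss/1.0/"
ATOM_NS = "http://www.w3.org/2005/Atom"


def describe_feed(document):
    """Return (kind, version, item_titles) for a feed document.

    kind is 'rss2' for the <rss> family (0.91/0.92/2.0), 'rss1' for the
    RDF-based RSS 1.0, 'atom' for Atom 1.0, or 'unknown'.
    """
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return ("unknown", None, [])

    if root.tag == "rss":
        # <rss><channel><item><title>...: no namespace at all
        titles = root.findall("channel/item/title")
        return ("rss2", root.get("version"), [t.text or "" for t in titles])

    if root.tag == "{%s}RDF" % RDF_NS:
        # RSS 1.0: items are siblings of <channel>, not children of it,
        # and everything lives in the purl.org/rss/1.0 namespace
        titles = root.findall("{%s}item/{%s}title" % (RSS1_NS, RSS1_NS))
        return ("rss1", None, [t.text or "" for t in titles])

    if root.tag == "{%s}feed" % ATOM_NS:
        # Atom: <feed><entry><title>, all in the Atom namespace
        titles = root.findall("{%s}entry/{%s}title" % (ATOM_NS, ATOM_NS))
        return ("atom", None, [t.text or "" for t in titles])

    return ("unknown", None, [])


# Constructed samples: the same blog post expressed three different ways.
RSS2_SAMPLE = """<rss version="2.0"><channel><title>Blog</title>
<item><title>Post A</title></item></channel></rss>"""

RSS1_SAMPLE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns="http://purl.org/rss/1.0/">
<channel rdf:about="http://example.test/"><title>Blog</title></channel>
<item rdf:about="http://example.test/a"><title>Post A</title></item></rdf:RDF>"""

ATOM_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Blog</title>
<entry><title>Post A</title></entry></feed>"""

if __name__ == "__main__":
    for sample in (RSS2_SAMPLE, RSS1_SAMPLE, ATOM_SAMPLE):
        print(describe_feed(sample))
```

The three branches cannot be collapsed into one: a reader written for ‘RSS’ 2.0 finds no items at all in an RSS 1.0 document, and neither finds anything in Atom, which is the practical side of the naming problem described above.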

Feeds are being increasingly used by web users due in part to better integration of feed readers or subscription mechanisms for feeds into browsers.  But along with this we need to use an appropriate name for them.

I am a fan of the term ‘web feeds’.  Firefox 2.0 used the term ‘feed’ as in ‘subscribe to this feed’.  The upcoming Firefox 3.0 gets more specific by calling them ‘web feeds’.  Internet Explorer 7.0 simply calls them ‘feeds’.  Opera 9.x muddies things by alternating between the terms ‘feeds’, ‘subscriptions’ and even ‘newsfeeds’.  And last but not least, Safari 3.1 refers to them as ‘RSS’.  Not even ‘RSS feeds’ - just ‘RSS’.

Google Reader simply calls them ‘subscriptions’ as far as I can tell, which is a decent term.  In other locations Google also uses the term ‘feeds’.  Wikipedia’s main page about feeds is now called ‘Web feed’.

With the exception of Safari, then, the major browsers and the other companies I mentioned have all opted to avoid the technically vague and misleading ‘RSS’ term and go with a more general term for the concept, with ‘feed’ by far the most popular, followed by ‘subscription’ and trailed by variants upon the word ‘feed’ such as ‘web feed’ or ‘newsfeed’.

So, is ‘feed’ a suitable term?  The word itself doesn’t describe the function; feed could easily be something I give to an animal.  The usage of the word seems to come from the context of radio or television broadcasting, where a ‘feed’ is some content that has been sourced or ‘streamed’ from another network.  It’s not an obvious link, to me at least, but once realised the analogy holds up.  I can subscribe to a feed of content sourced from another website.

What is certain is that the term ‘RSS’ really has to go.  It isn’t specific enough to be used as a technical term because it could refer to one of multiple competing formats.  At the same time, it isn’t inclusive enough as a general term as there are feeds that are not actually using any RSS-named technology.  With the exception of Safari, the term ‘RSS’ is not exposed to end users in any of the major web browsers, which instead opt for the more general ‘feed’ or ‘subscription’.  Most of all, it’s a confusing, alienating three letter acronym that doesn’t become more self-explanatory after expanding it into any of its many alternative backronyms.

Ever been embarrassed by the sorts of things people could find out about you just by using Google?  I guess I had thought it was a problem affecting most people who use the web a bit, or whose friends do, until it occurred to me that for some particular people this isn’t a problem.

These are the people with names so common that it is impossible to tell them from the thousands of other web kiddies with the same name.  My name, my real name, is fairly unique.

What if you have a really unusual name?  Well, you could use a pseudonym that’s really inane, like James Connor.  Or Peter Smith.  Or you could anglicise your name: use the more common English name that is similar to yours.

I’m keeping an eye on you guys: the other day 63 of you viewed a page on this blog, or rather one of you viewed 63 pages. That’s a lot more than the one or two page views per day I usually get.

I’ve gone on my first ever overseas trip - New Zealand. It’s an appropriate first step, and I consider it the very first journey of many. It’s not too far away, and people speak the same language here, and practically even the same accent, with some amusing exceptions.

I gotta go and eat and look at museums and sights.

Any software application which encourages or requires you to pass on messages to your friends is a bad thing.  Facebook is a culprit because it promotes applications which do this.

Applications that do this are a bad thing because while the person using the application is not inconvenienced very much, it will annoy all that person’s friends.  They, unfortunately, had no say in whether they got this piece of advertising sent to them.  Because it came to them via a friend - someone they know - they feel they can’t complain.

It’s something that is pissing me off about Facebook at the moment, but before I go to that I wanted to talk about viral marketing.

Although based on a pre-existing concept, the buzzword viral marketing comes from pre-2.0 web days, and refers to any marketing which is done by encouraging people to pass a marketing message on to their friends, voluntarily.

The idea that this is voluntary is key here.  Sure, perhaps none of the ‘friends’ solicited this advertising, but the idea is that the person passing on the message truly wants to spread the good word about a product or service.  Let’s say I eat a delicious meal of fish and chips.  If I recommend it to a couple of my friends, I am participating in viral marketing.  In order to put this into motion, the fish and chip shop had to create a product that was so compelling, its customers could not help but to spread the good word to their friends.

The problem worsens slightly when the passing on of such marketing messages is not entirely voluntary: it is influenced in some way. For example, a web application will suggest that the user forward something to their friends, making it easy to do so by providing a special form just for this purpose. This makes the passing on of the message less of a natural, evolutionary process where the best products will generate the most interest, and transforms it into a process where companies offer various gimmicks to encourage people to ‘forward’ messages to their friends.  The messages just start to get annoying.

I’m annoyed when I see that I have a message (email, SMS or some other online message) from a friend, only to open it and find out it is, well, spam.  I’m even more annoyed to suspect I’m not the only one who received the message: that my friend probably spammed a whole bunch of people, and I am only one of many.  It’s a small slap in the face to find that a message from a friend is not a personal message at all but was forwarded.  It’s a much larger slap in the face when it’s an obvious commercial or hoax message with little to no hint of personalisation from the friend - no ‘hey M. I thought you’d be interested in this cos you like horror movies’, just the impersonal forwarded message.

This is what the term viral marketing came to mean on the web.  Claiming on the surface to be a natural, non-intrusive process in which people only pass on messages to friends who they believe will genuinely and personally benefit, it’s grown into a group of industries that seek to exploit people by preying on their gullibility and the carelessness with which they will send on messages to their friends for a trivial reward.

Marketing is not the only motivation behind getting people to forward messages on to their friends.  Some people or companies do it just to get a kick out of seeing how far their message spreads.  This is the case with hoaxes and chain letters, both of which deceive people in order to get them to forward the message on to their friends.  The latter lie about various benefits the user will receive if they forward the message.  These can prey on the superstitious (‘forward this to 20 people or your hair will fall out’), the greedy (‘send $1 to this person and before long you’ll receive over $300’) or otherwise gullible (‘forward this message to all your friends so that Microsoft don’t shut down your account’).

Email itself can be a problem.  The relative ease with which somebody can forward a received message to their entire address book used to land countless chain letters in my inbox, though people seem to be a lot more educated about the problems of spam these days, so it isn’t so much of a problem any more - besides, there are far greater problems with email spam.

Facebook is a bad thing because it allows for applications to be built which require or encourage you to pass on messages to your friends. It is too easy for applications to exploit users into passing messages around the network, because every Facebook user is inherently connected with a network of friends, including friends who share trust, and are interested in communicating with each other.  Facebook users install applications which are written by third parties, with varying motivations for creating them. In many cases it appears that the application developer simply wanted to get a kick out of seeing how quickly their application would travel around the network.  Applications also derive income from advertising, which ties the developer’s bottom line to the number of people using the application.

Some of the fastest spreading Facebook applications are the most annoying. For example, the applications ‘Super Wall’, ‘Fun Wall’, any application which appears to be some sort of IQ or personality test (with the exception of the one actually called ‘IQ Test’), ‘Top Friends’ and more have spread quickly through the network due in part to the fact that in order to participate in them, your friends have to be involved too.  However, these applications exploit people as described below.

‘Super Wall’ and ‘Fun Wall’ lead users to believe that only by installing this application will they be able to send and receive wall posts containing videos, pictures or gifts, but these are all available in the regular built-in wall.  The only unique feature of these applications is the existence of a ‘Forward’ button below every post, which makes it easy for users to forward a message to not just one, but many of their friends at once.  The messages sent through these applications are therefore much less likely to be personal, as they are used to send messages at large to many people.  This has given birth to the phrase ‘click forward see what happens’, a gullibility test in itself which has failed enough people that hoax messages like these litter the entire network, proving to be an annoyance to everyone, not only those that fell for the lie.

A number of times have I installed an application that seems like a relatively fun and silly test - of my personality, for example - and have filled out the entire questionnaire only to find that in order to see any results I have to forward an advertisement to at least 20 of my friends. Presumably, the fact that I invested so much time filling out what I thought was just an amusing little test will outweigh the guilt of annoying a bunch of my friends with a promotional message encouraging them to install a certain application, and I’ll go ahead and spam them in order to get my results.  Not me though.  I will simply get angry and give up on seeing the results, concluding that I have just had ten or twenty minutes of my free time wasted in the name of trying to get me to spam my friends.

Perhaps if Facebook were not such a ubiquitous and otherwise useful medium I wouldn’t be nearly as annoyed.  I have received invitations to do various things in other social networking software and have just turned it down, because it didn’t seem worth using them anyway.  But nearly everyone I know my age has a Facebook account - I can only think of two friends my age who don’t. It’s becoming such a normal way to communicate with people.  Some friends even send out invitations to social events through it.

I guess that Facebook could remove the ability for applications to forward messages to many people at once.  But the entire network stands to benefit so much from the rapid take-up of its applications that I presume they’d be resistant to taking steps to limit this spread.

I maintain, however, that applications, such as Facebook applications, which encourage or require users to pass on messages to friends are a bad thing and should somehow be restricted.  There is no need to remove the ability for someone to tell a friend about an application altogether.  But it shouldn’t be allowed to be forced or encouraged, for if this is done it ceases to promote adoption of applications based on their true merit and becomes a competition in which application developers try to deceive or exploit people.

Further reading

Pre-release versions of Firefox 3 are now available, and they are looking pretty interesting. Here are a few warnings though if you are tempted to try upgrading now:

  • Existing add-ons in the form of extensions or themes will probably not work anymore if you upgrade.
  • It doesn’t yet ‘look’ polished. Firefox 3 will have a new visual appearance, which the pre-release versions don’t have yet.
  • There are some annoying bugs, but aren’t there always. For instance you can’t yet drag and drop a bookmark into a bookmark menu.
  • If you don’t like it and decide to downgrade to Firefox 2 again, you’ll lose access to bookmarks you created while you were using Firefox 3 (there is a way around it though).

With those warnings aside, here are some of the neat things I found.

  • Rendering pages is faster due to the new rendering engine. If you have a decent enough internet connection you’ll probably notice the benefit.
  • The address bar lets you search your browsing history, and shows titles and URLs of results. You can also bookmark things in one click using the ’star’ in the address bar.
  • You can resize the search box (i.e. the Google search box) so it’s bigger.
  • There is a list of automatic bookmarks which contains your frequently visited pages.

There are lots of changes to the way bookmarks and history are handled, and thankfully lots of these changes are not noticeable at all. There are also changes to the way secure connections are described, to avoid the implication that a site can be trusted if it is using a secure connection. There are also thousands of other bug fixes.

I really like following Firefox’s development because anyone can see how bugs are fixed and how patches to the code are accepted, and it somehow works - it creates a good product.
