Posts Tagged ‘privacy’

Simple And Secure Identity Protection: LastPass + YubiKey


How many online accounts do you have? How many of them use the same password? Is this password a simple word like ‘Bananas123’? Thought so. You’re screwed.

If you’re reading this post, you’re probably an ‘internet person’, use many online services from banking to Facebook and let’s face it, probably have insecure passwords to most of them. After years of hearing my friends moan about…

  1. forgetting their password to a particular site
  2. having to type a long password
  3. not wanting to use a more secure password since it’s too complicated to remember
  4. rejecting a semi-secure password I’ve generated for them (see #3)
  5. getting hacked

… I realized that I, too, have some of those problems. Most critically, my passwords aren’t really that secure and could be brute-forced relatively quickly. In addition, I reuse my passwords (guilty).

The first step is realizing you have a problem. Time for solutions. Read On…
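A concrete way to see the two problems named above (reuse and weak passwords) is to audit a credential list. This is an added example, not code from the original post or from LastPass; the vault, the site names and the passwords are constructed, and the strength estimate is a crude assumption of mine (character-class keyspace, with a special case for the ‘Word123’ pattern), not a real strength meter.

```python
"""Password hygiene audit: find reused and easily brute-forced passwords.

Added example, not code from the original post. SAMPLE_VAULT is constructed
(fake sites, fake passwords); the thresholds and the 'Word123' deflation are
the example author's assumptions, a rough estimate rather than a real meter.
"""
import math
import re
from collections import defaultdict

SAMPLE_VAULT = [  # constructed sample data
    ("bank.example", "Bananas123"),
    ("social.example", "Bananas123"),
    ("mail.example", "Bananas123"),
    ("shop.example", "correct horse battery staple"),
    ("blog.example", "x7#Tq9!mLp2$Vw4z"),
]

# (regex matching a character class, size of that class)
CHAR_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation and space
]

# Assumed pattern: a dictionary-looking word followed by 1-4 digits.
WORD_DIGITS = re.compile(r"^[A-Za-z]{3,}[0-9]{1,4}$")


def keyspace_bits(password):
    """Upper bound on entropy: every character drawn uniformly from the union
    of the classes the password actually uses."""
    alphabet = sum(size for rx, size in CHAR_CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def effective_bits(password):
    """Deflate the estimate for 'Word123'-style passwords: roughly one word out
    of ~1e5 (about 17 bits, an assumption) plus the digit suffix, which is far
    smaller than the per-character keyspace suggests."""
    if WORD_DIGITS.match(password):
        digits = len(re.search(r"[0-9]+$", password).group())
        return 17 + digits * math.log2(10)
    return keyspace_bits(password)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at the given rate (an offline, fast-hash
    attacker is assumed; online login rate limits are much slower)."""
    return 2 ** bits / guesses_per_second


def audit(vault, min_bits=60):
    """Return reused passwords (with the sites sharing them) and weak ones."""
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    weak = {pw: effective_bits(pw) for pw in by_password
            if effective_bits(pw) < min_bits}
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for pw, sites in report["reused"].items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    for pw, bits in report["weak"].items():
        print(f"weak ({bits:.1f} bits, ~{seconds_to_exhaust(bits):.3f} s offline): {pw!r}")
```

The point of the two estimators is the gap between them: ‘Bananas123’ looks like a 10-character mixed-class password (about 60 bits by keyspace) but is effectively a word plus three digits (under 30 bits), which is why the post calls such passwords quick to brute-force. A random 16-character password or a four-word passphrase clears the threshold comfortably, and a manager generates the former for you so that nothing has to be remembered.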

Dear FB, My Data, Please!

I’ve been following Europe Versus Facebook for quite some time now and very much approve of the notion. I requested a copy of my data about a month ago and received a dry reply today. Not surprisingly, I was directed to use the profile download tool to get a copy of “all the data that we believe necessary to comply with the requirements of data protection law”.

Like hell. I’m more interested in what goes on behind the scenes. Luckily, there’s a dumbed-down guide on how to persuade Facebook to do people’s bidding.

Now to the month long wait, again…

You can access your data immediately any time, free of charge. In this download, we’ve included all the data that we believe necessary to comply with the requirements of data protection law. Please note that this tool provides you with data that is currently held in your profile (timeline).

Please note that we are currently undergoing an audit by our European data protection regulator, the Irish Data Protection Commission.  This includes an examination of the categories of data that should be provided in response to a subject access request. This may result in changes to the download tool in the future.

- Email from Facebook to Ando Roots

Note: Facebook has made it more and more difficult to send an access request since the beginning of your campaign. The legal deadline of 40 days is currently ignored. Users get rerouted to a “download tool” that only allows you to get a copy of your own profile (about 22 data categories) but does not provide you the data Facebook is collecting and storing in the background (about 35 data categories).

- From

Update: I didn’t hear back from Facebook after the legal deadline so I wrote to them on paper. A bit more difficult to ignore now. P.S! You owe me 1.09 €.

Update (26. Jan 2012): I just received another email from Facebook about my data request(s)… which, by the way, doesn’t specify whether it’s a response to the online form (my 2nd attempt) or the above handwritten letter. The email says, in the nicest of terms, that I should find all the information I want by using their online data download tool.

Please note that as this reply contains all the information necessary for you to exercise your subject access rights we will not enter into further correspondence about your specific data through this email address.

We’ve built a convenient self-service tool to offer people who use Facebook the opportunity to access the personal data we hold about them in accordance with the provisions of EU Directive 95/46/EC.

In this download, we’ve included all the data that we believe necessary to comply with the requirements of data protection law.

- Annotated excerpts from the email

However, from

Facebook is sending out e-mails in which they claim that you can download all data via the “account settings” page on their web page. In fact you only get a minimal amount of data when downloading this file (about 22 data categories instead of more than 76!)

I’ll have to wait some more until 40 days from my third data request (1: online form, 2: e-mail to, 3: handwritten letter) pass, then I can (and most likely will) file a complaint with the Irish DPC.

Update: Received another letter from Facebook, by electronic mail, basically thanking me for my interest and directing me to use their download data tool… again. I’m not going to waste the effort on filing a complaint against them, but I am terribly disappointed.

From their own policies:

“You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide an easily accessible mechanism for users to make such a request.”, section II, paragraph 12

As far as I know, the first is impossible with their own service and the second is really darn hard, as the above saga proved. Way to set an example…

Another reason to distrust open WiFi


I connected to a wireless open network in a very busy part of Tallinn just moments ago. Something unexpected happened that made me once again thank Tux I’m slightly paranoid.

Image by miniyo73 via Flickr

As you undoubtedly should know, wireless networks – especially open and weakly (WEP) encrypted ones – are dangerous. Dangerous in the sense that everything you send over such a network is as visible as if you were giving a lecture. Think it over.

No-one (except maybe Google) cares that you search for restaurant reviews. But what about sensitive information like sent passwords or any other kind of data I have access to, such as…

  • Login information (Facebook, mail, blog, travel, ANY kind of site)
  • IM message sessions
  • Vulnerable services running on the machine (file server)

I was taught the basic skills of intercepting digital data traveling between networks in the first semester of freshman year. In fact, any kiddie could pull it off. Because of that knowledge, I tend to avoid logging in to anything unencrypted during my stays outside the pseudo-safety of my home network.

Some More Background

As you might (not!) know, Facebook only just recently added a very important security feature (of course, you have to opt in for it – funny, usually one has to opt out of new ‘features’). Enabling secure(r) browsing means that the communication channel between your computer and the Facebook server is unreadable to the dude sitting at the next table.

I’m sure you have connected to a free WiFi hotspot and seen the default welcome page that seems impassable unless you click on the “Yes, I take full responsibility for my actions while in your network” button. That’s all warm and fuzzy, but it’s also possible to configure the welcome page so that it redirects you to a website of the owner’s choosing after you click on the button. That’s usually the company’s website.

So what the hell happened?

With that background comes the main point of the post. The network I connected to had decided that the redirect page (after I click “Agree, let me use your WiFi”) should be their Facebook page. Okay, all well and good.

Remember that the connection to Facebook is not encrypted by default? And since I was already logged in from earlier, the data would have moved openly across several network hops, for anyone with a motive to see, capture and/or modify.

Even if I weren’t already logged in, extensions like LastPass log you in automatically. As if the initial request weren’t enough, there are loads of hidden background queries to and from the Facebook server – the chat window, friends online, notifications… all moving over unencrypted HTTP, wirelessly.
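What actually decides whether that captive-portal redirect exposes your session is the cookies: a browser attaches every cookie that lacks the Secure attribute to a plain http:// request, and a site that does not send Strict-Transport-Security lets the http:// redirect happen at all. The checker below is an added example, not code from the original post and not anything Facebook ships; the two HTTP responses, the host and the cookie names are constructed placeholders, and the functions are mine.

```python
"""Audit Set-Cookie and HSTS headers for exposure over plain HTTP.

Added example, not code from the original post. Both responses below are
CONSTRUCTED; example.com and the cookie names stand in for any site that
serves its pages over HTTP with HTTPS as an opt-in.
"""
from urllib.parse import urlsplit

# Constructed: what a browser might receive after logging in to a site that
# has not enabled encryption by default. No HSTS, session cookie not Secure.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: user_pref=lang%3Den; Path=/
Set-Cookie: csrf_token=deadbeef; Path=/; Secure; HttpOnly
"""

# Constructed: the corrected form of the same response.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
Set-Cookie: user_pref=lang%3Den; Path=/; Secure
Set-Cookie: csrf_token=deadbeef; Path=/; Secure; HttpOnly
"""


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names are lower-cased; the body (after the blank line) is ignored."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names present)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def cookie_jar(raw_response):
    """Collect the cookies a browser would store from this response,
    as {name: attribute set}."""
    _, headers = parse_response_headers(raw_response)
    return dict(parse_set_cookie(v) for n, v in headers if n == "set-cookie")


def audit_response(raw_response):
    """Report cookies that travel over plain HTTP (no Secure), cookies that
    page scripts can read (no HttpOnly), and whether HSTS is set."""
    _, headers = parse_response_headers(raw_response)
    jar = cookie_jar(raw_response)
    return {
        "exposed_on_http": [c for c, a in jar.items() if "secure" not in a],
        "script_readable": [c for c, a in jar.items() if "httponly" not in a],
        "hsts": any(n == "strict-transport-security" for n, _ in headers),
    }


def cookies_sent_to(url, jar):
    """Which stored cookies a browser attaches to a request for `url`:
    Secure cookies only over https, everything else over either scheme."""
    scheme = urlsplit(url).scheme.lower()
    return sorted(c for c, a in jar.items() if scheme == "https" or "secure" not in a)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
        # The captive portal's redirect target is a plain-HTTP page (constructed URL).
        print("  sent on portal redirect:",
              cookies_sent_to("http://www.example.com/brand-page", cookie_jar(resp)))
```

On the weak response the redirect to the http:// brand page carries session_id in the clear, which is exactly the situation the post describes; on the hardened response nothing is attached, and a browser that has seen the HSTS header rewrites the redirect to https:// before sending it. For a real site the same check can be run against a saved response from the browser's developer tools.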

Not scared? You should be. Identity theft could sound like an obscure idea, but think of what you’d do if you had a day to live and no responsibility for your actions. You’d probably rob a bank or something.


Wouldn’t it be a beautiful world of rainbows and butterflies if everyone knew at least a little about the threats in (open) networks? If you must check in with your digital social life, opt in/enable the goddamn encryption. It’s a one-shot deal, doesn’t cost you anything and is a hell of a lot better than explaining to Tim that you are not “It’s complicated” with his wife.

Also, a note to the unnamed coffee shop – please don’t pull stunts like that – throw the visitor to the wolves… or at least give a five second warning or something!


P.S I’d like to know more about what Facebook actually does when the user is idle – what type of queries move between the server and the client. Please leave a comment below if you know something about it.

On Facebook and privacy

Everyone is on Facebook. If you're not on Facebook, you're nobody.

That's the reason many users of the popular social network site, Facebook, are still sticking to it. It's not that it offers something we cannot live without or couldn't find an alternative to – we're there because everyone we know – and often, don't know – is using the site.

Facebook has lost its original purpose – connecting friends. People, as in individuals, to other people and, more importantly, to a network of friends. What started out with Mary knowing Tim has become The Internet knowing Mary. Friend lists have grown, with the average number of friends being 130 (1). Companies apply increasing pressure and invade what was supposed to be a network of persons, but has become a target group for products, services and campaigns instead.

How many people do we really interact with on a weekly basis? And how many of them are truly what could be described as "a person attached to another by feelings of affection or personal regard" (2)? Nowadays, it's not uncommon for me to see people accepting friend requests from others they barely know, seemingly only to increase the counter. Do they realize they give that person access to (and the ability to cause harm in) their personal life?

The answer must obviously be no, for how else could we see such high disregard and low awareness of different security and privacy issues? The bad guys love Facebook too. It's an ideal incubator for all sorts of profitable things. Just take a look at some of the articles published in my favorite IT security blog, NakedSecurity – scams spread like wildfire and, what's worse, even the obviously fishy ones get customers.

To be fair, the same can be said about the virtual world outside Facebook… but I, as a user, don't feel any more secure in there than in the wild. Look at it this way: Windows (XP) is the most widespread operating system on the planet. What's the most popular target for malware, adware, spyware, viruses…? The matter is not improved by the company's jumpy privacy policies, its default settings and the amount of scams able to reach the network through compromised accounts and applications.

In the light of all that whining, am I trying to say that people should ditch Facebook? No. The service is like a car, in a way: use it right and you can open new opportunities, drive drunk and it doesn't end well… but unlike driving, neither Facebook nor the Internet requires a certification process.

If you're like me – just a tiny bit paranoid and protective about privacy – you might have heard of a project called Diaspora. Essentially, it's a replacement for Facebook, designed to give you, and only you, control over your data… but that's a poor way to put it. Prof. Eben Moglen can explain the reasons behind it a lot better.

To cut the length of the rambling, here are some of the points I'm not happy about:

  • The amount of noise far outweighs any useful information I signed up to get…even though my friends list, likes and authorized applications count is relatively small
  • No verification process for applications – do I really want them to access my personal data?
  • Uncertainty about privacy settings – the default ones are too open, they're confusing and change often. Only post stuff you'd be willing to see in a local newspaper?
  • Invasiveness – recommendations to give out my phone number and connect to my accounts on Twitter / Gmail etc
  • HTTPS off by default
  • Inability to bulk-delete my data…without deleting my account

The concept of a social network is a fabulous one in itself… but Facebook's policies about it leave reason for dissatisfaction.

With all my heart, I hope you continue to exercise your role as a Facebook citizen, but please do so responsibly. Realize that the information you give out will stay there and you are not in control of it any more.


  1. (23. 05. 2011)

Disclaimer: This is an article of personal opinion. The aim of the article is not dishonoring the reputation of Facebook.
