Ben Metcalfe Blog

Archive
March, 2009 Monthly archive

Here at SxSW we’ve just launched a glimpse into some future product direction we’re working on at Seesmic. During the Facebook panel, we announced Seesmic for Facebook.

[Screenshot: Seesmic for Facebook]

Seesmic for Facebook lets you keep track of your friends’ Facebook status and easily update your own. It is based on the technology behind Twhirl, our popular desktop client for Twitter, Seesmic and identi.ca.

This is very much a beta release from us (for those who remember the old skool definition of beta). We wanted to get something out soon, to gauge people’s reactions and product requirements. We’re not sure (/not saying!) where this is all heading, but rest assured we’ll be bolting a lot more functionality onto the Facebook client as we develop it further and the Facebook API matures.

You can try out Seesmic for Facebook by checking out the application on Facebook. It’s based on Adobe AIR, so you will need to have that installed already (don’t worry, it’s free and painless).


Can’t believe this hasn’t been picked up by the major blogs yet, but I’m seeing a lot of friends having their Twitter account compromised with this unauthorized tweet:

hey! 23/Female. Come chat with me on my webcam thingy here www.chatweb*********.com

(redacted by me).

A quick search on Twitter Search shows this is happening to a very large number of people. (If you do visit the site, be aware it’s NSFW.)

How is this happening?

The most likely vector for this attack is one of the numerous third-party Twitter services that ask for your username and password in order to provide additional functionality (statistics, alerts, etc).

It’s unlikely that any reputable service would have done this intentionally, but it is very likely that someone was able to gain access to one of their databases and steal all of the stored Twitter usernames and passwords. Because Twitter’s API currently authenticates every request with the user’s real username and password (HTTP Basic auth), these services have to keep the password in a form they can send back to Twitter. That rules out hashing it; at best they can encrypt it reversibly, which buys nothing once the server holding the key is the thing that has been compromised.

The answer to this is OAuth, which Twitter is in the process of launching: you log in at Twitter itself, the third-party service is handed a token that only works for that application, and you can revoke that token from Twitter without ever giving the service your password or changing it afterwards.
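To make the difference concrete, here is an added example (written for this post; it is not Twitter’s, Seesmic’s or any third-party service’s code) that models both ways a third-party site can talk to Twitter, leaks the site’s database under each, and records what the attacker can do with the loot. The `Provider` class, the account and both “databases” are toy in-memory constructs, and the HMAC-SHA1 over the tweet body is a stand-in for OAuth 1.0a’s full signed request.

```python
"""Password-based API access vs. a revocable OAuth-style token.

Added example for this post; not Twitter's, Seesmic's or any third-party
service's code.  Provider, the account and the 'leaked' databases are toy
in-memory constructs.  The HMAC-SHA1 signature over the tweet body stands in
for OAuth 1.0a's signed request and is a simplification."""
import hashlib
import hmac
import os
import secrets


class Provider:
    """Stand-in for the service that owns the accounts (Twitter in the post).
    Assumption: it hashes its own password store; only the third parties keep
    plaintext, because the Basic-auth API makes them replay it."""

    def __init__(self):
        self._pw = {}      # username -> (salt, sha256(salt + password))
        self._tokens = {}  # token key -> (username, token secret, app name)

    def register(self, user, password):
        salt = os.urandom(16)
        self._pw[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def check_password(self, user, password):
        salt, digest = self._pw[user]
        return hmac.compare_digest(
            digest, hashlib.sha256(salt + password.encode()).digest())

    # Model 1: HTTP Basic auth, as Twitter's API worked in early 2009.
    # Every third-party request carries the user's real password.
    def post_basic(self, user, password, text):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        return f"{user}: {text}"

    # Model 2: OAuth-style.  The user logs in at the provider once, the app is
    # handed a token scoped to that app, and the user can revoke it later.
    def authorize_app(self, user, password, app):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._tokens[key] = (user, secret, app)
        return key, secret

    def post_signed(self, token_key, text, signature):
        if token_key not in self._tokens:
            raise PermissionError("token revoked or unknown")
        user, secret, _ = self._tokens[token_key]
        if not hmac.compare_digest(sign(secret, text), signature):
            raise PermissionError("bad signature")
        return f"{user}: {text}"

    def revoke(self, token_key):
        self._tokens.pop(token_key, None)


def sign(token_secret, text):
    """App side: prove possession of the token secret without transmitting it."""
    return hmac.new(token_secret.encode(), text.encode(), hashlib.sha1).hexdigest()


def breach_scenario():
    """Leak the third-party site's database under each model and record what
    the attacker can do with it."""
    twitter = Provider()
    twitter.register("alice", "correct horse")

    # Third-party 'stats' site, password model: must keep the plaintext.
    stats_db = {"alice": {"password": "correct horse"}}
    # Same site, OAuth model: keeps only the token it was issued.
    key, secret = twitter.authorize_app("alice", "correct horse", "statsapp")
    oauth_db = {"alice": {"token": key, "secret": secret}}

    result = {}
    # Password leak: attacker posts as alice and also holds a password alice
    # may reuse elsewhere; nothing short of a password change stops this.
    pw = stats_db["alice"]["password"]
    result["pw_leak_can_post"] = twitter.post_basic("alice", pw, "spam") == "alice: spam"
    result["pw_leak_reveals_password"] = pw == "correct horse"

    # Token leak: attacker can post too, but only until alice revokes the app.
    k, s = oauth_db["alice"]["token"], oauth_db["alice"]["secret"]
    result["token_leak_can_post"] = twitter.post_signed(k, "spam", sign(s, "spam")) == "alice: spam"
    result["token_leak_reveals_password"] = "correct horse" in str(oauth_db)
    twitter.revoke(k)  # alice clicks "revoke statsapp"; her password is untouched
    try:
        twitter.post_signed(k, "spam", sign(s, "spam"))
        result["token_works_after_revoke"] = True
    except PermissionError:
        result["token_works_after_revoke"] = False
    result["password_unchanged"] = twitter.check_password("alice", "correct horse")
    return result


if __name__ == "__main__":
    for name, value in breach_scenario().items():
        print(f"{name:30} {value}")
```

The point to take from the run is not that tokens cannot be stolen (they can, and the attacker posts just as happily with one) but that the blast radius differs: a stolen token is useless the moment the user revokes that one application, and it never exposes a password the user may have reused on their email or bank.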

The most recent check of Twitter Search shows that the last such message was posted two hours before the time of writing, which probably means Twitter has put a stop to it, presumably by blocking any post containing that specific string of text. That is a stopgap: the stolen credentials still work, so nothing stops the attackers trying again with a different message.

My advice is:

  • Change your password, especially if you have been hit by this.
  • Never use the password you use for Twitter anywhere else.
  • Limit the number of sites you put your Twitter username and password into.
  • Change your password periodically, and in particular when you stop using a site you gave it to: until OAuth arrives, changing the password is the only way to revoke an old site’s access to your account.

A couple of thoughts on today’s news that Jason Calacanis employed John Schiefer at Mahalo (or, more accurately, that he didn’t fire him when he found out about his past). For those who don’t know, before he worked at Mahalo Schiefer got caught up in creating a botnet that was later used to raid people’s financial accounts.

I usually give Jason Calacanis a rough ride – the guy wants to be a “jock of the internet”, comes across as such, and so the nerds are going to throw shit from the peanut gallery. I don’t get why that’s really a big surprise – I just get frustrated that I become part of the spin as I feed into it.

But on this one I actually congratulate Jason for having the courage and the integrity to make a decision based on the actual situation rather than bowing to ‘keeping a front’ that would be more media and investor friendly.

As Jason points out in his blog post, many of us with powerful technical skills and understanding have at least experimented with putting those skills to less-savory uses. We all have a past, even people like me who don’t work directly in any IT-security-related area of the industry. But from what I can tell John was employed to work in a security-oriented position, and those are the very people you want to have a past in this area – so they know their field of expertise inside and out.

I’m not sure I’d hire any engineer or ops person to work in a security-related position who I knew didn’t have a history on the other side of the line. Of course, I would want to know they are done with that part of their lives.

This is true for other areas in technology: if you’re building an online music store you’d hope that your product people download a lot of music illegally using BitTorrent and Kazaa (so that they are totally across the other options out there). If you’re developing the Windows OS for Microsoft, it would be a good idea to regularly use Apple and *nix operating systems to understand what’s out there. This is a design pattern I don’t see anywhere near enough in business, and it’s the root of a lot of failures.

Back to the Schiefer story: some folks in the media, such as Rafe Needleman on Webware, have spun up a load of FUD around whether Schiefer had access to personal information and the level of ‘supervision’ he was given once Calacanis found out about his past.

What Rafe and others need to consider is that at most companies the technical staff already have broad access to customers’ data. They hold the root and master accounts, so they don’t need any cracking skills to get at it. The fact that Schiefer can crack gives him no more access to that data than any other engineer or ops person with the same credentials.

Now, the argument could be raised that Schiefer’s history meant he shouldn’t be trusted. But I ask you to consider what percentage of Google’s, Facebook’s or any other tech company’s engineering team is made up of people who have dabbled in illegal technical activity. Whether or not they were caught shouldn’t change how much you trust them. The bottom line is that most people are not caught. One of the biggest employers of engineers who have been caught committing cyber-related crimes is governments.

Further still, what about people with the same level of ‘master’ access at companies you patronize who have committed other crimes of moral turpitude? This applies not only to engineers but to non-tech staff too, even as far down as call center staff.

The bottom line is that all companies need measures in place to protect their customers’ data from insiders as well as from outside attackers: least privilege, access logging and separation of duties, so that holding a root account is not the same as having unaudited access to every record. How good a job they do varies enormously.

But to take issue specifically because someone has a history of cracking shows a vast naivety about how the business actually works. You want people with this kind of history on your security team.


It’s been interesting to read many people describe the recent Facebook announcements (including today’s) as “Facebook opening up”. While it is true that they are – and they should be congratulated for it – there are greater reasons for them doing so than ‘pure altruism’, as some people have suggested.

It seems pretty clear to me that Facebook’s business model is shifting towards one of data mining and analytics – where they are able to leverage the collective thinking of everyone contributing their ‘stuff’ into the Facebook bucket.

Let’s take a quick look at the theme of Facebook’s recent announcements:

  • early Feb: Terms of Service changed to give FB a perpetual right to keep all data you give them (later withdrawn after public outcry)
  • Feb 19: commenting on public pages with FB Connect
  • Mar 4: new Publisher (Twitter-like) and Highlighter (content ranking) functionality

Let’s take a quick look at what those announcements gave us:

First off was the ToS change – which for me was a clear indicator that Facebook wanted to do more with the data it holds than just display it to your friends and use it to recommend other content you might be interested in. If Facebook is going to move into a data play then it needs to make sure it can retain all of that data regardless of what the user might want to do with their view of it. Having to remove arbitrary data from the cube because a user requests it is tricky, and it devalues your model – and why would you want your model devalued?

OK, so they backed off from those sweeping changes, but only because of the fallout they created for the company. By that point they had already partially shown their hand.

In addition to the data Facebook keeps inside its own database there is also the metadata Facebook can gather about what’s going on outside its domain – and that’s where functionality like commenting on external pages, released at the Facebook Garage, comes into play. Putting JavaScript calls on foreign pages also lets Facebook track visitors: the browser sends Facebook’s own cookie along with every request for that script, and the Referer header tells Facebook which page on the foreign site was being viewed. That is enough to match a visitor to a Facebook account and follow their usage of the site even if they never interact with any Facebook-powered functionality on it.
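The following is an added example of what that server-side join looks like; it is not Facebook’s code, and the request log it parses is constructed for this post. Each line models one hit on a hypothetical widget script host, with the cookie and Referer the browser sent. The line where the cookie is “-” stands for a browser that blocks third-party cookies, which is exactly the case the join cannot cover.

```python
"""Cross-site tracking from an embedded widget script.

Added example for this post, not Facebook's code.  The log below is
constructed: one hit per line on a hypothetical widget host, recording the
cookie and Referer header the visitor's browser sent with the request."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

TRACKER_LOG = """\
GET /widgets/comments.js cookie=uid=7f3a referer=https://news.example/story/42 action=load
GET /widgets/comments.js cookie=uid=7f3a referer=https://blog.example/post/oauth action=load
GET /widgets/comment cookie=uid=7f3a referer=https://blog.example/post/oauth action=comment
GET /widgets/comments.js cookie=uid=7f3a referer=https://shop.example/cart action=load
GET /widgets/comments.js cookie=- referer=https://news.example/story/42 action=load
GET /widgets/comments.js cookie=uid=c19e referer=https://blog.example/post/oauth action=load
"""

LINE = re.compile(r"GET \S+ cookie=(\S+) referer=(\S+) action=(\S+)")


def profiles(log):
    """Join hits on the cookie id: one browsing history per identified
    visitor, page by page, including pages where the visitor merely loaded
    the script and never touched the widget."""
    seen = defaultdict(list)  # uid -> [(host, path, interacted)]
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        cookie, referer, action = m.groups()
        if cookie == "-":
            continue  # no cookie sent, so no identity to join on
        uid = cookie.split("=", 1)[1]
        url = urlsplit(referer)
        seen[uid].append((url.netloc, url.path, action != "load"))
    return dict(seen)


def silent_visits(log):
    """Per visitor, the sites they were seen on without ever using the widget:
    the 'never interacted with any Facebook functionality' case in the post."""
    out = {}
    for uid, hits in profiles(log).items():
        used = {host for host, _, interacted in hits if interacted}
        out[uid] = sorted({host for host, _, _ in hits} - used)
    return out


if __name__ == "__main__":
    for uid, hosts in silent_visits(TRACKER_LOG).items():
        print(uid, hosts)
```

Two things to take from it as a site owner: the Referer header is what hands the embedding page’s URL to the third party, and the only visitor the join loses is the one whose browser withheld the third-party cookie.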

Today’s announcement of the Publisher functionality builds on top of the rudimentary Twitter-like status updates we’d begun to see with the Facebook comment boxes used during the Presidential Inauguration and, more recently, the live streaming of Demo 09. Highlighter further aids the recommendation and collaborative filtering of content by peers in order to work out what is currently most interesting and most engaged with. Facebook calls the subset of your friends’ output that you can see your “social lens”. This is true, but at the macro level of the system Facebook ends up with a complete lens on what everyone is filtering, sorting and ranking.

So where is this all going?

Facebook is moving into a new gear, encouraging a constant flow of status updates and conscious thought (Publisher, status messages), creating deeper indicators of intent and interest (Highlighter, “like” functionality, etc) and behavioral indicators (integration with location-based services such as Brightkite, events, etc).

What this gives Facebook is the ability to gauge what is hot, popular and current in real time. It also gives Facebook historical data to track changing interest and attention over time. There are many uses for this data – including in the financial and trading sector, brand management, competitor analysis, real time consumer attention tracking.

Twitter is also doing this, but they have one dimension of data (text). Facebook has many dimensions of data that can go into their cube, and their sample size is much larger given their 175 million users versus Twitter’s 4–6 million.

I spent a lot of time working with MySpace last year, and one of the things that impressed me the most was their ability to monetize their pages with advertisements – ones that used a combination of technology (for user targeting) and business development (for high-yielding ‘takeover pages’, sponsorships, promo tie-ins, etc). They’re probably the best in the business at it.

However, advertising on its own is a Web 2.0 business model, and while I don’t want to go so far as to say data mining is going to be the Web 3.0 business model, I do think we’re going to see greater use of it moving forward – with industries that can benefit from it becoming a lot more receptive and engaged with the process, in the same way that digital agencies became popular as advertising moved into the online space.

Risks for the ecosystem

The benefit of being ‘open’ and part of the ecosystem is that everyone gets to play and share, and new third-party innovation and businesses can be created with it. While this is true, those third-party participants in the ecosystem need to be careful not to lose sight of their own ability for commercial success. All of these announcements have included new ways to leverage the Facebook APIs to help users shovel more stuff into the Facebook bucket. Those ‘spades’ must be clear about how they will make money, given that they will not have access to the data, or the ability to monetize it, that Facebook will.

I’m not trying to be bearish on the Facebook API or platform – far from it. I merely wish to offer a sense of perspective and to urge developers to consider carefully the business models of everyone within the stack they are participating in. There is opportunity and success in here for everyone, but we must all be cognizant of where it lies and to what extent each level in the stack is able to capitalize upon it.
