Archive for September 2011

Security of Web 2.0

There are quite a lot of white papers about security at the software level. You know, all those situations when an attacker sends some information not in the format expected by the software, and the latter fails; or passes some pieces of code in the registration form in places not intended for that and ends up with that code being executed; or similar issues.

There are far fewer works describing the security of some existing and popular Web 2.0 services (Facebook, Flickr, Google+, Picasa, Xing, LinkedIn, etc.). But at least there are some.

What seems to be absolutely absent are white papers describing the security (and more specifically, the privacy issues) of the Web 2.0 ecosystem as a whole. Meanwhile, the situation there is quite remarkable. Fans of conspiracy theories would immediately assume that the intelligence services of many countries are currently holding their breath observing the rapid and voluntary de-privatization of many netizens, gathering all the information and preventing hackers from publishing their findings. Well, if that were true, you would currently NOT be reading this text, because it wouldn’t have been successfully published. A more rational explanation would be that lazy me just didn’t do any research before writing this blog post and has instead bluntly asserted that there are no white papers on this topic to make his blog post more appealing.

Anyways.

To depict the current status quo, I’m going to show a couple of legal techniques for gathering private information about a person from public sources.


1. Profile Scouting. This is obtaining links to public profiles of a target person in a given Web 2.0 service:
    a) By known real name. Many Web 2.0 services allow (and even encourage) their visitors to search for profiles by real name. This step can be performed either manually for each Web 2.0 service using the corresponding search field, or automatically using pipl.com.
    b) By known username. Some Web 2.0 services display the username publicly, either in the web page itself or at least as part of the public profile URL. So either the public profile URL can be constructed manually and checked to see whether the given Web 2.0 service returns a profile or a 404 page, or some automated service can be used for this task, for example namechk.
    c) By known place of residence, company, school or interests. Many Web 2.0 services allow searching by this kind of metadata; the target person then has to be picked out of the resulting list using some additional information, for example their known appearance (by looking at the profile photo). A variation of this method uses groups or forums: for example, if the target person is interested in some type of dance and some Web 2.0 service offers a corresponding group, it is possible to find them by looking through the members of that group.
    d) By tagging. For example, a group photo on Facebook might be tagged with the corresponding profiles; knowing the appearance of the person of interest, it is possible to obtain their public profile. Another variation of this method is the tagging of Flickr photos, where tags containing person names, cities and event names are used.


2. Profile Mapping. Having a profile in one Web 2.0 service, it is often easy to find profiles of the same person in other Web 2.0 services, for example by searching for the same known real name. Many folks out there use the same username (or the same couple of usernames) across several Web 2.0 services, so their profiles can be mapped that way. The easiest way to map a profile is simply a link: for example, it is possible to enter a link to a Flickr account in a Facebook profile and make it visible to everyone.


3. Social Graph Leveraging. This means analyzing the “friends” of a target profile. This technique takes the following shapes:
    a) Leveraging a Faulty Security Concept. For example, the target person has closed their photos on Facebook to public viewing but opened them to their friends. A friend of the target person has a publicly available timeline and comments on a photo of the target person. Faulty Facebook allows anybody to follow this comment and see the original photo, even though it ought to be visible only “to friends”. I believe Facebook has had this bug at least since I joined it in 2009.
    b) Leveraging Different Privacy Settings. Let’s say the target person has closed their photos to the public, but their friends haven’t. Some friend publishes their own photo showing themselves, but also the target person (perhaps in the background or from behind, but not necessarily so). Another variation of this technique is consuming the publicly available timeline of a friend of the target person, if it is known that they interact closely in real life (for example, study at the same university). By observing the events, lifestyle and mood of the target person’s friend, it is possible to conclude that the target person themselves should also have a comparable mood and lifestyle and perhaps participate in the same events.
    c) Second Level Scouting. Let’s say the target person A doesn’t want to publicly befriend another person B (for whatever reason). But A’s friends C, D and E don’t have this constraint and all have B among their friends. By analysing the common friends of the friends, it is possible to find the missing link. This technique has quite limited usefulness: your typical Facebook profile has 100 to 200 friends, so the total number of friends of friends can be around 10000 in the worst case, which is way too much to be analyzed manually, and I don’t know of any ready-to-use software that would automate such “friends scouting”.

Combining these three techniques sequentially, it is possible to achieve impressive results. For example, it should be possible to start looking up the target person A by searching for their real name and current city on Flickr. With a bit of luck, one could find only a couple of photos, most of them depicting the target person. One could then go to the Flickr profile of these photos’ author, person R, and map their profile to Facebook. On Facebook, with a bit of luck, one would be able not only to read the public timeline and obtain more photos, but also to discover a couple of friends of R living in the same city, for example persons H and D. By mapping H’s profile to spaces.live.com it could be possible to obtain additional photos, and by mapping D’s profile to a Web 2.0 service for travel reports, one could obtain additional information about some events that happened.

I do believe these techniques are quite legal, because they leverage only data made publicly available by the respective owners / copyright holders. If this should be “problematic”, then Google and other spiders should be questioned and investigated even more.

On the other hand, depending on the exact situation and on what exactly the researcher does with the information found, this might be anything from perfectly moral to absolutely cruel. In any case, it is often so that the information flow is not as intended by the target person, and that’s why I think this issue is a security issue and has to be publicly discussed and addressed.

I don’t know of any handy solution for that, besides trying to open my own social profiles to the greatest possible extent. If I cannot prevent this kind of information gathering, at least I want to lead and control it by providing most of the information myself “first hand”, thus minimizing any possible misunderstandings or misinterpretations. But I do see that this approach is not suitable for every kind of situation.

So what do you think about it? I’m kindly asking for your comments.


Mirror’s Edge

I am very picky about art. An artwork must engage me emotionally. I can’t stand these modern kinds of art that only target your intellect but produce no feelings. And a great artwork must fully own me: if it is sad, I must cry; if it is funny, I must laugh so much I can’t breathe; if it is thrilling, I must have cold sweat and trembling hands.

Combining these high expectations with my perfectionist wish to consume only great art, it is no wonder that I rarely enjoy (and go to see) the artworks currently popular in the press. I might find something great once a year, often even more rarely.

When I say art, I mean books, movies, music, pictures, live performances, and any special kinds of modern art. And computer games. Games are mostly sport and hobby, but some of them are also art.

Great art can be “immersed” into, a kind of daydreaming about the virtual world created by the artwork, and this helps one to endure life. Computer games are by design perfect means for such escapism. In fact, reports about WoW show how some specifically designed games can pose a real threat to an ordered and healthy lifestyle. Besides, being a software developer myself, I can see better than many others how games are just meaningless crunchers of tons of bits and bytes.

So, hopefully, you’re impressed enough to hear me calling Mirror’s Edge the great art I have been playing for the last couple of months. At the moment I have finished the full game four times (on easy level, on hard level, without killing anyone, and killing everyone), and also qualified in all speed runs and earned a three-star rating on each time trial.

Yes, this took a lot of time – time I’d rather have invested in more reasonable things. But maybe it has saved me from cracking up? And anyway, this wasn’t something I could control. And it still isn’t. I’m already waiting for the second game, which, unfortunately, seems to be delayed for an unspecified time. And I’m extremely envious of the game’s creators; it was a once-in-a-lifetime experience for them, and I also hope to become as professionally successful in my career.

If you don’t plan to play this game, this video will give you some impression of it. If you do plan to play, look at the following.

This Week in Twitter

  • I liked a @YouTube video http://t.co/gKZi72O 王菲 — 假如我是真的 #
  • Holding my breath, this can be based on smalltalk RT Google to launch Dart: new language to replace JavaScript http://t.co/q0yAYnU #
  • Microsoft seems to have implemented my internal optimistic scenario and added more. Will download win8 tomorrow. #bldwin #
  • First reactions are so euphoric it looks like a bug shift. Will watch videos and look at those ultrabooks to make my own opinion #bldwin #
  • Join the campaign “WinXP must die”, similar to anti-IE6, and write more non-XP-compatible software! Together we can win over IT departments! #
  • Rest, or practice? ? #
  • nay, that was the pessimistic scenario RT @BuildWindows8: More on metro style browsing..plug-in free browsing. http://t.co/hyS3hgSh #
  • Deutsche Telekom has cached the Win8 ISO locally and is now gifting me a download speed of around 90 Mbps. #
  • WHO CARES? RT @TechCrunch: Did Case-Mate Just Leak The iPhone 5? http://t.co/oNRX8lgl #

Powered by Twitter Tools

This Week in Twitter

  • Altruism and self-interest differ by only one Chinese character. #
  • Just saw a pregnant accompanied by two small children, using subway at 5pm on Friday. Impossible in London or any other bigger city. #
  • @bobuk what’s wrong with the standard Share from Gallery, or is that only on HTC? #
  • @bobuk then google+ :) #


This Week in Twitter

  • Nice typology: http://t.co/ceD1yot #
  • @PatrickMoorhead If the rumored TV set from Apple will have the same content as the iPad, it will be hardly relevant anywhere except US #
  • A very interesting development: the new Explorer showcases a UI equally well usable for touch and mouse @BuildWindows8 http://t.co/w3sshXM #
  • also had the impression that Samsungs are pretty slow. Restart takes 30 seconds! RT @HolgerSchmidt: Smart TV http://t.co/DmIXf6S #
  • RT @XaocCPS nice RT @wmpoweruser: Delta Airlines releases a Windows Phone 7 app http://t.co/ANPXu3u #
  • Positive dynamic in worker exposure doses at Fukushima: http://t.co/Dsi8dZC #
  • Other nations would leave their contaminated property around Fukushima forever, just in case. Not Japanese. They stay and plant sunflowers. #
  • Sunflowers extract from soil isotopes and accumulate them in roots and leaves. Japanese scientists also developing other cleanup tech. #
