Older blog entries for pjf (starting at number 593)

New Facebook Privacy and You
Facebook are in the process of changing how their privacy settings work, and today, I was given the option to migrate my account over to the new scheme. These were announced on the facebook blog about a week ago, and sounded quite promising. Unfortunately, I actually feel creeped out by the new system.

I'm going to start with the good thing. Yes, that's right, there's only a single good thing about the change that I've found. When making status updates, one now has fine-grained control over who sees them. I can have a status update that's only seen by my family, or only seen by my friends who like to dress as pirates, or by everyone except my friends in Sydney. This is something that a lot of people have been asking for, and it's great to see it implemented.

Unfortunately, the rest sucks.

I've done some blogging about Facebook privacy in the past, as well as a conference presentation and radio interview. In all cases, I've recommended using the (difficult to find, but incredibly valuable) button marked Do not share any information about me via the Facebook API. When ticked, that would block almost all the information I could gain about a user with my tools, which try to squeeze as much information from the Facebook API as possible. Admittedly, there were some leakages, but not many.

That setting is now gone. All the applications, installed by all your friends, now have access to your "publicly available information", and there's not a damn thing you can do about it.

Publicly available information includes Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. What's more disturbing for me is that the new Applications and websites settings don't provide a control for sharing of events. In fact, some of the volunteers for my privacy study have gone from me not being able to see anything about them, to me being able to see their past, current, and future events! That disturbs me, not least because I want to control who can see which events I've attended.

The other thing to dwell on here is that pages are now publicly accessible. Pages are things that you can fan, such as companies, bands, newsletters, or even privacy researchers. To be honest, these were creepy to begin with, because the owner of a page could access all sorts of bulk demographic data about their fans, and even export it for processing with other tools. But now, the list of pages you've fanned is public.

Public information in Facebook is available to everyone, even users who haven't logged in, and to third party applications and websites. That's bad. You may have fanned pages that relate to controversial beliefs or sexual preferences. You probably don't want a potential employer to be able to see these, but now there's nothing you can do about this either, except for un-fanning those pages. I recommend you do this now.

Also conspicuously missing is the ability to control what goes onto the recent activity section of your Wall. I'm looking at one of my volunteers now who previously never had their like events posted to their wall, and it's now covered with them. This gives me a wealth of information about who they're interacting with, which in turn is very useful if I'm planning to do any social engineering.

In fact, it even links to events and posts that my friends like, but that I can't see. I can even extract Facebook IDs (fbids) of the target posts. While this doesn't in itself let me access the information directly, I can certainly tell when two of my friends are liking the same post. Based upon what I know about my friends, I may be able to infer more than that, or ask one friend what another friend has just "liked".

You can remove recent activity from your wall, but you have to do it manually by finding the event you want deleted, and selecting the 'Remove' option that appears when you hover to the right of it. Joining groups also results in recent activity (without the option of turning it off), and there's a chance that other events may appear there as well.

In fact, talking of groups, I can't find any privacy controls for them either. For some of my friends, they're visible. For some of my friends (and apparently for myself), they're not. At the very least this is confusing, and it may simply represent different friends being at different stages of the privacy migration. Group information gets leaked all over the place anyway (recent events, groups recently joined, and publicly visible group lists), so however this is being controlled, I can probably find out which groups you're a member of regardless.

What I find most disturbing of all is that my friends list has gone from completely private to completely public. While I've found the control that allows me to no longer display my friends on my profile, since they're now "publicly available information", they're still accessible by other means. I actually consider my list of friends to be very private; and I'm not at all happy that's changed.

Oh, and for those who remember me talking about dark stalking to infer the existence of other users who had otherwise completely hidden themselves from view? Well, it's not that big an issue anymore, since I can now directly navigate to their pages (from their UIDs that I'd found previously), and see their "publicly available information". Good work in protecting their privacy, Facebook, good work...

Recommendations
So, you might be wondering what I recommend? Well, to begin with, make sure that you're happy with your new "publicly accessible information" really being public. If you don't want your grandparent, work colleague, potential employer, stalker, dog, guild, or whoever else seeing your Name, Profile Picture, Gender, Current City, Networks, Friends, or Pages, then change or remove them now. They're available to everyone, including unauthenticated users, "facebook-enhanced applications and websites", and via the API.

Go to your profile page. Scroll down until you see Recent Activity. Anything you don't want to see there, delete it now. Any time you join a group, or like an event, or fan a page, or change your relationship status, or sneeze, go back to Recent Activity and check if you're happy with that being broadcast.

Go through all the new privacy settings, and think about each one. Some of them may not have even been mentioned in the migration tool. My date of birth had unexpectedly gone from being completely private to completely public.

Stay informed. If you want updates from me, then join my privacy study or subscribe to the relevant google group. Make sure you fan the Facebook Site Governance page, since that's where many updates are posted, and is a hub for user feedback. If you want another perspective on the changes, the Electronic Frontier Foundation have also posted their analysis of the changes.

Finally, be aware this is not the first time a major website has changed their privacy policy, and it certainly won't be the last. If you really want something to remain private, you might want to avoid putting it on-line in the first place.

Perl 5.11.1
I've been behind in my blogging; time seems to fly when one is having fun, and I've been having a pretty good time recently. Most of it's involved working with people and science, rather than technology. After I finish my taxes (not yet overdue), this may change.

In the meantime, I can't go without mentioning that Perl 5.11.1 has been released. This isn't a stable version of Perl, but it's a point release on the way toward 5.12.0. I'm quite excited about 5.12.0 for many reasons I'll go into later, but they all involve modernisation of the language.

Of note in 5.11.1 (and hence 5.12.0) is that deprecation warnings are turned on by default. This isn't scary; it means that if you've got old code that's going to break in the future, then Perl will start warning you about that well in advance.

Also of note is a minor point, and that's the ability to include version numbers in package declarations. One can now write package Foo::Bar 1.23, rather than having to do cumbersome things with the $VERSION package variable.

Teaching Perl in Sydney
I've just spent the week teaching Perl in Sydney. It was good. Actually, it was really good. My class were close in ability, asked intelligent questions, thought through problems, asked for assistance when needed, quizzed me about advanced topics during the breaks, and generally showed themselves to be awesome. It felt just like the good ol' days.

Fun with QR Codes and Perl
Short blog today, but cool tech. I've been playing around with 2D barcodes recently, and have just pushed a Perl Tip on generating QR Codes with Perl. Given how incredibly easy this is, I'm tempted to generate huge numbers of these and go sticking them around town for my own nefarious purposes. ;)

29 Sep 2009 (updated 29 Sep 2009 at 15:03 UTC)

Today I broke a world record, and got on TV

Achievements for today:

Perl for Android

I have an Android phone. I love it. After scanning a barcode it now runs Perl. Sure, the example Hello World program dies with an error, but there's already a patch to fix that.

This is a massively exciting achievement for me, and is even better for it having taken all of ninety seconds. It's now tantalisingly easy to do some pretty amazing things from my phone. I don't think I'm going to be short of a project any time soon.

Talk like a Pirate Day
This Saturday was International Talk Like a Pirate Day, as well as Software Freedom Day. This year I sided with the pirates, donned a particularly swashbuckling outfit, and joined about 150 other pirates to march through Melbourne, fight off ninjas, and sing the only sea-shanty known by every member of our scurvy crew.

Afterwards, there was the world's best pirate cake, crafted by jarich.

I have some pictures of the day and the party, including the Jolly Tux. For those people on Facebook, there's a lot of photos on-line.

What's new in Perl 5.10.1
For those who missed it, Perl Training Australia has a new Perl Tip on What's New in Perl 5.10.1.

Rocking out at MXUG
For a while, Melbourne has been running MXUG, the Melbourne X Users Group, where X is a technology you're interested in. It has a nice format: 15 minute talks, timed, with five minutes for questions. Then beer, pizza, lightning talks, and a trip down to the pub.

Despite me apparently living in Melbourne, I've never attended a MXUG meeting, but I'd been hearing good reports about them. Apparently one can become a speaker just by adding themselves to the speakers list (which is editable by members), and so I aggressively volunteered to give my (still formative) talk on facebook privacy.

The talk went really well. The audience was warm, interactive, and laughed at all my jokes, even the really lame ones. Since I judge my self-worth on the size and enthusiasm of my audience, I decided that I really liked MXUG. Normally, that would be enough for me to call the night a success.

However, enough people asked me about how I used my wiimote as a presentation device that I volunteered for one of the five minute lightning talks. I had no slides. I did no preparation. I spent all the time I'd normally be working on my talk eating pizza, drinking beer, and talking to MXUG members.

So I was especially happy when I showed off how to use Xwii to enable a tilt mouse, and as a presentation device. I then showed off how I could use the wiimote to control my music player, and sang a few bars of "I've Got a Feeling" from Buffy on stage. That would normally be enough to count the night as doubly-awesome, but oh no! It gets better.

My last Xwii profile showed how I can hook into a Guitar Hero controller, "but I don't have one of those here, so I can't show you". Sure enough, someone produces a guitar out of nowhere. A few seconds to pair it with my machine, a few more seconds to start up Frets on Fire, and I am rocking out on stage in front of a cheering crowd of 50 people.

I then got to sit back down in the audience, and read about my exploits on twitter. ;)

That, ladies and gentlemen, was my thrice-awesome night at MXUG.

Facebook Privacy talk at BarCampMelbourne
This weekend at BarCampMelbourne I gave a talk on Facebook privacy, and what information I was able to extract from the API using some reasonably simple Perl programs. Due to the incredibly fast efforts of Avi Miller, this talk is now available on-line. If you're reading this on my main blog, then you can also watch it below:

[Embedded video of the talk: http://blip.tv/play/AYGgggoC]

You can also watch the talk on the BarCampMelbourne channel on blip.tv.

As mentioned at the end of my talk, you can be kept up-to-date on my research by joining my facebook study privacy group, or the google group, as well as my blog.

Dark Stalking on Facebook
For a while I've been using Facebook's API and Facebook Query Language (FQL) via Perl's WWW::Facebook::API module to run fairly innocent queries on my friends. If I visit a town, I'd like a reminder of who lives there. If I want to go rock-climbing, it helps if I can easily search to see which of my friends share that hobby. This is good, innocent stuff, and makes me glad to be a developer.

Last week I decided to play with event searches. If a large number of my friends are attending an event, there's a good chance I'll find it interesting, and I'd like to know about it. FQL makes this sort of thing really easy; in fact, finding all your friends' events is on their Sample FQL Queries page.

Using the example provided by Facebook, I dropped the query into my sandbox, and looked at the results which came back. The results were disturbing. I didn't just get back future events my friends were attending. I got everything they had been invited to: past and present, attending or not.

I didn't sleep well that night. I didn't expect Facebook to share past event info. I didn't expect it to share info when people had declined those events. I haven't found any way of retrieving friends' past events using Facebook's website, but using FQL made it easy. Somehow, implicitly, I thought old events would fade away, only viewable to those who already knew about them. I didn't expect them to stick around for my code to harvest, potentially years into the future.

Finding my friends' old events crossed a moral boundary I honestly didn't expect to encounter. Without intending, I really felt like I was snooping. It didn't matter that these friends had agreed to share this information under the Facebook terms and conditions. I would personally feel uncomfortable with this much information being so readily available, and assume my friends would feel the same.

However, my accidental crossing of moral boundaries wasn't the only thing that kept me awake last night. I was also kept awake by wondering just how much information I could tease out of the Facebook API. What could I discover? What if I were evil?

However, I'm not evil, so I put my code on hold for a while and made a call for volunteers. I'd be restricting myself to just using the Facebook API, without them installing any additional applications. I wouldn't share their data in any way, but I'd be able to inspect and use it, and would try to provide them with a copy when I was done. To be honest, I was surprised by the response; I now have almost two dozen people who have agreed to participate, covering a wide range of lifestyles and privacy settings.

The results have been very interesting. I expected to be able to obtain personal information, including things like events, photographs, and friends; it doesn't take much imagination with the FQL tables to find those. What was most interesting are some of the more creative queries I was able to run.

Most recently, I've been able to obtain status feeds, even for users who have very tight privacy settings, although I had to tweak my own application's privileges to do so. I don't know how far into the past these go, but they also come with likes information, and comments. This gives me a wealth of information on the strength and types of relationships people have. A person who comments a lot on another user's posts probably finds that user interesting. If I descended into keyword and text analysis, I may even be able to determine how they find that user interesting.

But by far the most interesting part of all of this have been dark users. Like dark matter, these users are not directly observable, usually because they've completely disabled API access. In fact, some of these users are completely dark unless you're a friend. They don't show up in search results. They don't show up on friends' lists. You can't send them messages. If you try to navigate to their user page (assuming you know it exists), you get redirected back to your homepage. These users have their privacy settings turned up real high, and are supposed to be hard to find.

However like dark matter, dark users are observable due to their effects on the rest of the universe. If a dark user comments on a stream entry, I can see that comment. More importantly, I can see their user-ID, and I can generate a URL to a page that will contain their name. I can then watch for their activities elsewhere. Granted, I can't directly search for their activity, but I can observe their effects on my friends. For want of a better term, I've been calling this "dark stalking".

What makes this all rather chilling is that I'm doing all of this via the application API. If your friend has installed an application, then it can access quite a lot of information about you, unless you turn it off. If your friend has granted the application the read_stream privilege, then it can read your status stream. Even if a friend of a friend has done this, and you comment on your friend's status entries, it's possible to infer your existence and retrieve those discussions through dark stalking.

While I've always considered people's own carelessness to be the biggest threat to their own privacy, in the social 2.0 world it seems we need to be increasingly worried about our friends, too!

I'm preparing a detailed paper with the results of my research (which is still ongoing), but I will be presenting my preliminary findings at BarCampMelbourne, this weekend (11-12th September 2009), with a further update at the University of Tasmania Computing Society (TUCS) on the 2nd October. A conference talk will invariably follow.

If you want to keep track of my research, then you can join the facebook group, or the facebook privacy group. I prefer comments and questions to go to the facebook privacy group, or directly to me.

BarCampMelbourne and Social 2.0
In a week's time I'll be attending BarCampMelbourne. Registrations close on September 7th, so if you want to attend, now's the time to register.

Now, BarCamps are pretty cool, but I'm particularly excited about this one because I'm going to be doing a talk on something I've been playing with for a while, which is having an Augmented Social Life, or just Social 2.0.

In the last few years, social networks have flourished, and an unprecedented amount of private data is available on-line. I'll be demonstrating how to use modern social networks to improve your social life. That includes techniques on turning Facebook into beer.

However, what I find most fascinating is the privacy standpoint. Whenever I find a social network, I go looking for an API, and some APIs are more revealing than others. In particular, Facebook provides Facebook Query Language (FQL), which allows for some incredibly powerful queries. What makes it particularly scary is that with the default privacy settings, one can mine a huge amount of private information by having a friend who has installed an ethically bankrupt application.

I'll be giving some rather real-world examples of using and abusing facebook. Some are good, like reminding you which friends are in a city you're visiting, or which friends share a particular hobby. However many are more scary. I can demonstrate how to find people you've met at events, based purely on their first name. How to look into other people's past, and see what they were doing years ago. How to find out what applications your friends have installed.

Of course, I'll be doing all my examples in Perl, many using the excellent WWW::Facebook::API module.
