
Is Facebook Testing Popups?


Today I was visiting a friend’s Facebook Group, when out of nowhere a popup appeared, asking me to take a survey. Being on a Mac, I’m pretty sure it wasn’t spyware or a virus. I checked the other sites I was on and none seemed to be the type to do this, and Facebook was the last site I had any activity on. The ad popped up right as I entered the particular Facebook group. I’ve contacted Facebook and am awaiting clarification on this. Is Facebook testing popups amongst its users? Could this be from one of their ad partners? Has anyone else seen this? Here’s the ad:
(screenshot: Facebook Popups)

The First Twitter Worm Surfaces - Plain Passwords to Blame?

Back in March, I reported the occurrence of a new worm on Facebook, which surfaced due to a phishing scam and took over users’ profiles. It would appear that a similar scam is surfacing on Twitter as we speak. The scam comes in the form of a direct message to a user’s followers, stating “hey! check out this funny blog about you…”, followed by a URL. When you click on the URL it takes you to a phished version of Twitter, looking exactly like the original Twitter site, which collects your username and password. I’ve received about 5 of these just in the past hour, so it is spreading rampantly. Twitter just reported the incident here.

Asking those that have sent the message, it would appear most of them filled out the form thinking they were logging into Twitter, so it is most likely one person that sent such a message to all their followers, starting the domino effect of spam and password collection. This raises the question, though, which I’ve brought up multiple times in the forums and Chris Messina blogged about today, of the urgency of Twitter requiring OAuth or similar key-based authentication in the API. It would only take an application similar to Twtply, full of usernames and passwords, being sold to a spammer to set off such a worm. Essentially, any application which collects your username and password right now has the potential to turn its users into Twitter zombie accounts, similar to the worm spreading currently: spreading false information, collecting bank account information, or you name the possibility.

I hope Twitter has this as their number one priority currently - stopping this worm is important, but implementing some sort of key-based authentication such as OAuth should be the next thing on Twitter’s mind, and in my opinion, that should occur even before the new API push they are getting ready to launch.  Twitter - it sounds like you need a patch applied to your service!
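The difference the post is asking for, between an app holding the user’s password and an app holding a per-application credential the user can revoke, is easy to show in a few dozen lines. The following is an added illustration, not code from the post, from Twitter or from any real OAuth library: a toy service whose API accepts only tokens it issued itself, so that a leaked or sold token store can be cut off for one app while the password and the user’s other apps are untouched. Names such as ApiServer, reader-app and sold-app are made up for the example.

```python
import hashlib
import secrets


class ApiServer:
    """Toy service that issues per-application, revocable access tokens so that
    third-party apps never hold the user's password (constructed example)."""

    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 hash of password)
        self.tokens = {}   # token -> (username, app_name)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def _check_password(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, digest)

    def authorize_app(self, username, password, app_name):
        """The user logs in at the service itself and approves the app; the app
        only ever receives the token, never the password."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, app_name)
        return token

    def revoke_app(self, username, app_name):
        """Invalidate every token this app holds for the user; other apps keep working."""
        doomed = [t for t, (u, a) in self.tokens.items() if u == username and a == app_name]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def post_update(self, token, text):
        """The only way to post: present a token the service issued and has not revoked."""
        if token not in self.tokens:
            raise PermissionError("token unknown or revoked")
        username, app_name = self.tokens[token]
        return {"user": username, "via": app_name, "text": text}


def demo_leak_containment():
    """Walk through the scenario in the post: one app's credential store leaks,
    the user revokes that app, and the user's other app keeps working."""
    srv = ApiServer()
    srv.register_user("alice", "correct horse battery staple")
    token_reader = srv.authorize_app("alice", "correct horse battery staple", "reader-app")
    token_sold = srv.authorize_app("alice", "correct horse battery staple", "sold-app")

    # Whoever obtained sold-app's token store can post as alice ...
    spam = srv.post_update(token_sold, "hey! check out this funny blog about you...")
    # ... until alice revokes that one app. Her password never left the service.
    revoked = srv.revoke_app("alice", "sold-app")
    try:
        srv.post_update(token_sold, "more spam")
        blocked = False
    except PermissionError:
        blocked = True
    other = srv.post_update(token_reader, "still here")
    return {
        "spam_posted_via": spam["via"],
        "tokens_revoked": revoked,
        "blocked_after_revoke": blocked,
        "other_app_still_works": other["via"] == "reader-app",
    }


if __name__ == "__main__":
    print(demo_leak_containment())
```

With password-based API access there is no equivalent of revoke_app: the only remedy is a password change, which breaks every app at once, and until the user does that the buyer of the leaked store has the same rights as the user.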

Could Pandora be Leaking User E-mail Addresses to 3rd Parties?

UPDATE: See the comments below. Pandora’s CTO responded with the following explanation. While I haven’t shared much, I can see it being a spyware issue where someone I’ve shared with has spyware on their computer - he has a good point.

“Hi there, I’m the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

We do however hear of cases like this a couple of times a year and I’ve worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you’ve ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it’s likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there’s spyware on your machine that’s another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you’re using is pandora@stayinalive.com it’s possible that some spammer was just iterating on dictionary words against your mail system.

It’s a terrible situation that we live in an environment where it’s nearly impossible to keep our personal email addresses out of the hands of spammers.

Feel free to write any time, with any concern. Predictably I’m tom-at-pandora.”


Could Pandora be giving out or selling their users’ e-mails? They say they don’t, but I got a disturbing e-mail yesterday that I’m still trying to figure out. When I sign up for services, I usually sign up with the e-mail address servicename@staynalive.com so that I can detect where my spam is coming from. Yesterday, I received a weird piece of spam from “news21.tv” in what I believe to be French. The subject states, “News21.tv des vidéos pour les Expatriés, DRH, Exportateurs… A découvrir”. What caught my attention though, is that it was sent to “pandora@staynalive.com”.

There’s only one site I ever gave that e-mail address to, and that’s Pandora. Could Pandora be selling e-mail addresses to spammers? Could there be a leak at Pandora, where my e-mail address somehow accidentally got out to spammers? Or is this just a fluke where some spammer decided to randomly send e-mail to pandora@domainname.com where domainname.com is all wildcard e-mail addresses they’re aware of? I can’t tell, but it’s troubling - I’ve never had a spammer actually use an e-mail address for a service I actually belong to. This makes me wonder if it actually is an issue at Pandora.
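The per-service address trick above is worth automating, because the three explanations listed (a sale, a leak, or a blind guess at pandora@domain) can be partly separated by the shape of the tag itself. The script below is an added example, not something from the post or from Pandora: it reads the recipients of a mail, looks each tagged local part up in a small constructed registry of which service it was given to, and notes whether the tag is also a plain dictionary word. A tag that is a dictionary word (pandora) cannot distinguish a leak from a guess; a tag with a random suffix (the made-up pandora-7q2x) can, because nobody iterating words would hit it. The registry, word list and sample messages are all constructed.

```python
import email
import email.utils
from email import policy

# Constructed registry: which service each tagged local part was given to.
OWN_DOMAIN = "staynalive.com"
SERVICE_TAGS = {
    "pandora": "Pandora",        # bare tag, also an ordinary word
    "pandora-7q2x": "Pandora",   # tag with a random suffix (hypothetical)
    "facebook": "Facebook",
}

# Small constructed stand-in for the word list a spammer would iterate over.
COMMON_WORDS = {"info", "sales", "admin", "contact", "support", "pandora", "news"}

VERDICT_GUESS = "tag is a dictionary word: leak or blind guess, cannot tell"
VERDICT_LEAK = "tag is not guessable: the address escaped from the service it was given to, or from a mailbox that received it"
VERDICT_UNKNOWN = "no tag registered: catch-all hit"


def classify_recipients(raw_message):
    """For every recipient at our own domain, report which service the tag belongs to
    and whether a spammer could have produced it without ever seeing it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    headers = [str(v) for name in ("To", "Cc") for v in msg.get_all(name, [])]
    results = []
    for _, addr in email.utils.getaddresses(headers):
        local, _, domain = addr.lower().partition("@")
        if domain != OWN_DOMAIN:
            continue  # not one of our tagged addresses
        service = SERVICE_TAGS.get(local)
        guessable = local in COMMON_WORDS
        if service is None:
            verdict = VERDICT_UNKNOWN
        elif guessable:
            verdict = VERDICT_GUESS
        else:
            verdict = VERDICT_LEAK
        results.append({"address": addr, "service": service,
                        "dictionary_word": guessable, "verdict": verdict})
    return results


# Constructed sample messages (headers kept ASCII for simplicity).
RAW_BARE_TAG = """From: News21.tv <newsletter@news21.example>
To: pandora@staynalive.com
Subject: des videos pour les Expatries

Bonjour
"""

RAW_SUFFIXED_TAG = """From: Someone <x@spam.example>
To: other@elsewhere.example, Jesse <pandora-7q2x@staynalive.com>
Subject: hello

hi
"""

if __name__ == "__main__":
    for raw in (RAW_BARE_TAG, RAW_SUFFIXED_TAG):
        for r in classify_recipients(raw):
            print(r["address"], "->", r["service"], "|", r["verdict"])
```

Even the non-guessable verdict does not prove the service sold the address: as the CTO’s reply above points out, any mailbox that ever received the address (a friend you shared a station with, your own welcome mail) is also a place it can escape from. The tag only tells you which relationship to start tracing.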

I mentioned this on FriendFeed, and a Pandora rep actually did respond (Does your company track FriendFeed?). Here was the thread:

Me: “wtf??? I’m getting Spam and it’s to my Pandora address. Did Pandora sell my e-mail address? NOT HAPPY”
Pandora Radio: “Hi Jesse - We *definitely* never sell or give away listeners’ email addresses. Feel free to email support@pandora.com if you’d like. - Lucia, from Pandora”

I want to believe Pandora. They seem like a pretty ethical company, and have supported some good causes in the past. It makes me wonder however if somehow, some e-mail addresses got out of their system that they weren’t aware of. Perhaps my e-mail address is on a public profile somewhere on Pandora’s website? Has anyone else experienced this, and do you have any ideas how this could be happening? The text of the e-mail can be found here.

Facebook Puts on Its Chain Mail

With all the recent talk of spam and viruses lately it appears Facebook has truly hit mainstream. You know when the spammers have hit there is truly value in a service. Today I noticed a new trend on Facebook, previously only known to the likes of Snail Mail and E-mail itself, the chain letter. It wasn’t in the form of an application or even a bot of some sort as you would expect on the service. Surprisingly, it was hand-written by who-knows-who and had somehow made it around to my wife’s cousin, who sent it to me. Subsequently, several of my other friends seem to have got it, because I received it from a few others as well.

The letter goes like this:

“Subject: ATTENTION ALL FACEBOOK MEMBERS (August 20 at 8:13pm) Attention all Facebook members. Facebook is recently becoming very overpopulated, There have been many members complaining that Facebook is becoming very slow. Record shows that the reason is that there are too many non-active Facebook members And on the other side too many new Facebook members. We will be sending this messages around to see if the Members are active or not, If you’re active please send to 15 other users using Copy+Paste to show that you are active Those who do not send this message within 2 weeks, The user will be deleted without hesitation to create more space, If Facebook is still overpopulated we kindly ask for donations but until then send this message to all your friends and make sure you send this message to show me that your active and not deleted. Founder of Facebook Mark Zuckerber”

It is sent via the traditional Facebook mail, to which the API has no access. I asked my wife’s cousin if they sent it, and indeed, they actually did forward it to 15 of their friends as the e-mail directs. Therefore it appears this one, amazingly, is being spread manually, from person to person on Facebook.

Now, I’m probably preaching to the choir here on my blog, as I sincerely hope none of you would fall for this. Typically, anything that says “forward to x number of your friends” is not for real and you should report it or mark it as spam immediately. “Mark Zuckerber” is not going to know you forwarded it to all your friends, and Facebook is not tracking this mail in any way. Your account will not be deleted.

This seems to go back to the days of the Microsoft lottery e-mail hoax that basically said if you forward to all (or any number of) your friends, you get entered for the chance to win a million dollars (or similar amount of money). Supposedly in this e-mail Bill Gates was able to track the e-mails you sent and they were using this to track the number of e-mails that went out.

This does raise the question though - how do normal users of Facebook know with 100% certainty that a message comes directly from Facebook, if Facebook ever needs to send something to their users? Is there an “official” method for distributing such messages? Thus far I’m only aware of various blogs on the Facebook site to announce this information.

Now, when people compare Mark Zuckerberg to Bill Gates, I’m not quite sure this is the way he wants to be portrayed. In such a controlled environment as Facebook, do messages like this have any excuse?

Have you seen anything similar? Share your stories here. You’ll find me on Facebook at http://jessestay.socialtoo.com.

Secret Crush Worm Resurfaces

TechCrunch and several other publications recently blogged about new worms surfacing that target Facebook through various means. Some are sent via e-mail with links to malicious videos, while others link directly to phishing sites that look just like Facebook and take the username and password of those thinking they are logging into Facebook. I’ve noticed the recent come-back of one I blogged about 5 months ago called the “Secret Crush” worm - I’ve received 3 wall posts just today from this, along with one or two from the recently announced phishing worms. I can’t help but wonder if the two are related.

The “Secret Crush” worm seems to log into unsuspecting users’ accounts, send wall posts to their friends, and sometimes, as was the case with my Aunt 5 months ago, change the user’s status as well. All posts seem to link back to a blogspot-hosted site that tries to get more information from the user to find out who their “secret crush” is. Google seems to be removing these almost as fast as they are being put up though.

In the case of all the recent worms, it goes without saying that having a strong password is very important - if you have been hit by any of these worms, change your password and notify Facebook, immediately! In addition, the following pointers should help prevent you from being infected:

Make sure your password is strong!

As mentioned, always make sure your password is strong, and don’t use the same password on Facebook and other Social Networks as you do elsewhere on the internet. This will prevent you from having more than just your social identity stolen.

Never, ever, click on links in e-mails, even from Facebook, unless you’re 100% sure where they are going to.

Don’t just look at the web address you see in the e-mail, but rather mouse-over the link and see where your browser says it’s going to go to. Even then, when in doubt, copy the url and paste it into your browser - if your e-mail client supports javascript for some reason it can still deceive you.

Always be sure you’re on the site you’re supposed to be on before you enter your log in information after clicking on a link from an e-mail.

This is how many of these worms get you - they link to a site that looks and feels like Facebook (or other site), but instead have linked you to something like Faceinbook.com that is collecting your information. Once they have access to that they have access to everything in your Facebook profile.
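The two checks in the pointers above (does the link really go where its text says, and is the host a lookalike of the site you expect) can be run over an HTML mail body by a script instead of by eye. What follows is an added example, not code from the post or from Facebook: it pulls every anchor out of a constructed sample body, compares the host named in the visible text with the host the href actually points to, and flags any host label within two edits of the brand name whose registered domain is not the brand’s own. The allow-list, the brand name and the sample links (including the Faceinbook-style host) are constructed for the example; the registered-domain helper is deliberately naive and a real tool would consult the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the hosts a mail from Facebook would legitimately link to.
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}
BRAND = "facebook"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    # Naive: last two labels. A production check would consult the public suffix list.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character brand imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_links(html_body):
    """Return one verdict per link: 'ok', 'unfamiliar host' or 'suspicious' with reasons."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if urlparse(href).scheme not in ("http", "https"):
            reasons.append("non-web scheme")
        # Rule 1: the text shown to the reader names a different host than the real target.
        if "." in text and not any(c.isspace() for c in text):
            shown = host_of(text)
            if shown and shown != host:
                reasons.append(f"display text shows {shown} but link goes to {host}")
        # Rule 2: a label imitates the brand but the registered domain is not the brand's.
        if registered_domain(host) != BRAND + ".com":
            if any(edit_distance(label, BRAND) <= 2 for label in host.split(".")):
                reasons.append(f"lookalike of {BRAND} in host {host}")
        if reasons:
            verdict = "suspicious"
        elif host in TRUSTED_HOSTS:
            verdict = "ok"
        else:
            verdict = "unfamiliar host"
        report.append({"href": href, "text": text, "verdict": verdict, "reasons": reasons})
    return report


# Constructed sample mail body with one honest link and two deceptive ones.
SAMPLE_HTML = """<p>Constructed sample mail body</p>
<a href="https://www.facebook.com/groups/example">Group page</a>
<a href="http://facebook.com.login-example.invalid/">http://www.facebook.com/</a>
<a href="http://faceinbook.com/login">Log in to Facebook</a>
"""

if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        print(entry["verdict"], entry["href"], entry["reasons"])
```

The second sample link is the case the pointer warns about: the text a reader sees is a real Facebook URL, but the href leads to a host whose registered domain is something else entirely, which only the href (or the mouse-over status bar) reveals. The third shows why a plain substring match is not enough: faceinbook does not contain facebook, so the edit-distance check is what catches it.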

Make sure you have anti-spyware and anti-virus software installed!

Facebook users are not immune to spyware and viruses. There is actually a well-known spyware application called “Secret Crush”, and it is very likely the two are related. If you are infected with spyware or a virus, there is an easy opportunity for these apps to steal your login information as you log into these sites.

Just as with your PC, it is your responsibility to ensure yourself, your computer, and now with social networks, your friends, are protected from viruses, spam, and spyware. You now have a social responsibility to ensure this doesn’t get spread to your friends on these networks.

Have you been infected? What is it that you think caused the infection? Please share with us in the comments below and on FriendFeed.

The iPhone Needs Privacy Controls

The iPhone seems to have created a huge security and privacy problem recently that I think many more people should be watching. By launching a developer platform and SDK, Apple has essentially created one of the largest social network platforms in existence, bringing even more powerful and personal data than ever before to the developer. Apple is essentially enabling the developers themselves to create the iPhone social network with almost no power whatsoever given to the iPhone user on how to enable or disable that data.

I became acutely aware of what a huge issue this is when I, like many other iPhone early adopters, downloaded the Loopt application from the iTunes App Store and signed up for their service over my iPhone. Before I knew it, I realized I had just SMS’d about half of the contacts on my iPhone, including important business contacts and others that I would rather not have an application have access to. I couldn’t necessarily SMS them an apology, as that would just add to the issue I had just created. In fact, my Mom, who doesn’t have an SMS plan on her cell phone, called me later that day to ask that I not send SMS text messages to her cell phone, when in reality I had no idea one had been sent to her! Loopt had assumed it would be okay to let their users send their friends SMS messages inviting them to Loopt (in a very ambiguous manner); after mass complaint, Loopt quickly retracted from their efforts.

I argue this wasn’t Loopt’s fault though. Of course, Loopt does have some responsibility to satisfy their users, but despite having to apply to be in Apple’s directory, there is nothing stopping them from being malicious with the way they are handling the data on your iPhone. I know Loopt had no ill intentions, but this could have been any App out there with ill, or even not-so-ill intentions. Apple has no privacy controls on the iPhone giving the user control over what Applications can and can’t access, and as we’ve seen already, this is coming back to haunt them.

The iPhone has some very powerful features, accessible via the API, that make it an extremely valuable and unprecedented Social Networking tool. I’ll list those here:

Location, Location, Location - the Profile

First of all, the iPhone has access to your location and where you’ve been, which, I argue, is much more valuable information than any other Social Network profile in existence can provide about an individual user. The iPhone makes the people in the “Social Network” real.

The Contact List - your Friends

The iPhone has one of the most realistic contact/friend lists available in existence. The iPhone contact list contains information about people you actually talk to and interact with in real life. It also imports your other contact lists from other locations such as Gmail. No other Social Network in history has that type of completely real information about those you truly interact with on a daily basis.

Multimedia - the big picture

The iPhone has the most up-to-date photos, audio, and other multimedia in existence. Think about it — every social network you belong to currently probably has photos that originated from your iPhone or other camera. They are on your iPhone before they are on the Social Network. The iPhone also has real-time listening habits of users, along with your mail, your internet history, your stocks, the weather in your location — I could keep going on and on!

As you can see, the iPhone provides an extremely rich set of data integration points which any Application can take right now, and use as they please, and the user has absolutely no control over it (minus one prompt if the application is trying to get your location data). This is actually quite scary if you think about it!

Apple really needs to take a lesson from Facebook on this. One of my favorite features of Facebook is the fact that I can click on a single link and control all the information I save on Facebook right then and there. As a user, I can feel comfortable that no application I install will share my information in any way I don’t want Facebook to share it. Facebook takes pride in this, and it has even caused them problems as they have tried to fight this with the likes of Google’s FriendConnect to protect this data and keep it in the hands of their users if the users do not want it shared.

Never in history has there been such a phenomenon as the iPhone SDK being opened. It’s brand new, and it’s unprecedented, so issues and flaws are to be expected. I only hope that Apple can, in the end, respect their users’ privacy and place a little more control over what data the Apps you install are allowed to access. Doesn’t this concern you?

Five Real Reasons Vista Beats Mac OS X

I’m going to step away from my normal focus on Social Media because the inner-geek in me just couldn’t resist. Recently Chris Pirillo posted a challenge that I just couldn’t help taking on. In it, he criticizes a post by Preston Gralla of ComputerWorld stating “5 Reasons Vista Beats OS X”, and he makes some very good points. I admire Chris a lot because he’s one of the most unbiased Geeks I know, except when it comes to the Mac. Chris and I would get along well.

I too am a Mac user, in fact, the post I am typing at the moment is on MarsEdit on a Macbook. I absolutely love my Mac, and thus far have not found a preferred Operating System for development and desktop environment to work on, at least as a software developer (I should note that actually, most of my software development is over Terminal on the Mac, over to a Linux Server, my preferred server OS).

I will be the first to admit, however, that the Mac does have its flaws, in particular Leopard. I do run a Vista Ultimate machine, and I love it too, but for different reasons. Let me give 5 real reasons why Vista, at times, can be better than a Mac, in particular Leopard - and Chris, if you’re reading, I would love to hear your response. Here are 5 reasons in response to Chris’s challenge that I think really make sense:

  1. It’s all about the media. Chris, I’m not sure if you’ve used Windows Media Center to its full extent, but sit down, set up a Windows Media Center machine/server, and then set up an Xbox 360. Be sure your server has a good TV card or two in it as well. Now, sync the two, and begin watching TV live over your home network. Add on a Media Center Extender to another TV in your house and begin streaming live TV on another channel to that TV as well. Now, on one of the extenders, open up some music, maybe even from your iTunes library on your PC (assuming it’s not DRM protected, stupid Apple). Go on over and visit the videos you have stored on your PC. Install some MCE plugins, and begin browsing your videos on Youtube, or even Netflix watch now movies. Got HD? MCE supports it. Go to the sports section, see all the sports games playing currently and what their scores are, surf through all the sports channels (all in HD!). Go in and schedule to record your favorite TV Series. AppleTV isn’t even near ready for this (although I so desperately would love to see them do it!). Heck, turn off MCE even and start playing some games, or rent a movie. If you can point out a Mac combination that can do that, I’ll jump for joy!
  2. The corporate environment. As a CTO and entrepreneur, I simply cannot force everyone onto a Mac. I have first, the expense of the learning curve and integration between Mac and PC, and second the cost of the Macs themselves. I can get a PC for under $500 these days. The closest equivalent to that is the Mac Mini, which still, at the equivalent PC level is more expensive. Now, add to that the expense of Parallels for those that need Windows apps like Quickbooks Corporate editions and others. True, integration with Exchange is possible, but is still pretty limited when compared to Windows. In the end I’m looking at a pretty expensive IT budget. Again, I think a Mac is an excellent development machine, and would still encourage a Mac for my developers due to their need to develop in cross-platform environments, but it just doesn’t make sense cost-wise across the entire company.
  3. Hardware compatibility. I agree - there are a lot of options when it comes to supporting hardware for a Mac, but, can I just get a decent wireless print server that works with the Macs in my household? What about print drivers that work across the network with Windows-connected printers? Leopard fixes some of that, but it’s still not anywhere near compatible as the Vista machines are. Is it Mac’s fault? No, but it is a strong point to buying Vista. What about shuffling around every time I need to connect to a projector because Macs use the non-standard VGA/DVI adapters? I’m sure the readers can come up with more unsupported hardware.
  4. Finance Software. I touched on this a little earlier, and Gralla very broadly covered it in mentioning supported software, but his claim was not backed by specific examples. Simply saying, “Vista runs more software” is an opinion, and Chris, as you point out, not necessarily proof that Vista is better. However, one thing I do have issues with is the vast array of Windows finance software (aka small and large business versions of Quicken and Turbotax) and the lack of it within Leopard. I run a very small business at the moment, and frankly, Quickbooks for Mac is simply too much for me. I’m looking for something more like Quicken Home and Business until my business gets large enough for me to hire an Accountant. There’s also the flip-side to that in that if you run a very large business, there are no enterprise versions of Quickbooks for Mac. This is why both my Father, and Father-in-Law who are CPAs do not use Macs. For now, I’m stuck to slowing down my machine with Parallels any time I need something like that, which, IMO is a hack.
  5. It’s all about the animated wallpaper! Can your Mac run animated pictures of waterfalls, running streams, or flowing lava? My Vista machine can. Come on - you have to admit that’s something my Vista machine can do that my Macbook can’t, don’t you? So long as we’re going to praise the Mac UI this is one really cool feature I’d just love to see on my Mac. There are also other cool UI features on Vista that I like, even though I think Mac trumps them as a whole.

So, those may or may not be big things to some, but that is my list, and you asked Chris. Of course I could always come up with 10 more things that Mac beats Vista in, but my point is, as they told us when I was a Sales person at Computer City as a teenager, there are strengths to each OS - it’s important to evaluate what works best for you and your situation, and choose accordingly. Now, I ask my readers, are there any reasons (supported by true, concrete facts) that you feel Vista beats Leopard or the Mac in general?

The Emergence of “Spam 2.0”

My recent blog post on the possible “Facebook Worm” seems to be having an effect in security circles. Within 24 hours I got this e-mail from Zango making sure their name was not associated with it:

Hello Jesse,

I am writing to you about the above entitled post. I first want to clarify that we (Zango) had no involvement with the “Secret Crush” Facebook widget. Matt Hines of InfoWorld clarified that in a blog post in January. You should take a look at: http://weblog.infoworld.com/zeroday/archives/2008/01/zango_strikes_b.html.

Mr. Hines’ blog post was spurred by our thorough investigation, which began with a blog post (http://blog.zango.com/PermaLink,guid,94c0e12c-c69e-484f-81b8-b8b58953d71b.aspx) and ended with another post (http://blog.zango.com/PermaLink,guid,b148693d-dbb7-48b9-a102-af336768a424.aspx) and press release (http://www.easyir.com/easyir/prssrel.do?easyirid=83181A68A6B07C97&version=live&prid=345840&releasejsp=release_21).

So to answer your question: Since Zango was not involved, we are not associated in any way with Secret Crush. Now, could Secret Crush be doing dubious things? Very possible. Have you contacted Facebook to let them know? If not, I will do just that, as we’ve had some contact with them.

I hope that you’ll revise your post in some way and, as always, am available to discuss further, etc.

Thanks,

SJS

Steve Stratz

Director of Public Relations

Zango

The following day, I received an e-mail from the security company Fortinet, asking if they could publish a security advisory on the threat. They mentioned they didn’t think it was necessarily a “worm”, per se, but rather what they call “Spam 2.0”. This raises the question: are we in a new age of spam? Now, instead of hijacking a person’s e-mail account and sending out spam messages over SMTP e-mail, spammers are hijacking your Facebook and other social accounts and posting their links and messages on your walls and statuses.

The question now becomes, is it still related to the Secret Crush application? I find it hard to believe with the problems they had in the past, and with them posting “totally hooked on the crush calculator” within the user’s status message that they wouldn’t have some involvement, but then again, the spammer could just be using a hijacked application at the same time they are using the hijacked user’s account. As Fortinet mentions, this has been happening on Myspace for quite some time now - it is only recently that we’re starting to see the same on Facebook.

The advantage these social networks have over traditional e-mail to combat spam is that your account requires a password to hijack. If you keep a good alpha-numeric, non-dictionary-based password, spammers can’t exist! You can read more from the Fortinet article here:

http://www.fortiguardcenter.com/advisory/FGA-2008-08.html

Also, PC Magazine’s blog wrote on it recently:

http://blogs.pcmag.com/securitywatch/2008/03/facebook_worm.php