March 2008 - Stay N Alive

The Emergence of "Spam 2.0"

38197-spam.pngMy recent blog post on the possible “Facebook Worm” seems to be making an effect in security circles. Within 24 hours I quickly got this e-mail from Zango making sure their name was not associated with it:

Hello Jesse,

I am writing to you about the above entitled post. I first want to clarify that we (Zango) had no involvement with the “Secret Crush” Facebook widget. Matt Hines of InfoWorld clarified that in a blog post in January. You should take a look at: http://weblog.infoworld.com/zeroda)y/archives/2008/01/zango_strikes_b.html.

Mr. Hines’ blog post was spurred by our thorough investigation, which began with a blog post (http://blog.zango.com/PermaLink,guid,94c0e12c-c69e-484f-81b8-b8b58953d71b.aspx) and ended with another post (http://blog.zango.com/PermaLink,guid,b148693d-dbb7-48b9-a102-af336768a424.aspx) and press release (http://www.easyir.com/easyir/prssrel.do?easyirid=83181A68A6B07C97&version=live&prid=345840&releasejsp=release_21).

So to answer your question: Since Zango was not inovlved, we are not associated in any way with Secret Crush. Now, could Secret Crush be doing dubious things? Very possible. Have you contacted Facebook to let them know? If not, I will do just that, as we’ve had some contact with them.

I hope that you’ll revised your post in some way and, as always, am available to discuss further, etc.

Thanks,

SJS

Steve Stratz

Director of Public Relations

Zango

The following day, I received an e-mail from the security company, Fortinet, asking if they could publish a security advisory on the threat. They mentioned they didn’t think it was necessarily a “worm”, per se, but rather what they call “Spam 2.0”. This brings to question, are we in a new age of Spam? Now, instead of hijacking a person’s e-mail account and sending out spam messages over SMTP e-mail, spammers are now hijacking your Facebook and other social accounts, and posting their links and messages on your walls, and statuses.

The question now becomes, is it still related to the Secret Crush application? I find it hard to believe with the problems they had in the past, and with them posting “totally hooked on the crush calculator” within the user’s status message that they wouldn’t have some involvement, but then again, the spammer could just be using a hijacked application at the same time they are using the hijacked user’s account. As Fortinet mentions, this has been happening on Myspace for quite some time now – it is only recently that we’re starting to see the same on Facebook.

The advantage these social networks have over traditional e-mail to combat spam is that your account requires a password to hijack. If you keep a good alpha-numeric, non-dictionary-based password, spammers can’t exist! You can read more from the Fortinet article here:

http://www.fortiguardcenter.com/advisory/FGA-2008-08.html

Also, PC Magazine’s blog wrote on it recently:

http://blogs.pcmag.com/securitywatch/2008/03/facebook_worm.php

Free T-Shirts, Fudruckers at Utah OpenSocial Hackathon

I just wanted to briefly mention that I now have 30 OpenSocial T-Shirts from Google for the Utah side of the West Coast Open Social Hackathon tomorrow night. Also, in addition to that, I hear Bungee Labs will be providing Fudruckers to eat at the event, along with Guitar Hero, Rock Band, Halo 3, and Call of Duty on 2 40″ screens. Come on over to hack and learn or just have fun! Learn more about the event here:

http://staynalive.local/articles/2008/03/21/announcing-the-first-west-coast-opensocial-hackathon/

UPDATE: I also have 2 free tickets to Google I/O for two lucky winners we’ll draw from a hat (transportation, meals, and lodging NOT included)

Yahoo Joins OpenSocial, Google Announces OpenSocial Foundation

Today Yahoo announced that they are joining forces with the OpenSocial platform, and will be joining both Google and MySpace to build “The OpenSocial Foundation”. This new foundation “will seek to ensure that the technology behind OpenSocial remains implementable by all, freely and without restriction, in perpetuity.” It is modeled after the current industry-supported OpenID foundation. As an addition to that announcement, Google has released “opensocial.org” to promote the development of OpenSocial on a standard platform away from the Google environment.

Read more about it over at OpensocialNow!

Are We Seeing the First Facebook "Worm"?

Today I received some interesting wall posts that claimed to be from my Aunt. The first looked like the following:

hey do me a favor and try the new crush calculator, don’t worry its not some annoying facebook application that makes you invite all your friends, the crush calc works with your mobile phone and it uses a special scientific way to find the person near you that has a crush on you, guess what? it actually worked, for me and 4 friends, yes this is for real you gotta see this, try it right now and see for yourself, its too crazy. http://www.fkgcp.com

The second looked like this:

i finally found the best source out there for all the latest ringtines for my phone at http://www.vyzxw.com they dont sound bad like the ones from my actual phone company, these are 100 times better and they have thousands and thousands of ringers to choose from and when you use them the first time you get 20 free ringtones. stop paying so much for your ringtones,don’t be a sucker, get them from my place, http://www.vyzxw.com

I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her friends. My brother got a few of these posted to his wall as well from her Account. I also noticed that her status was changed to, “totally hooked on the crush calculator”.

Then, I did some research on Google for “crush calculator” and came up with this article on CNet. It appears that there used to be an Application on Facebook called “Secret Crush” that would install Spyware on peoples’ computers. Facebook quickly removed the application, but it appears they may be retaliating.

Doing a search for “crush calculator” on Facebook reveals a few groups users on Facebook have set up to apologize to their friends for someone hacking into their account and sending messages to all their friends about the “Crush Calculator”.

So, this could be a few things:

  • Could the Zango application have been installed on these users and they are now using that retrieved Facebook data to hack into users’ accounts, scrape the Wall, and post to all of their friends’ walls?
  • People related to “Secret Crush” are retaliating, finding easy passwords, and hacking accounts to send messages to all the friends of a user and get those users to go to the sites listed above.
  • Third-party hackers are getting paid to hack into these accounts and send out messages.
  • This could truly be one of the first “Social Worms”, instead of circling the internet, following your list of friends and their friends, spreading as it harvests information from those profiles for more damage in other areas.

It’s also very interesting that since I was now known to this “hacker”, or “worm”, whichever it may be, I am now for some reason getting lots of spam Skype messages. The only place I really list this in the open is on my Facebook profile, which is only visible to my Facebook friends. Could they have harvested my information as well? A social worm is truly dangerous!

There is nothing stopping one of these applications from collecting a bunch of user data and sending messages out to each of the friends of the users that added the application. Facebook does track this and puts a quick end to them, but just like any other application you install on your computer, you have to be careful of the Applications you install on your Facebook account! Verify that you know the sending user well, and ask them their experiences first.

Most of all, check your passwords! Be sure you always have a strong password for your Facebook login, and this probably won’t happen to you. Have any of you experienced similar issues?

Well Done Guy! Chris DeVore is a Cheapskate

I just caught this article from Mashable and I just had to pipe in. In the article, Mashable’s Kristen Nicole claims Guy Kawasaki paid too much for the development of AllTop, at $10,000. They compare it to Askablogr.com, claiming Chris DeVore only paid $7500 for the development of Askablogr, with its rich feature-set.

I was blown away by this! Not that Guy Kawasaki paid $10,000, but that Chris DeVore only paid $7500 for Askablogr. Now, I don’t know Chris, so take this with a grain of salt, but some call it a deal. I say he’s a cheapskate! For something that will be your primary revenue source and your main line of business, $10,000 for something like Alltop.com is a steal! The fact that Chris DeVore only paid $7500 for his development means he’s either hiring offshore, doing the development himself (in which those costs are way under-inflated), or he’s very much underpaying a bunch of gullible developers that probably don’t believe much in the product they’re working on.

As a business owner, when supporting a technology-based business, it is of utmost importance that you put your developers and IT staff at first priority. They are your bottom-line, and should be the superstars of your business. You have to keep in mind that for top notch developers and technology, you’re competing with the likes of Google, Facebook, Yahoo, and others to get the best talent. By not paying your developers, you will either a) lose your developers very quickly, b) have a revolution at one time in your future and your developers will all back out on you in rapid succession, or c) not get the best work and skills you could be getting, and you’ll definitely run into scalability issues as your site grows in the future.

I recently finished the book, “My Startup Life“, by Ben Casnochas. I bet Guy’s read it and Chris hasn’t. In it, Casnochas talks about the lessons he learned by not paying his lead developer well. He quickly had threats of the staff to leave, and they quickly ran into scalability issues due to the unexperienced offshores they were hiring overseas. In building a technology-based business it is of utmost importance that you pay and treat your IT staff well or it will come back to bite you in the future.

So, Kristen, I say Guy is the smart one in this case. I am willing to bet his site scales better, his developers are happier, and more likely to work with him in the future. Guy’s likely to get millions for Alltop.com in the future, should it succeed, so $10,000 is a very small price to pay to get good developers on staff.

UPDATE: See Chris’s comment here: http://staynalive.local/articles/2008/03/21/well-done-guy-chris-devore-is-a-cheapskate/#comment-2126. I probably inappropriately labeled Chris a cheapskate while trying to defend Guy. It turns out (and I should point out, unless I read it wrong, that the Mashable article did not make this very clear either) that Chris’s project was a project built simply to point out how cheap something could be developed. In that case it would make him an intentional cheapskate, not that there’s anything wrong with that. As I mentioned, I’m a cheapskate too – I just don’t see the reason to short projects in development costs when it is the core to the business. It is an interesting experiment regardless. Thanks for visiting Chris!

Announcing the First West Coast OpenSocial Hackathon

Utah Social Media DevelopersAfter meeting up with Bess Ho, founder of the Silicon Valley Web Builders and Facebook Developers Garage, we decided a joint hackathon, focusing on OpenSocial would be a great opportunity for both of our groups. So I’m proud to announce that next week, March 26, from 8pm MST to 1am MST the Utah Social Media Developers Group (formerly Utah Facebook Developers Garage) will be joining with the Silicon Valley Web Builders live via Ustream.tv and Qik for a great night of OpenSocial hacking!

We’ll kick off the event with a presentation by Jason McGowan, lead developer at the Facebook App, We’re Related. He’s going to talk about some of the work they’re doing on OpenSocial. We’ll follow that with a presentation by Ted Haeger, Director of Developer Relations at Bungee Labs. I’m told he’s going to show us some cool new features of the Bungee Labs developer tools that integrate with OpenSocial, in a 15 minute timeframe. Bungee Labs will be hosting the event and providing snacks and drinks. Here’s Ted’s Bio:

Ted Haeger directs Bungee Connect’s developer program and leads Bungee Labs’ team of evangelists. An avid technologist, Ted is keenly interested in the rapidly evolving social dynamics and changes to human culture coming about as the Internet continues to develop. Prior to his work at Bungee Labs, Ted directed the open source advocacy program for Novell. He still keeps strong ties to friends throughout Free Software community and regularly speaks at various international and regional open source events.

The rest of the night will be spent just hacking and coding on OpenSocial, with the help of other developers there in both Utah and Silicon Valley to help getting started and continuing your development in OpenSocial. Both Google and RockYou have generously offered to provide Swag for the event (MySpace was offered the opportunity, but supposedly they “have already met their goals for the number of developers on their platform”. MySpace – the offer is still out there if you want it!). Thanks to them for their generous help in getting this event together. So the evening should be full of education, swag, snacks, and coding, a developer’s dream! If you’re a business that would also like to offer some Swag or something else contact me and we’ll add your name to the Sponsors list!

So if you’re a developer already or looking to develop in Social applications in Google’s Open Source platform, OpenSocial, come on over and code with us! Those interested in meeting developers are also invited. Bungee Labs, Google, RockYou, and my Social Media Applications Agency, SocialOptimize, will be Sponsoring the event.

Before coming don’t forget to sign up for the sandboxes you are interested in developing on – they often take a few days to get approved. You can find links to those environments here. Be sure to check out the tutorial here.

An interesting Fact – based on comparing numbers with Bess in Silicon Valley, it appears that Utah has the largest group of Social Media developers next to Silicon Valley on the West Coast. Our Facebook Group actually has more than they do! Let’s all get together and show the developers in Silicon Valley what Utah is all about! Please be sure to RSVP for the event on Upcoming or Facebook (join our group there!). You can find directions to Bungee Labs here:

625 E Technology Ave B2300
Orem, UT 84097

Facebook Getting the Vote Out – but is it Good for Developers?

You’re seeing it here first folks – this morning Facebook announced a new tag on its wiki called . I imagine an announcement from Facebook will come soon on their purposes for this. From the wiki, :

Displays a Rock the Vote widget inline in your application. The text inside the tags is formatted as a hyperlink. When the user clicks the link, a Working Assets US Voter Registration dialog appears. When the user is done, they are prompted to share it with their friends. Then they are returned to your page.

This is particularly suitable for political apps or any app that wants to encourage voter registration.

Now, I’m not that familiar with the whole “Rock the Vote” organization, and I’m very for encouraging voter registration, but isn’t this also giving preferential treatment to other big organizations on Facebook? How did “Credo Mobile” get their sponsorship on this? Does this mean apps and organizations like my company’s client, “Takes All Types” will have their own tags for developers to use too? Has FBML been turned into an advertising tool? As a Facebook Developer myself I’m a little concerned about this one.

To implement the tag, you would do something like this (from the wiki):

Register to vote!

The link looks like this:

 link

And produces a form that looks like this:

rock the vote form, top

The second half of the form looks like this:

rock the vote form, bottom

It’s a Boy! The first full, live Twitter Birth

Baby 4.0It’s a Boy! Yes, we gave birth to a beautiful, healthy baby boy last night, March 19th, 2008, at 3:24am. He was 6lbs 4oz, at 19″. We’re still figuring out a name – it’s now between “Jesse III” (after my grandfather, continuing his legacy), “Joshua Timothy”, and “Joshua Gregory” (my Dad’s name is Gregory).

We pulled out full stops for this birth Socially. I believe, except for maybe Scoble, it was the first full, “live” birth broadcast on Twitter. Twitter was an easy way to get the word out, and since the hospital had wifi I could use Twhirl to update Twitter, Jaiku, Pownce, and Facebook all at the same time. We also live-broadcasted parts, including a few heavy contractions by Rebecca (SFW – just turn the sound down because she’s loud!), all via Ustream.tv. The Twittergrams and ustreams were all taken just right as the baby was born – you were there when it happened! I also posted items and pictures to Facebook. The baby’s nickname right now is “Twitter”. I had to have hundred of my Twitter friends and family wishing us luck, wishes, and congratulations last night so I can’t thank you all individually. Thank you for your wonderful wishes!

We’ll continue doing a few live streams via Ustream.tv, and you can keep track of when we go live, what’s going on in Baby 4.0’s life all by following me at http://twitter.com/jessestay, or typing “follow jessestay” and sending to 40404 on your cell phone. Here are a few videos to tide you over:

http://ustream.tv/xVmJRVOkN4vty.4Ug.PQlA.usv

http://ustream.tv/ukWPPvGTH5BF1pPXwIFqAvy3Yp3fmvH9.usv

You can also check out the pictures on Picasaweb:

http://picasaweb.google.com/jessestay/20080319Baby40?authkey=f197LRVdBWM

Facebook Works to Reduce Spam Further With "Feed Forms"

Today, a new way of posting to the News Feed in Facebook appeared on the Facebook Developer’s wiki. Facebook introduced “Feed Forms”. To use a Feed form, you simply create a regular form as you would any other form, but add a special “fbtype” attribute to the form. The only documented value listed thus far is “publish”. Facebook then intercepts the form, reads the url in the action parameter, and prompts the user, asking them if they want to publish the story to their friends.

To use a “feed form”, the url in your action parameter for the form should return content in the form of JSON with a simple feed response. The example they give for return JSON data is this:

{ "method": { "fbtype" : "publish",

           "next": "http://my.canvas.com/next_page.php",

  "feed": {"title_template": "{actor} published status",

  "body_template" : "New status is \"{status}\"",

  "body_data" : {"status": $_POST['status']}}

}

I created a sample form that looks like this, returning the above data (changing the url) in application/x-json format:

Unfortunately it doesn’t seem this feature is live yet (or I’m just doing it wrong), as my returned JSON data just gets returned back to me when the form is submitted. I will post screen shots as soon as I hear confirmation that it has gone live (I expect that to be next Tuesday, when they usually do pushes).

Does this mean Facebook is doing away with the automated posting of News feeds by applications, or is it just one more way, and better way to make your feed story more likely to appear in your user’s friends’ news feeds? There is no official word from Facebook yet as to how they intend to use this.

Twitter Looking Internally to Add Groups Functionality?

Today, on the Twitter developer’s mailing list, in response to the question:

“it would be cool to have Twitter groups so you could @group and d group”

It was answered by one of Twitter’s Engineers:

” This is on our radar, and third party developers have already done
several different implementations of this feature.”

This is on our Radar… Does this mean Twitter is looking to add group functionality in the future?  I have heard rumors, but never a confirmation like this.  This also brings to mind the question of what about other developers writing apps to provide this functionality?  Should Twitter leave this functionality out, and instead allow developers to create their own solutions?