Facebook: seek and ye shall find

Over at Facebook, Robert Scoble, recently posted a video asking this question:

If you search for “Bill Gates” on Facebook you’ll find lots of entries. But, let’s say you were looking for the guy who started Microsoft. How could you tell which one is the “real” Bill Gates?

According to one comment on the video, your search is likely to lead you here: http://www.facebook.com/s.php?k=10080&id=502040841. And, to answer your question: “no, I didn’t send a friend request to Bill”. That’s not to say we wouldn’t get on, I’m sure we would…I’d like to podcast with Bill, but that’s for another time!

Now Robert hasn’t told us anything that we couldn’t of worked out ourselves, therefore what he has done isn’t illegal. But what it does demonstrate is that even if you wish to remain anonymous on a social networking site such as Facebook, simply by looking at your circle of friends, an individual can easily find you. That’s not to say all social networking sites are like this. LinkedIn, for example, promotes the notion of “introductions”, whereby one of your “connections” can introduce you to one of theirs – you are unable to see the profile of the person you are being introduced to. Facebook, at the time of writing, suffers from poor privacy because I can easily view my friends friends and their friends too. With big names like Bill Gates, as Robert kindly demonstrates, I can easily work out who might know somebody and within a few clicks, voila, I have the person I am looking for. It’s just too easy.

Elsewhere in this blog I have already discussed the security concerns raised by the social networking sites. Microsoft’s Steve Lamb has picked up on it too, spreading his ammo over four posts relating to Facebook applications, Facebook friend requests, Facebook privacy and in the same domain, his mother’s maiden name. Clearly Steve is as worried about the opportunities that social networking sites are providing for would-be criminals as I am. There’s so much personal information available on the Internet already…now it’s just propagating as the masses swarm to the social networking sites leaving all sorts of personal information littered over a plethora of profiles. It’s a big problem.

My foray into the social networking world primarily revolves around Facebook (others are under consideration) and what its “value add” is in terms of Community. It has mileage, for sure. It’s a good thing, privacy and security issues aside. I do like it. But I have lots of questions: How is it affecting our daily lives? What are people getting from Facebook itself and from Facebook Groups? Why are there so many social networking sites? These are all questions I hope to answer over the coming months, but in the meantime, please feel free to comment about your experiences in the social networking world.

Technorati Tags: , , , , ,

Chris Seary’s Ten Important Tips for Securing a Web Application

I left my 5mp digital camera running at DDD5 and managed to catch all of Chris Seary’s session. The video quality isn’t that good, but if you use it in conjunction with these slides and this blog post you should be fine. The audio is reasonable.

I’m looking into getting a better camcorder that is more suited to this kind of filming. May be at the next DDD you’ll see me there with a camcorder! (PayPal donations will be gratefully received!)


Video: Ten Important Tips for Securing Your Web Application

Technorati Tags: , , ,

No, I will not wear *that* uniform…

If life in IT wasn’t hard enough with every man and his dog asking you for help, the friends of the family and neighbours asking for help sorting out their infrastructure problems, imagine the hassles this guy must have:

Spotted whilst walking in London from Kings Cross to Holborn, heck, I bet he gets total strangers walking up to him…”about this mobile ‘phone, can you…?”

You wouldn’t catch me wearing a polo shirt like that. No siree.

It’s worth noting that I don’t actually mind friends of the family and neighbours asking for help, I kinda like it, especially when it usually involves “come ’round, fix my PC, have a few beers”!

Technorati Tags: , , , ,

RBS Internet Banking – the card reader has arrived!


My Royal Bank of Scotland Internet Banking card reader arrived today. It a Xiring unit, a numeric keypad with a small LCD at the top and a slot for my bank card. More information about the Xiring products can be found here: http://www.xiring.com/o2s/en-GB/index.php

Using this kind of unit has the advantage of being totally independent of any operating system – listeners to my recent podcast with Barry may recall that we lamented about the fact banks often send out equipment that will only work with Microsoft Windows XP. These units have no physical connection to the PC, so will even work with the operating system used by Apple Macintosh computers.

Authentication before the card reader
Previously, I used a 4-digit PIN and an 8-character password. Authentication consisted of providing 3 selected digits from the PIN and 3 characters from the password. I was occasionally asked for additional characters if I wanted to do something that wasn’t a run-of-the-mill transaction (e.g. add a standing order). Essentially, this form of authentication relied on something I know. The trouble with this approach is simple: the bank also know this information. Which does leave it open to abuse, either via employees “taking it with them when they leave”, or the material simply appearing in the trash. I’m not saying that this has happened at the RBS, however it has happened to other banks, as is widely reported.

So what’s the authentication process now?
Well, nothing has really changed for day-to-day transactions. However, the following items require the use of the card reader: Add a new Payee, Amend a Payee, Create New Standing Order, Change Security Number and Change Password. I authenticate and login as I did before, however using any of the aforementioned features, I have to use my card reader. I insert my card, push the Respond button and enter my card’s PIN. I then have to enter a number into the card reader – it’s provided by the RBS Internet Banking web-site. Once I enter that number into the card reader and press OK, it then displays a number that I must enter into the web-site. There’s a better explanation over here.

So now, whilst the basic authentication remains the same, for certain features, the authentication is relying on something I have, in this case the card reader, the card and my card’s PIN. This makes it a little harder for those people who have discovered my on-line banking PIN and password to transfer money to a new payee.

I can only assume that the types of fraud that have been affecting the major Internet banking operations revolve around the creation of new payees, direct debits and standing orders. Certainly in the few cases I’ve been close to, the creation of a new payee followed by a single transaction, or more likely two transactions, this would ring true. This card reader will help alleviate those kind of fraudulent transactions. The need for a perpetrator to have my bank card and the PIN for it do add an extra layer of security. I won’t need the card reader that often, most of my payees are already set up, however it will mean that when I do need to add a new payee, I will need the card reader present.

What’s next? Bio-metrics: the third tenet of authentication, something you are, e.g. fingerprint, voice-print, retina scans.

More information
http://www.rbs.co.uk/reader
http://www.secureidnews.com/news/2006/05/03/mastercard-allinone-includes-xiring-authentication-solution-to-enhance-security-for-us-online-banking/

Further reading
http://blog.jazzle.co.uk/why-i-might-leave-my-bank-the-natwest-card-reader/

Technorati Tags: , , , , , , , , , ,

010 – Community Podcast – Albert Tafila

In this show, number 10, I was speaking to Albert Tafila. Albert helped Zi organise the GrokTalks at DDD5. It’s a little short as Albert was waiting on a taxi! We talk about the sessions Albert enjoyed and the importance of community events such as DDD5.

Download the podcast here. Transcript to follow.


I have a new podcast feed available too, you can subscribe to it here – and it works with Apple’s iTunes!

Related posts:
Podcasting – great advice
001 – Community Podcast – Dave McMahon, NxtGenUG
002 – Community Podcast – Ravi Nar – VistaSquad
003 – Community Podcast – Guy Smith-Ferrier – DotNetDevNet
004 – Community Podcast – Barry Carr, Gary Short, Hamish Hughson – North East of Scotland User Group
005 – Community Podcast – GeekDinner/DDD5 – Adrian Sutcliffe
006 – Community Podcast – DDD5 – Mike Scott – Gary Short
007 – Community Podcast – GeekDinner/DDD5 – Four Cool Guys
008 – Community Podcast – Post-GeekDinner – Ben Hall – Chris Gaskell
009 – Barry Dorrans – aka blowdart

This podcast:

Technorati Tags: , , ,

009 – Community Podcast – Barry Dorrans: Win a ticket to TechEd

Yesterday, I managed to corner Barry Dorrans and convince him to let me record a podcast with him! Barry didn’t take much convincing…and as he admits himself, I took his podcast virginity!

Recorded live, in The White Hart near the Tottenham Court Road tube station. There were other folks in the pub, they didn’t know we were podcasting so you can hear them in chatting away in the background…apologies for that.

We talk about social networking, social networking fatigue, Facebook security, Cardspace, portability of cards, USB/smart card authentication, secure certificates, hardware authentication, BBC iPlayer (we touch on DRM for a second), UAC, Windows Vista, DDD5, conferences in Ireland, social security numbers, banks calling you and a whole host of other things. Barry’s a humorous guy who manages to inject that humour into this podcast!

Download the podcast here. Transcript to follow.


I have a new podcast feed available too, you can subscribe to it here – and it works with Apple’s iTunes!

Related posts:
Podcasting – great advice
001 – Community Podcast – Dave McMahon, NxtGenUG
002 – Community Podcast – Ravi Nar – VistaSquad
003 – Community Podcast – Guy Smith-Ferrier – DotNetDevNet
004 – Community Podcast – Barry Carr, Gary Short, Hamish Hughson – North East of Scotland User Group
005 – Community Podcast – GeekDinner/DDD5 – Adrian Sutcliffe
006 – Community Podcast – DDD5 – Mike Scott – Gary Short
007 – Community Podcast – GeekDinner/DDD5 – Four Cool Guys
008 – Community Podcast – Post-GeekDinner – Ben Hall – Chris Gaskell

This podcast:

Want to win a TechEd ticket? Try your luck here: NxtGenUG

Links
Charteris plc
Microsoft
DeveloperDeveloperDeveloper
subtext
hackathon
mailinator
CardSpace
NxtGenUG
Twitter
Robert Scoble

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Password security – even big names fail

Great mate Barry and I did a podcast yesterday. In and around the podcast, we chatted about password security, a subject not missed by fellow great mate Alan – he’s a great fan of pass phrases (i.e. a sentence instead of a single word). So yesterday, whilst in London, Barry picked up an Oyster card application form – I’m kind of interested in getting one, if only to maintain the stereotype of a Scotsman (although Mr Smeaton has changed that!)

Imagine my surprise at reading section 3. Password:

What’s this all about? A password is now called an answer. The password can’t be longer than 18 characters and cannot use spaces or punctuation? Adding a space or two and some punctuation is the first step to making a strong or secure password. Limiting it to 18 characters, including numerical values, rules out pass phrases (which are harder to guess and less prone to dictionary attacks). But, the other answers on this part of the form, can include spaces. Your mother’s maiden name? Does it have spaces?

Better wording of this question and more flexibility for the password are required…surely?

Technorati Tags: , , , , , , , , , , , , , , , ,

Help me hack a web-site…please?

Via http://www.developerfusion.co.uk/forums/thread/156127/, you have to wonder what sort of responses this kind of post would get:

Dear sir,

Please some body E-mail me how to hack another computer through my computer in the internet and how to get another computer IP address through in my computer and how to access to anther computer.

Please don’t misunderstand me, as I’ll never do unnecessary thinks if I learn this. I want to know and take knowledge about this. Please E-mai me – ****@yahoo.com

Thank you,
******.

I am amazed that people still ask this kind of question…and expect us to cough up with an answer.

[Update: Barry has just reminded me of a post over at his blog – where it seems that there’s a lot of demand for a tribalwars hack…]

Technorati Tags: , ,

Job: Scotland: C#, ASP.NET, SQL Server,AJAX,Visual Studio .NET, UI

The Company
Xceliant Scotland

The Job
We are looking to build a network of contractors for our SimpleWeb.net Enterprise Social Network platform. This is part of our new venture being set up in Dundee in the last quarter of 2007.

Key skills required are:

1. C#, ASP.NET, MS Visual Studio .NET
2. MS SQL Server, Windows Server
3. AJAX, JavaScript
4. User Experience Design

Further Information
Ian Smith
CEO
Xceliant Limited
e: ian DOT smith AT xceliant DOT com
t: 0131 718 6056
m: 07785 264 0957

Technorati Tags: , , , ,

Win a ticket to TechEd Developers with NxtGenUG and Microsoft

Win a ticket to TechEd Developers with NxtGenUG and Microsoft.

NxtGenUG is offering one lucky winner a ticket to Microsoft’s premier European developer conference : TechEd Developers in Barcelona : November 5th – 9th 2007. To be in with a chance to win the ticket register on the NxtGenUG site and enter the TechEd ticket treasure hunt. [Terms and conditions apply]. Visit the NxtGenUG TechEd home page for more details…

http://www.nxtgenug.net/TechEd07/default.aspx

Technorati Tags: , , ,