To use ReclaimPrivacy.org’s privacy scanner, you have to drag a JavaScript bookmarklet to your browser and click on it once you’re logged into Facebook. Running a bookmarklet from your browser is the same as downloading an executable to your desktop and running it. Wait, it says it’s “an independent and open tool” and “the source code and its development will always remain open and transparent.” How many out of the 112,000 that shared this (at the time of writing) on Facebook and probably 10x that that used it looked at the source code? How many people out of that small percentage were jQuery buffs who understood what was going on in the code?

Wait! You’re concerned about your privacy on Facebook to the point you will blindly run executing code on your personal computer.

If I were Matt Pizzimenti, I would have posted whatever was on your clipboard as your Facebooks status just to teach you a lesson in trusting “open and transparent” code. But seriously, kudos for Matt trying to address the privacy concerns of others. From what I’ve seen this tool is well put together with the best intentions. That being said, I’m about to rip into his misleading nomenclature and copy. Please remember I mean to help.

I ran the privacy scanner. I had already adjusted the new privacy settings last week so I wanted to see what his tool would say. Let’s go top to bottom:

insecure Instant Personalization is currently sharing personal information with non-Facebook websites.

I know. I set it that way. That doesn’t make it insecure. I might be one of the few people who likes that Yelp knows who my Facebook friends are and can automatically friend me on their service and show me what reviews my friends have made. I am, after all, most likely going out with those people to eat. That scares some people but I look at it as being able to forever bypass importing my email contacts to see if my friends are already using this service.

caution some of your personal information is exposed to the entire Internet, you should tweak personal settings

Go ahead and tweak your personal settings until the cows come home. Some of your personal information will always be exposed to the entire Internet. That kind of statement is misleading. Even the most private of private people still have some personal information floating around the Internet. It is inevitable whether you like it or not. Tweaking your personal settings on Facebook will only protect the next stupid status update or profane interest from being cached by a search engine.

caution some of your contact information is exposed to the entire Internet, you should tweak contact settings

Again, I know. I’m old enough where I’m not afraid to be contacted by strangers and have enough confidence in my spam filter that my privacy is not being compromised by sharing some contact information. At this point you might be thinking (or screaming), “Of course you don’t care! You have websites that bare all and don’t take privacy seriously!” I actually do take privacy somewhat seriously but more importantly realistically. If it took a few tech blogs to wake you up to the reality of how un-private your life is when it comes to data, you should really start paying closer attention.

caution some of your friends, tags, and connections information is exposed to the entire Internet, you should…

get the point by now. If you don’t want to be associated with one of your friends, de-friend them. If you’re embarrassed about a picture you’re tagged in, untag it. If you’ve listed Can’t Hardly Wait as one of your favorite movies and don’t want anyone to know, do not tell them. Facebook is not out rummaging through your used DVD sales or tracking what Hillary Duff album you recently deleted from your iTunes library. They are simply organizing and connecting information you provide to them.

insecure your friends can accidentally share your personal information

At this point, I am honestly to the point of, “so what?” What are they going to share about me? If this is bringing on flashbacks of junior high, that’s because it is extremely juvenile. Some of your friends are gossipers sharers but instead of spreading lies rumors it might be something you, again, chose to share. And finally my favorite that conveniently wraps this all up:

secure you have blocked all known applications that could leak your personal information

What does that even mean? The author actually “changed ‘good’ settings to say ‘secure’ since people were getting confused about whether ‘good’ was the highest setting”. This is a real joke of security. He apparently forgot to consider Facebook as an application. That application HAS leaked your personal information which is why he built this tool to begin with!

That is the entire reason people are upset with Facebook! Facebook does not respect your privacy. They could leak share your information at any time. More importantly, they could get hacked any time and your information wouldn’t just get shared but stolen. Now what setting do you change to prevent your information from being stolen?

The Internet was founded on principles of open and free communication. Now that our lives are stored on it, and Facebook has cavalierly opened them up for sharing. If you remember that they cannot share what you do not post, your privacy is not at risk (at least on Facebook). Information is gold on the Internet, and as my grandfather says, he who has the gold makes the rules.

First, a little background on their current process as I understand it. When a merchant has their Groupon sale, they set the number of Groupons that must be purchased in order for the deal to go live. After Groupon has sold all of the coupons, they mail the proceeds minus their fee along with a list of valid Groupon numbers to the merchant. It is then the merchant’s responsibility to accept and validate Groupons that customers present whether they are printed or displayed on a device such as through Groupon’s iPhone app.

The problem, as I pointed out in my last post, is that many, if not all, merchants don’t verify the Groupon number at the time of sale. If they were presented with a fake Groupon number or a number that has already been used, they won’t know until the transaction is completed and the customer is out of site. Groupon’s stance is that they do not want to burden the 99.9% of people who follow the rules just to protect against a few rotten apples.

There are two main sides to consider when approaching this problem. First, it can’t affect the customer’s experience. Waiting longer to checkout, jumping through more hoops, or creating a situation where the merchant is distrustful towards customers is not going to work. The other side is the merchants. They don’t want to invest in hardware or software, or teach their employees some advanced procedure just to verify a Groupon. Keeping these restraints in mind, I’ve come up with three ideas for merchants to plug Groupon’s loopholes.

1. API

Everyone has an API these days. It’s how things get done on the internet. Groupon could develop a simple API that accepts the venue and coupon number and return valid, expired, used. Give this API to developers and let them integrate it into existing apps or allow them to build their own.

Existing services such as OpenTable.com could allow people to indicate they plan on using a Groupon and enter their coupon number (having it validated in the process) when they make a reservation. Salons and spas who have online scheduling tools like ScheduleThing could accept and verify Groupon numbers as well. Merchants with PCs, smart phones, or tablets could run the code through a simple URL in a browser like http://groupon.com/merchant/validate

2. SMS

Cell phones and text messaging are ubiquitous so an SMS verification option would be extremely easy to implement for a merchant with a budget. You would text the Groupon number to an SMS shortcode and receive a verification back if the number is valid, expired, or used. Think of My Coke Rewards only simpler.

Scenerio: waitress comes to drop off the bill, you present your Groupon, she whips out her cell phone and texts in your code, she gets a response almost instanstly (it’s going to space give it a minute), and the bill can be adjusted accordingly. Simple, easy, almost frictionless.

3. POS

Point of Sale systems are typically proprietary, closed, and expensive. They are the last option for integration with simplicity as a goal. This doesn’t mean they can’t play a part in validating Groupon numbers.

Perhaps the POS would work with another solution to create a papertrail for management. When the waitress who texted in the code in my earlier example, she has to adjust the bill for a new amount. Her boss needs to know why, and the POS could report this. Tracking the use of Groupons with a POS would also expose to management how many of the Groupons they sold have been used.

With Groupon’s recent $30 million funding, perhaps they would be able to approach POS vendors to include a custom software piece for validation. It could be built direclty into the interface so a waitress or bartender or salon stylist or other generic register operator wouldn’t need to do anything differently than they do to add a milkshake or bloody mary or boy’s haircut or widget to the bill.

Those are just some quick but realistic ideas for making Groupon better and more secure for merchants. Groupon has a great and trustworthy community, but as it grows more people will test the boundaries of the system at the expense of the merchant. For a company projected to have $100 million in revenue this year, I would think they’d look into fixing some of their security issues.

Update

Forget $100 million in revenue. Groupon has now been valued at $1.35 billion.

A Month of Training

The first five weeks were actually all training. It was like boot camp for corporate life. We were showered with branded writing utensils, a locked down company laptop, and a corporate AMEX while being introduced to the endless online portals. It took a few days to cover the company’s core values and overall structure. I still pause when people ask me what “group” I’m in (simplest I can put it: Technology Consulting -- Security -- Identity & Access Management). There were two weeks of learning the “Solution Delivery Fundamentals” which was really encouraging to see how serious they were to sticking to good development practices. The final two weeks were spent out at the Q Center in St. Charles, Illinois with  230 other new analysts from across the world.

Core Analyst School was challenging for me, but we made sure to have fun. My technology background came in handy for a total for 2 hours for the entire 2 weeks. There was a lot of team building, business workflow, and mock client meetings. They put together this video at the end along with a photo album that kind of sums up the rest.

www.youtube.com/watch?v=nWdr1Gqhflg

(at 7:51 you’ll see my idea they used for our section’s mascot )

A Month on the Bench

We finished up CAS on December 18th just in time for Christmas. And New Years. And the week after New Years. One of the downsides (perks?) of consulting is that you don’t go to an office M-F 9-5 but if there isn’t a project going on you don’t work at all. I learned that nothing really gets done between the week before Christmas through the week after New Years, and then it takes another week to put together logistics. I got a little stir crazy but ended up helping out on a few tasks that people in the security group needed done.

A Month on a Project

Finally on January 18th, I was on my first project! The waiting paid off as I got to escape from the cold Chicago winter to sunny Los Angeles from Monday through Thursday for four weeks. The work wasn’t glamorous, but the nightlife made up for that. I think that’s one of the biggest misconceptions by kids right out of college. They think they’ve put in their time and now it’s time to have a dream job, but that’s not really how it works out most of the time. You have to put in your time and wait for your dream assignment. If you’re in a field you really like (or love) then waiting shouldn’t be hard.

What I’ve Taken Away So Far

There’s still so much to learn about -- business, technology, security, career development, networking (people kind), the list goes on. I’m taking it all in but so far:

1. I’ve tried to not put a whole lot out there about my new job on Twitter, Facebook, or this blog. I’m still feeling out what’s acceptable and working on security related projects makes that even harder.
2. Corporate America (esp. a tech company) love TLAs -- or three-letter acronyms to the layman. Every day I hear a new one or at least some sort of abbreviation for a word or phrase.
3. I didn’t think “building my network” was going to be enjoyable or worthwhile, but I was totally wrong. I might just make it as a people person after all

Now I’ve started the next chapter in my Accenture experience at a new project here in Chicago. I was a little bummed to stop traveling (i.e. rewards points), but the work is more interesting and challenging. I also hear Chicago has a summer if it ever stops snowing.

Think about it. They are approaching half a million users which is great but doesn’t compare to the multiple millions other social media services have. Bumgardner’s dozen or so fake accounts caused a little disruption and made a few people mad, but if his tactics were taken to the extreme by a large botnet the service would become unusable. Every location could be overtaken by fake accounts. Real users would get lost in all the fake check-ins. The only way to stop the onslaught would be shutting off the API, but even then Foursquare would be left cleaning up their venue and user databases for days if not weeks trying to figure out what’s real and what was generated by a bot.

I’m not advocating anyone go out and kill Foursquare. But it wouldn’t be hard to round up a couple hundred thousand bots by the end of the day and maybe a million by the end of the week. I don’t see how Foursquare could combat it with their current security policies (are there any?).

Why would someone want to shut down a fun service like Foursquare? Well there are some jerks in this world and then there always the money motivator.

Hey Foursquare Founders,

I’m the one responsible for overrunning your service and making it unusable thanks to your poor security practices. I see you got a million dollars in angel funding a few months back. Give me $1 million and I’ll undo all the harm I’ve done and everything will go back to normal.

Same scenario happens to banks every day and it’s cheaper for banks to payoff the hackers than admit to the public how insecure they are. If Foursquare wants to keep making business deals with companies like Zagat, they’ll do the same thing. Established companies aren’t going to pair with insecure startups that can be shut down by script kiddies just like the people aren’t going to deposit their money into an insecure bank.

Bumgardner offers a few suggestions on how Foursquare could improve their security like adding a CAPTCHA to the sign up process. (I was really surprised they didn’t even have that in place.) Foursquare founder Dennis Crowley even commented on the blog to assure people that the team was working on some of these flaws, but he seemed more focused on geo-accuracy than anything else.

I would really hate to see Foursquare lose out in the location based social network race because they couldn’t put together some decent security practices. I also hope other services like Gowalla take this seriously since they have about a third of the users that Foursquare does. Is it likely a botnet will take them down? Not really. Is it possible? For sure.

One of the problems I found in getting replies after inquiring about a Craigslist listing is that you don’t get a response from the Craigslist generated email address (i.e. gigs-yvmsq-1541740782@craigslist.org) you originally emailed. I also found that most people didn’t keep the same subject line and didn’t include what I originally wrote which is what made this scam so hard to spot. If I hadn’t been answering so many different ads and hadn’t actually been looking for Craigslist paid surveys, I would have immediately marked this as spam. Here’s what the email said:

Craigslist Paid Survey

Dear Applicant

Thank you for your recent online application on Craigslist dated 3rd November, 2009. We appreciate your quick response as we believe it portrays good sense of responsibility and efficiency.

We are a dynamic Organization Development and Management Consulting firm involved in helping Companies achieve market leadership and Improve connections between professional services firms and their client organization. Our company is currently conducting a survey on Money Gram Outlets to help measure and improve effectiveness of the services they provide to the general public. This is as a result of complaints from some of Money Gram reliable customers about the behavior and orderliness of most Money Gram outlets.

The survey involves you visiting a Money Gram Outlet in your area to patronize their business services as a customer and give us feedback on your overall customer experience by filling a simple online questionnaire. Each survey takes a maximum of 20 Minutes to complete and you’ll be paid $85 for every survey completed, No Sales Involved and this will not inconvenience your present occupation.

If you are interested in participating, please send us a reply with your Full Name & Email Address, we’ll get back to you after receiving this information to confirm your participation in the survey.

Your faithfully,

Terry Schultz

Research Analyst

RSM Research

14621 Firethorne Path

Fort Wayne IN 46814

260-494-3832

It’s a pretty legit sounding email and they end it with only needing my email address and full name (nothing too personal and come to think of it they should already have it if I responded in the first place). I willingly responded and a few days later got this very real looking email:

Survey Date

Good Morning,

This is to confirm you have been selected as our Survey / Evaluation agent in your area. You will be evaluating Money Gram outlets in your neighborhood and the survey date is November 13, 2009.

Please note that you will be required to visit one Money Gram outlet within your neighborhood to patronize their business services as a customer and give us feedback on your overall customer experience with them by completing a questionnaire.

Funds to cover all expenses needed to conduct this survey will be delivered to you on the surveydate by USPS. Deduct your compensation of $85 after receiving the funds and proceed to the nearest Money Gram with the remainder of the funds to complete the actual survey evaluation, further information on how to proceed will be emailed to you on the survey date.

Respond ASAP to this email on your acceptance and willingness to carry out the survey with your Full Name, Mailing Address, Phone Number where the funds and guideline to completing the surveyshould be mailed to.

Thank you and hope to hear from you today.

Your faithfully,

Terry Schultz
Research Analyst

RSM Research
14621 Firethorne Path
Fort Wayne IN 46814
260-494-3832

I gave out my address and my Google Voice number. (I don’t consider my apartment that I don’t have long term plans of staying at very sensitive information and my Google Voice number isn’t real either since it just forwards to a number of my choosing.) Now a flag should have started to go up when I didn’t hear anything after a few emails, but then an update came a week later.

Money Gram Survey Update

Good Morning,

We apologize for the postponement in the survey date, it was due to a logistic arrangements error by our courier. The survey funds will  be delivered today or tomorrow by USPS. Follow the below instructions to complete the Evaluation as soon as you receive the funds.

Attached below is the Money Gram form, study the questions carefully before conducting the actualsurvey on Money Gram and have the form filled out and emailed back to me after completion of thesurvey.

1.1 Write your Name & Address on the pay to Column of the Money Orders and fill in the return name and address on the package on the Sender Column before cashing them at your bank.

1.2 Deduct your pay of $85 after cashing the Money Orders.
1.3 Deduct another $65 for transfer fees.

Locate a Money Gram Outlet near you to conduct the survey by patronizing their business services, you are to appear as a potential customer making a Money Gram transfer to a relative outside the country. Below is the transfer information you need for the wire.

Transfer Amount : $1650
Receivers Last Name: Adams
Receivers First Name: Jonathan
Destination: Pretoria, South Africa 0180

Be sure to observe how long it took you to get services, Smartness of the attendant and Customer service professionalism during the transfer process and Under no circumstances should the Money Gram Agents know this evaluation is being carried out on them.

Email me as soon as you make the transfer with the following information;
Reference #, Amount Sent, Name And Address Of Sender.

Thank you and get back to me as soon as the survey is completed today.

Your faithfully,

Terry Schultz

This is about the point where all my flags went up that this had all been a scam when I saw they wanted me to send money to South Africa. I have nothing against South Africa, but when you’re on the same continent as Nigeria you become scammers by association. It also didn’t add up why a company in Fort Wayne, Indiana would have me send funds to a different continent. I marked this email as spam and moved on with my life.

That is until I received an overnighted USPS envelope the next day with two postal money orders inside totaling $1925. The scam plot continued to thicken as both  money orders were from a Cary Ross in New York City but the envelope was sent from Carla Killeen in Joshua, Texas.

I initially thought, “Oh no, some poor woman has been scammed! But maybe I can get her her money back…” I did some googling to see if I could find any information about either sender. Unfortunately, I didn’t find much. The NY address was for an apartment building and the TX address was out in the middle of nowhere. Neither name returned anything in either city or state either so I was stuck.

In my frustration, I started examining the postal money orders and noticed how cheap they looked. I had never seen or used one in my life, but have seen some counterfeit money and fake IDs in my time. I quickly brought up the postal money order security features and saw the Ben Franklin watermarks were missing and that the vertical thread looked more stamped on than weaved. To confirm my suspicions, I called the US Postal Money Orders hotline (1-866-459- 7822) and entered the serial numbers, amounts, and ID to verify they were fake.

This is the point where I could have just walked away, but I figured that these scammers had wasted enough of my time that I could try to turn them in somehow so I called my local FBI field office. A few seconds into my story, they cut me off and knew exactly what I was about to tell them. In true government fashion, I was told to visit http://www.ic3.gov and file a complaint and to keep the fake money orders as evidence.

Like I already said, if I hadn’t been answering so many craigslist posts this would have never happened. I wanted to post their emails verbatim so search engines could index them incase other people get them. When I was searching for information about the NY and TX residences, I found out that the first email I received was a scam but it didn’t look like anyone had become as involved as I did.

Nothing ever came of my complaint (not a big surprise). I’m glad someone didn’t get scammed out of any real money. I’m REALLY glad I didn’t try to cash those fake money orders. I hope someone finds this post before they get involved in a dumb scam or can at least get out of it if they are already involved. In closing, here’s some tips from the United States Postal Service for protecting yourself against money order fraud.

Source: Flickr

Before I continue, I will say once again that Mac OS X’s Time Machine with Apple’s Time Capsule is the easiest and most thorough backup solution around. Set and forget it. Never worry again about anything. I love it and highly recommend it to everyone I know (and those I don’t). When I got my new Macbook Pro, instead of having to spend a day or two configuring settings and installing new software I was able to just plug it into my Time Capsule and tell it I want it just like my Macbook and in a little over an hour I had an exact clone. It was a real time saver!

On to the problem at hand, what happens when Time Machine can’t back up anymore because there isn’t enough space on your Time Capsule? I called Apple Support for ideas and of course their first answer was to buy a bigger Time Capsule. The 1 TB model would suffice and the 2 TB model would probably be best, but I don’t have an extra $300 – $500 at the moment to buy another one.

The other solution was to erase my current Time Capsule and create a fresh full backup. This would erase months of backups which means I wouldn’t be able to restore to previous versions of files or recover files I had accidentally deleted. I was comfortable enough to do this so I took the following steps:

1. Turn off Time Machine in System Preferences
2. Open Airport Utility and select your Time Capsule from the list of devices on the left
3. Click “Manual Setup” and then the “Disks” tab at the top
4. Click “Erase…” and choose which level of security you want

AirPort Utility

I chose the quick erase option since I was going to be putting the exact same sensitive information back on the hard drive. This also is the quickest method so you can get to the next step. After it has been erased, connect your Mac to your Time Capsule with an ethernet cable if you’ve been doing this wirelessly thus far.

WARNING: Performing a full backup over WIFI will literally take DAYS

Once they’re connected via ethernet, go turn Time Machine back on in System Preferences and select your disk once again as the backup destination. This first full backup will still take a few hours when you’re connected via ethernet so you might want to leave it running overnight.

That solution is really just a “bandaid” and won’t last long term. Sooner or later, I’m going to need a bigger external hard drive. It doesn’t have to be another Time Capsule, but it’ll be easiest if it is. So what do you do with your old Time Capsule?

• Use it to backup another Mac with a smaller hard drive and expand your home network range
• Use it as a network storage drive for media, etc. and expand your home network range
• Sell it to a close friend or someone who isn’t very tech savvy

Why do I say that? Even if you use the most secure erasing methods, your data is really never gone. If you think about what Time Machine is doing, it’s not just keeping every single file that has been on your Mac but also the different versions you’ve had of it. If you’re one of those naughty children who keep a text file named “passwords” on your desktop with all of your passwords in it, someone could not only recover what your most recent passwords are but look back at what different passwords you’ve used in the past. From there, they could look for patterns in your passwords and maybe even guess future passwords.

If you noticed in my screenshot, we have tons of other Apple products spread around our house that makes our WIFI network awesome. When you’ve outgrown your current Time Capsule, turn it into a media server to store all those pictures and videos that are accumulating from weekends and vacations. I’ll probably dedicate mine to all the HD video my Mino Flip HD camera takes so I don’t have to worry about filling up another hard drive.

For you hardware hackers out there that probably thought this was going to be a post about cracking open your Time Capsule to throw in a much bigger hard drive, it has been done already. My only warning is that when I took my TC in to the Apple Store to check an ethernet port, the Genius technician told me that if you try to pop open your TC to change the drive you’ll probably break it completely. Apple doesn’t want you in there so they’ve designed them accordingly. That’s my only word of caution from the horse’s mouth.

Backup, backup, and backup again!

I follow a few discount hunters that often turn up great technology deals. Today, I came across a deal from FatWallet.com for Kaspersky Internet Security 2010 Legit 1 year key on 22nd Oct. I hardly use Windows anymore, but when it comes to antivirus software, Kaspersky is the first name that comes to mind.

For full disclosure and FTC compliance, I’m not being comped to write this. This is a true testimony to Kaspersky’s PC defense. When I was in high school, I used to wander through what the Indiana University IT Security Policy Officers considered the “dark alleys of the internet” (read: IRC). So, I stopped and lost my edge on landing a real security job.

The first time I heard about this crazy awesome antivirus program from Germany, I had no idea how weak Norton and the rest of Symantec were to defending from script kiddies. When I would be associating with other individuals who were wreaking havoc with super simple tools like Sub7, our first test was whether it passed through the latest Norton, then the latest McAfee, and if you had a build that got through Kaspersky you really had something on your hands.

After Sub7 builds got picked up every afternoon, folks got into bots that included rootkits for poorly managed linux servers. Associates of mine on IRC could control thousands upon thousands of “bots” with a few favors from friends (read: the stuff you read on the news now 5 years later). When enough people had been “in the game” long enough, they started writing their own custom bots that did what they needed. Some wanted to automate clicking ads, others wanted to take down sites (read: DDOS), and some just loved the voyeuristic aspect of watching what everyone typed.

The key to rolling your own bot was being undetected from antivirus networks like Symantec, McAfee, and Kaspersky. The dumb AVs would take days if not weeks to recognize a new suspicious malware app. If you scanned your custom bot (aka virus aka malware aka bad thing) with Kaspersky, it would be picked up and added to their database within hours. So if you, the badass coder, gave your buddies your new creation and they scanned it too often, too quickly it would be flagged as a threat. Awesome for stay-at-home moms, terrifying for stay-at-home hackers.

When I was evaluating PC antivirus software on a daily basic (full disclosure: from a somewhat malicious point of view), I only respected Kaspersky. Symantec was a joke, McAfee wasn’t much better, and I knew I had something when Kaspersky missed it. Maybe things have changed, doubtful I’ll get a good hacker to poke his/her head up to tell me differently, but I still hold my alliances with Kaspersky when it comes to Windows defense. Maybe I’ll do more research on the better Mac AV (Kaspersky doesn’t have one >:[), but until then I’ll defend my virtual machine with the best antivirus software I’ve ever attacked.