Friday, August 31, 2012

Facebook - Not So Private!

By Daniel Emery, Technology reporter, BBC News

(CANADA) The man who harvested and published the personal details of 100m Facebook users has spoken out about his motives.

Ron Bowes, a Canadian security consultant, used a piece of code to scan Facebook profiles, collecting data not hidden by users' privacy settings.

The list, which contains the URL of every searchable Facebook user's profile, name and unique ID, has been shared as a downloadable file.

Mr Bowes told BBC News that he did it as part of his work on a security tool.

"I'm a developer for the Nmap Security Scanner and one of our recent tools is called Ncrack," he said. "It is designed to test password policies of organisations by using brute force attacks; in other words, guessing every username and password combination."

By downloading the data from Facebook, and compiling a user's first initial and surname, he was able to make a list of the most common probable usernames to use in the tool.

The three most common names, he found, were jsmith, ssmith and skhan.

In theory, researchers could then combine this list with a catalogue of the most commonly used passwords to test the security of sites. Similar techniques could be used by criminals for more nefarious means.

Mr Bowes said his original plan was to "collect a good list of human names that could be used for these tests".

"Once I had the data, though, I realised that it could be of interest to the community if I released it, so I did," he added. I am of the belief that, if I can do something then there are about 1,000 bad guys that can do it too”

Mr Bowes confirmed that all the data he harvested was already publicly available but acknowledged that if anyone now changed their privacy settings, their information would still be accessible.

"If 100,000 Facebook users decide that they no longer want to be in Facebook's directory, I would still have their name and URL but it would no longer, technically, be public," he said.

Mr Bowes said that collecting the data was in no way irresponsible and likened it to a telephone directory.

"All I've done is compile public information into a nice format for statistical analysis," he said

Simon Davies from the watchdog Privacy International told BBC News it was an "ethical attack" and that more personal information had not been included in the trawl.

"This is a reputational and business issue for Facebook, for now," he said

"They can continue to ride the risk and hope nothing cataclysmic occurs, but I would argue that Facebook has a special responsibility to go beyond doing the bare minimum," he added.

Snowball effect

Mr Bowes' file has spread rapidly across the net.

On the Pirate Bay, the world's biggest file-sharing website, the list was being distributed and downloaded by thousands of users.

One user said that the list showed "why people need to read the privacy agreements and everything they click through".

In a statement to BBC News, Facebook confirmed that the information in the list was already freely available online.

"No private data is available or has been compromised," the statement added.

That view is shared by Mr Bowes, who added that harvesting this data highlighted the possible risks users put themselves in.

"I am of the belief that, if I can do something then there are about 1,000 bad guys that can do it too.

"For that reason, I believe in open disclosure of issues like this, especially when there's minimal potential for anybody to get hurt.

"Since this is already public information, I see very little harm in disclosing it."

Digital trends

However, he said, it also highlighted a new trend that was emerging in the digital age.

"With traditional paper media, it wasn't possible to compile 170 million records in a searchable format and distribute it, but now we can," he said.

"Having the name of one person means nothing, and having the name of a hundred people means nothing; it isn't statistically significant.

"But when you start scaling to 170 million, statistical data emerges that we have never seen in the past."

A spokesperson for Facebook said the list was "similar to the white pages of the phone book.

"This is the information available to enable people to find each other, which is the reason people join Facebook."

"If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications."

Earlier this year there was a storm of protest from users of the site over the complexity of Facebook's privacy settings. As a result, the site rolled out simplified privacy controls.

Facebook has a default setting for privacy that makes some user information publicly available. People have to make a conscious choice to opt out of the defaults.


Thursday, August 30, 2012

What is Google's "Humility Algorithm™"?

[Grant Crowell's Interview with Michael Roberts - October 30, 2010.]

GRANT: What is the "Google Humility Algorithm?"

MICHAEL: Please understand that I am answering these questions with the presupposition that it does in fact exist because my assertion is based on my empirical observations... I believe it really is out there!

Originally I called it “Google's Humiliation Algorithm”; however, I realized that I might have been jumping to conclusions because in context “humiliation” could imply that Google is deliberately humiliating the subjects being Googled. I opted instead for “Google's Humility Algorithm” to give Google the benefit of the doubt with respect to intent; humility is considered by right minded people to be a noble state of being although I would argue that it should be voluntary. I believe the humility algorithm is a provision within the Google search formula giving what would otherwise be unmerited high search rankings for a small number of web pages containing derogatory or demeaning words in close association with proper nouns such as personal and business names.

GRANT: How does it occur?

MICHAEL: I don't know; I would expect that Google guards its algorithms like KFC guards its secret recipe. Notwithstanding, although I cannot see the wind, I see its effects. Based on my observations and the tests our team have run, if I were to hazard a guess I would say there is a list of “humility words”; nouns and adjectives that bring the hypothetical algorithm to life. These words include ponzi, scammer, abuser, whore, tax cheat, playboy, felon, conviction, indictment, bankrupt, molester, fraud, cheater, pyramid scheme, etc -- I'm sure you get the idea. There are also some web sites apparently designated as humility domains by default and they include the likes of ripoffreport.com, complaintsboard.com and, interestingly, blogspot.com.

GRANT: What is the reason for it occurring?

MICHAEL: I sincerely hope that Google's intentions were pure and that they were simply trying to ensure that the search results were diverse and balanced; lest genuinely bad individuals and organizations use expensive SEO techniques to bury legitimate dissent, competition and whistle blowing.

GRANT: What effect does it have on Google's search results (and search relevancy)?

MICHAEL: The humility algorithm seems to have special reservations for positions 3 and/or 4 on page one of Google search results. My close observations suggest that these high-ranking results have, almost without exception, some type of a humility keyword in close proximity to the search subject's name. This year's "Caffeine" release of Google search has shifted the weight somewhat with humility search results being more random between #1 through #4 on page one and now it seems that #1 on page two has been reserved for humility results, but not always.

GRANT: What examples can you provide as evidence (can cite both existing and past)?

MICHAEL: I cannot really go into too much detail here because much of our work is based on real-life cases for clients. In some instances we have individuals literally on the verge of suicide because of the problems this was causing; unfortunately the child of one of our clients succumbed to the pressure several months ago. That being said, now that your readers have been told what patterns to look for, it won't take long to verify my assertions. And I would invite any brainiacs out there who have a better head for maths than I, to do some serious testing. I would appreciate being privy to the results.

GRANT: If you are correct, do you think this is accidental or intentional on Google's part?

MICHAEL: I believe the algorithm is very deliberate; but it is the intent that I am more interested in. In other words "humility vis-à-vis humiliation", or "don't be evil vis-à-vis evil is relative".

GRANT: If intentional, what would you argue is Google's motive or motives?

MICHAEL: If it is a humiliation algorithm [i.e. evil], then it could be argued that Google could benefit when users decide to click on a Google AdWords link to a humiliation victim's competitor once the user has read the negative results for the business he or she found in organic Google search results.

GRANT: What are the problems this creates?

MICHAEL: That is a whole 'nuther conversation which stretches from mild emotional annoyance for some individuals right through to suicide and breakdowns. I have personally witnessed these two extremes and everything between in the last three years. For businesses, the same emotional toll for the individuals involved through to insolvency; once again I have seen it all. I would even go so far as to say that the Wild-Wild-Web combined with the US Congress' existing subsidy for Internet libel, through Section 230C of the Communications Decency Act, is a clear and present danger to the national security of the United States. A competitive market driven economy can no longer function on a level playing field in these conditions; in many vertical markets the only businesses that can win are those willing to stoop to either “doing evil” by smearing their opposition with "googledoo", or looking the other way when it is within their power to act. I am referring here to the many thousands of tear soaked letters sent to Google et al, begging for the removal of egregious allegations from search engine results. These are usually met with canned template responses encouraging the victim to simply create more online content with positive spin to dilute the negative postings.

I find such narcissistic corporate cultures to be reprehensible on at least two levels.
(1) The very law that gives ISPs the immunity to turn a blind eye to such requests is in fact titled “Good Samaritan” protection, clearly implying that it was Congress' intent that the recipients of such letters would do the right thing.
(2) Such letters encouraging the creation of more online content serve the purpose of creating more advertising platforms for AdWord campaigns; victims effectively become slaves at worst or indentured servants at best to Google by creating more of what it devours and profits from, information.

GRANT: In your opinion, would this put Google in a position of increased liability? Or are they fully protected by the CDA?

MICHAEL: This would be a good opportunity to make it very clear that I am not an attorney, although I consult for many of them in these matters. As such, I would rather defer to the wisdom of suitably qualified, but more importantly qualified professionals to express such opinions.

GRANT: What do you think needs to be changed and why?

MICHAEL: I would start with the human heart and the nastiness epidemic, but that comes only from a miracle of God. Otherwise, if I could wave a magic wand I would like to see some common sense amendments made to the Communications Decency Act which still gives generous immunity for Internet service providers but conditional upon reasonable attempts to comply with the intent of the “Good Samaritan” clause which is found specifically in TITLE 47, CHAPTER 5, SUBCHAPTER II, Part I, § 230(C).

GRANT: What questions do you think Google needs to answer for in light of this evidence?

MICHAEL: My questions would be simple:
(1) “Does the humility algorithm exist, and why?”

(2) Do your family members receive the same cookie-cutter responses when they ask you for junk results to be removed from your search index?


Wednesday, August 29, 2012


by Margaret Overton

In 2002, I decided to leave my husband. There was only one argument, really, that I remember. In mid-November, on a Sunday morning, Stig called to ask what I was doing that day. He'd been up early, making rounds at the hospital. "Thanksgiving is Thursday," I said. "I've got to bring the decorations and the turkey dishes up from the storage locker, and I was going to take the boxes that are piled up in the dining room downstairs, get them out of the way."

Stig didn't reply.

"You know, the lift is broken," I said.

"How dare you."

"Excuse me?"

"How dare you ask me to help you. I bring home the bacon. I don't ever want to be asked to help do anything around the house."

I hung up. My hands shook. The rage in his voice was out of proportion to a few boxes to be carried to the basement. And who said stuff like, "I bring home the bacon"? It was irrelevant. I'd worked or been at university our entire marriage. As had he. But it was a pivotal event. He stopped talking to me. And I stopped sleeping.

I didn't have money of my own; Stig had made sure of that. Then, miraculously, my medical practice offered me a job. I wrote Stig a letter, and put it on his desk – talking to him directly never worked out as planned. Plus I'd stopped sleeping in our bedroom and seldom saw him if and when he came home. One morning I walked into our bedroom. He was at the desk, working on his laptop. He quickly closed it when he saw me.

"What do you think about the separation?"

It had been two weeks since I had given him the letter. Stig just stared at me. He looked like someone I'd never seen before. His expression seemed scrunched, pinched, so taut that no blood could flow to the surface. His face held rage. "That's fine," he said.

Twenty years, two children and that was it. No discussion, just "fine".

A few days later, I moved to our weekend house in Michigan. When I came back to Chicago to meet an estate agent, the building engineer mentioned that my husband's girlfriend looked, from behind, just like one of my daughters. That's how I found out he had a girlfriend.

I lived in our weekend house for the summer, waiting for my job to begin, waiting for our apartment to sell. In the months after I left, after 20 years together, when I hadn't yet learned what the narrative would be, I didn't know about the girlfriend – or all the girlfriends, rather, all I knew was that he had turned into someone I no longer knew or trusted. I could barely stop crying long enough to drive my car to the off-licence. I took it there frequently. I couldn't sleep unless I drank half a bottle of wine before bed. I cried until my head ached. I had headaches every day.

Then, in a few brief weeks over the summer, the apartment sold. In September, my daughter Ruthann, who was still at high school, and I moved into a two-bedroom apartment with no view, high ceilings and large rooms. After a day of moving, my phone rang. "Margaret, this is Leo Kennedy." Leo Kennedy was a friend of my former brother-in-law. I hadn't seen him in years. "I've been wanting to call for months, ever since I heard you were separated. I'd like to take you to dinner." He was at least 70. Maybe older.

"Leo, it's just too soon for me," I said.

"I'll wait. I'll wait three weeks, then call?" I suppose Leo didn't have a lot of time to waste.

I let Leo go to voicemail for the next couple of weeks, but I registered the wake-up. Does anyone plan on being single at 44? One night I took off my clothes and stood in front of a full-length mirror. The lighting accentuated my cellulite and wrinkles, made me look depressed and a bit criminally insane. I looked like a woman who'd been left in middle age, even if I had done the leaving.

On a Saturday afternoon I was on the internet, shopping for things I didn't need. A screen popped up: match.com. I did not know how to meet men. I didn't go to bars, I was paralysed with shyness and almost all my friends were married or gay. The internet seemed a good place to start. As I read the profiles, I recognised some very angry people. They sounded like me, or like the me I didn't want to acknowledge. I would have to be careful.

I started slow. Anyone with even a passing resemblance to Stig, I immediately deleted. Then there was an email from Ed, a doctor of psychology. This was important to me because I thought it appropriate to date men as educated as myself. There's no box to check for that on match.com.

We met at a bar. "Tell me about your research," I said.

"I study sexual behaviour," Ed answered.

"Ah," I said, nodding. Of course he did. Our talk was relatively serious, in contrast to our emails, which were funny. His sense of humour seemed limited by his… person.

"So how does this work," I asked, "this dating thing?"

"Well," he hesitated, "I've dated a lot of women. And what usually happens is, after a month of sleeping together, I find a way to extricate myself from the relationship. And it's painful. Because even if the woman says she's just interested in something casual, she gets hurt. I think a woman's interest in a man grows once they're sleeping together, whereas a man stays interested for about a month, then he stops. There's actually hormonal evidence to substantiate this scenario."

This guy was every woman's worst nightmare. He was using scientific research and probably US government grant money to justify being a jerk.

"What about fun?" I asked.

"Fun is important, but sometimes I think it helps to get sex out of the way first. We could do that tonight, if you like." He looked hopeful and innocent. Or, rather, he looked like a caricature of innocence.

"Thanks, but I'm fine," I answered.

Following my aborted rendezvous with Ed, I met Angel, a banker, who arrived 20 minutes late at a coffee shop. He appeared sweaty and dishevelled, his face covered with tiny lacerations. "I have obsessive-compulsive disorder," he said. "The reason I have so many cuts on my face is because I shaved six times before I came to meet you." I nodded. "Huh," I said.

Hank, a securities analyst, took nondescript and made it a superlative. Lunch went reasonably well, and Hank was dull but showed no obvious signs of self-mutilation, so we decided we'd meet the next night. That evening he called and said he'd been fired. "Can I make dinner for you?" I offered, feeling terrible for this man I had just met. I invited a total stranger to my apartment.

Besides being fired, he told me about his prostate troubles, gastrointestinal difficulties and recent gum surgery. His ex-wife had left him for another man. It was like having dinner with Eeyore, if Eeyore had been constipated, couldn't pee and had gingivitis. By the end of the evening, I was ready to leave him, too.

In summer 2004, two years into divorce proceedings, with no end in sight and legal fees mounting, I met a businessman named Nigel through a neighbour who described him as "good-looking" and intelligent. Consider "good-looking" a subjective adjective. We met at a lovely Italian restaurant. Immediately, he asked if I liked poetry and pulled out what he called his "favourite" book of poems: The Poetry Of Richard Milhous Nixon. It contained, in poetry form, excerpts from the Watergate tapes. I was relieved. I thought, he has a sense of humour – this might work out. It was the last funny thing he said or did for two months.

I decided to have sex with him. Maybe he would redeem himself. And I was not thinking clearly. Luckily, sex turned out to be the clincher. After removing his shirt, I got the distinct impression that Nigel had not bathed. This turns some women on. I am not one of them.

After Nigel, I decided to try match.com again. There were so many issues I did not want to deal with. I did not want to face the fact that Ruthann would soon go to university, leaving me to live alone for the first time in my life. I did not want to consider why I'd stayed married for 20 years to a man I did not like. And now here I was, dating men I found unappealing, hoping they would like me. Once again thinking that the right relationship could fix my life. It never occurred to me to ask myself, how do I fix this?

In late September, I received a match.com email from a man named Alex. He told me about himself in a way that was articulate, funny. We met in early October. We talked for three and a half hours; he told me he'd lost his wife after a long illness. Still we managed to laugh. I'd finally found someone I liked. I emailed, saying what a wonderful time I'd had, offering to make dinner. "I haven't had anyone cook a meal for me in a couple of years," his email said. "I don't know if I will know how to act, so tread cautiously."

I did not take his advice. I wish I had. Alex had disaster written all over him. It had been six months since his wife died; for complex reasons, he had only begun to grieve. He treated me as a temporary player in his life, introducing me as his "date" after we'd been together for five months. He grabbed me in public, as if he were a schoolboy, sliding his hand under my skirt when he thought no one was looking. When I objected, he withdrew behind a wall. After an argument, he told me, "I don't love you, and I never will." We hadn't been talking about love. After six months, I asked if he would be available to have dinner for my birthday. "No," he said. "I'll be out of town." What about the week after? "I'll be gone then, too." Silence. I heard the sound exactly as he intended it.

In August, at the age of 88, Mum fell into a creek while playing golf. We felt quite lucky she did not lose consciousness and drown. I had her transferred to my hospital, where surgeons operated to stabilise her neck. My sisters and I decided to move her into a retirement home. We needed to get her used to the idea, but the surgery had left her demented. "Stop treating me like a chicken!" she cried when I visited her that day. My normally sweet mother had transformed into a harridan.

I thought, if this is the future, the future looks grim indeed. I slid into a depression that held on to me tight. Had it not been for my daughters, I might have let go. My despair felt interminable. I knew something had to change. I could not continue doing what I'd been doing.

I told work that I wanted back into the partnership track, to be full time. I made plans to travel. I quit match.com and ordered expanded television with classic films. I became comfortable staying home on Saturday nights by myself. Responsibilities accumulated, friendships multiplied; the lack of a relationship in my life seemed almost unnoticeable.

After four or five months, several friends offered to fix me up. I hesitated. Then one told me about a dating service she'd used. It's not cheap, she said, but when people have to go through an interview and shell out money, they're more likely to be serious about wanting a relationship.

Charles was the fifth man I met through Dating Alliance. I felt unaccountably nervous – doubtful that I'd like him, afraid that I would. I'd met so many weird men by that point. He was originally from the Netherlands and owned a manufacturing company. He spoke several languages. He was tall, maybe 6ft 5in, bald, with a skinny, white, handlebar moustache, and he looked every day of 60. Perhaps older. He asked if I'd join him for dinner. "I told the women at Dating Alliance my concern about dating someone with kids, but they assured me your kids are older."

"Why don't you want to date anyone with kids?" I asked.

"Because they always come first," he said.

Ah, I thought.

"What about your work?" he asked. "Are your hours predictable?"

"No," I answered.

He looked unhappy. I almost felt sorry for him.

When we left the restaurant, a homeless man walked up to Charles, who took out his wallet and handed him some money. I heard him murmur, "You're not going to drink all this, are you?"

"No, sir, I'm not."

"Can I call you?" Charles asked me. I wasn't attracted to him. He was controlling, probably narcissistic, one more of the same old same old. Then again, I just wanted to date. Casually. Have some fun. So I said OK.

He asked me out that Friday night. We walked to a sushi place. I was exhausted. Conversation felt like work, and I'd already spent 12 hours in the operating room. After, we walked back to my apartment. We were discussing the upcoming election, standing in the kitchen, then wandered into the living room. We sat on the sofa, facing each other. Suddenly he yanked me towards him, put his mouth on mine, roughly, holding my neck tightly.

"Wait!" I said.

"You want me to stop?" he asked.

"Yes!" I said. "I want you to stop."

I turned my head. I wanted to get a breath that didn't include him, didn't include his scent, but for that moment, I must have relaxed and the tension must have lessened imperceptibly. It was enough. He flipped on top of me and yanked my trousers down. I said again, "Stop." He was huge and heavy. I thought, if I fought him, he might hurt me more, so I said, enunciating clearly, as if to a child, "Charles, if you do this, I will never see you again. Is that what you want?"

"No," he said. He shoved himself inside me.

Afterwards, I opened the door, he walked out, and I quickly locked it behind him. I felt the numbness of shock.

Rape can make a person catatonic. It did that to me, initially. Days passed. Weeks. I barely blinked. I lay in bed without sleeping. I repressed every thought, every feeling. I did not answer Charles's calls. He rang and left messages for a week or so, then stopped. Rape stays with you – the violence and the fear – it stays with you, in small and large ways, and it screws up your life and your relationships for years. But while it is a sexual act, it is only marginally about sex. It is an assertion of power, an act of intimidation.

The only relief I found was in riding my bike, the constant motion of it. I rode every day I could – along the lake front, in Michigan on day trips, in the suburbs when I visited my mum. Eventually, I made plans. I had a week of holiday in October and decided to take a bike trip. Although I'd done these cycling vacations before, this one marked my first time alone. I felt awkward. A younger woman, in her late 30s, thin and very fit, stuck out her hand. "Hi, I'm Micheline," she said. "Margaret," I said. A dark-haired man walked up to us, in biking gear and a jacket. "Henry," he said, "from New York," and held out his hand. "Margaret," I repeated, and shook it.

The roads, that first day, were empty, the sky blue. The group quickly spread itself out. I had no interest in hurrying and I planned to bike alone, at my own pace. Henry cycled with me, or behind me, all day. He asked questions. I answered, briefly, to be polite, and gradually the beautiful day and his genial company lifted my mood.

The second day we rode toward the coast. Once again, Henry rode with me. That night at dinner, he ordered wine for us. He asked me questions all evening. By the time dessert arrived, I felt exposed and exhausted. The next day, he apologised. He seemed to recognise his intrusiveness of the evening before. He rode beside me again, but he kept the conversation light. I thought, he seems like a good guy. But I knew I had bad judgment. And you cannot know someone in three days.

We ate dinner with the group, then left the restaurant and went for a walk. We stopped in a pub for a drink. As soon as we sat, Henry turned my barstool to face him. He took my hand and studied me intently. "Margaret, can you live in the moment?"

I frowned slightly. "I'm not sure I know what you're asking," I said. Much later I realised what I should have suspected then. His question had nothing to do with living in the moment. It had everything to do with sex, meaning sex with no strings attached. But there could be no such thing for someone like me, after all I'd been through, at that point in time, with someone like him.

Henry's divorce commenced soon after the Napa Valley trip. We saw each other over the next four months, and spoke nearly every day on the phone. We lived in different states. I stayed cautious and circumspect, or I thought I did. Then, one day, in the middle of discussing hotel reservations, Henry said he couldn't see me any more. His coldness stunned me. I sent him an invitation to my 50th birthday party six weeks later but he declined. I never heard from him again.

I feel confident that you would like a Hollywood ending to this story. I wish I could give it to you. But I'm afraid you would need to think in terms of independent films, not your typical big-studio romance. I stopped dating after Henry. I began writing and recognised my own patterns of behaviour, behaviour that seems obvious and destructive in retrospect. I gave up the internet, though friends still tell me it's the only way for a woman my age to meet a man. I find that incredibly depressing. Growing old is not for sissies. On bad days, I think I've made every mistake out there and know to anticipate the worst. On good days, I know I am lucky to be alive. Every day I wish that wisdom were not accompanied by receding gums, memory loss and joint deterioration.

Tuesday, August 28, 2012

Surviving the Cyberpath

It Takes A Strong Individual To Survive An Exploiter
(in this case a Cyberpath would be an 'EXPLOITER')


You really need to admire yourself for surviving an exploitative relationship. I say this very seriously, not flippantly. We all, of course, hope to minimize our involvement with exploitative individuals. But in the course of life, as we know, that’s not always possible.

It is vital, therefore, if you’ve been victimized by and/or are recovering from involvement with an exploiter, to fully, genuinely appreciate (and remind yourself constantly) that you are indeed strong, impressively strong, because only the strong survive exploitation.

Many clients with whom I work (really, most people, I think) tend to see personal strength and insecurity; personal strength and low self-esteem, as incompatible. They balk at the idea that you can be a very strong person and insecure at the same time; that you can be a very strong person even with low self-esteem.

For instance, when someone violates you (especially chronically) and you don’t defend yourself properly, the tendency is to attribute your failure at self-protection to “personal weakness.” The thought is something like, “If I was a strong person, I wouldn’t have let that abuse occur. I’d have asserted myself, defended myself, drawn the line.”

But it’s not personal weakness that explains the failure to protect your boundaries; it’s more often a lack of clarity in knowing precisely what your boundaries are, and precisely what constitutes an unacceptable violation of them. Victims of sustained exploitation/ abuse aren’t personally weak, quite the contrary. My experience has affirmed again and again how remarkably strong and resourceful most of them are. What they lack, however, often is a clear, secure sense of their boundaries; this insecurity of boundaries leaves them vulnerable to compromising themselves. After all, you can’t assert and/or protect your boundaries unless and until you’ve established them very clearly and securely (in your mind).

This explains what for many can seem so confusing and dichotomous: how a victim of sustained exploitation/abuse can, on the one hand, lobby so effectively for others’ interests while, with respect to her/his own, appear stuck in circumstances (s)he’d counsel anyone else to reject and escape.

But I restate: you can’t protect your interests if they aren’t, in the first place, clearly defined. And you can’t defend your boundaries if, on any level, you’re uncertain, or ambivalent about, what they are. This disadvantaged position helps explain how an otherwise strong, resourceful adult can find her/himself tolerating and enduring the meanness and nonsense of a defective partner.

When my clients who have been in exploitative relationships confidently discover their boundaries, they often feel sad, on one hand, not to have done so sooner; but thrilled on the other to find themselves, as if miraculously, just as skilled at protecting their own interests as they’ve always been at protecting others’.

It’s a kind of bittersweet discovery. The bitter part, if grieved properly, is usually short-lived; the sweet aspect is long-lasting.

Steve Becker, MSW, LCSW, CH.T

Monday, August 27, 2012


by Helen Pidd

(U.K.) A man suspected of burning his girlfriend to death in her own home has a history of meeting women through dating and social networking websites, police have warned.

Greater Manchester police believe George Appleton may have tried to contact women on Facebook and other sites since going on the run last Friday, when the badly burned body of Clare Wood, 36, was discovered at her home in Salford.

He is a regular user of Facebook and is known to use a number of aliases on dating websites.

Anyone who has made contact with him in recent days is urged not to arrange to meet him, but to call the police. Wood was discovered in the bedroom of her house on Friday afternoon. Appleton, 40, who lives nearby, is understood to have been in a relationship with Wood, who had a 10-year-old daughter.

Detective Superintendent Pete Jackson, who is leading the investigation, said: "George, if you are hearing this message, please listen to me. I want to speak to you and I want you to get some help. Please phone your solicitor or the police. Please tell us where you are and whether you are OK so we can get you some proper help." He added: "We are investigating the horrible murder of a young mum and are leaving no stone unturned to find the person who killed her."

At least four women are thought to have contacted police to say they had online contact with Appleton before Wood's murder. On his Facebook page, Appleton, who is unemployed, lists his activities as "wouldent ya like to know" and his interests as "music, computors, DJing, films".

Wood had reportedly recently signed up to Zoosk, one of Britain's top dating sites. She wrote in her ad: "I am a talkative, affectionate woman who would love to hear from someone who is relatively sane in my area. I would like to meet a respectful, affectionate man. Not looking for a one-night stand, so if this is what you want walk away. Also someone who likes a larger lady is an advantage but they must be flexible as I am shrinking rapidly."

Detectives said the suspect also has a form of the spinal condition spondylitis and is not believed to have any medication with him. CCTV footage of Appleton taken outside his block of flats in Adelphi Court the day before Wood's body was found in nearby St Simon Street was released yesterday.

He is seen wearing tracksuit bottoms with a white stripe down the leg, white Reebok trainers, a dark-coloured padded jacket and a woollen hat with brown, red and purple stripes. It is possible he is driving a red Ford Escort, registration N554 HYG, and could be parked up, sleeping in his car. He is known to have links in the Warrington area and in Leicestershire and Gloucestershire.

Ms Wood's grandparents Geoff and Catherine Camponi paid tribute to her as a "lovely kind person who would never harm anyone".

Sunday, August 26, 2012

Match.com Can't Screen for Sex Offenders

By Benjamin Radford

One of the world's top dating websites, Match.com, announced that it would begin checking its members against a national sex offender registry. The announcement was made about a week after a class-action lawsuit was filed against the company by two women who claim men they met through the service sexually harassed them.

Whether an attempt to ward off future lawsuits or merely a publicity stunt, the measure is nearly worthless and in fact may do more harm than good by fostering a false sense of security. There are several obvious flaws with the plan.

The first is that users on social networking and matchmaking websites typically do not have their identities verified. Thus anyone (including convicted sex offenders) can post whatever name they wish to use on the site and easily avoid triggering a match on registries.

Even if Match.com members' names were somehow verified, names are very common. A match with a name on a sex offender registry would also require a matching address to be sure it's the same person. Anyone can rent a post office box (or use a friend's mailing address) to easily avoid triggering an alert.

Second, even if the information provided to Match.com was completely accurate, it may not match what's on the nation's sex offender registries, which are notoriously unreliable. A 2010 study of Vermont's sex offender registry found that half of the entries sampled contained significant mistakes and wrong information, including two people who should not have been listed. Audits in other states, including Georgia and Texas, found that the registry information for offenders was often wrong, incomplete and outdated.

Third, statistics show that relatively few assaults are committed by convicted sex offenders. That is, a given person (adult or child) is far more likely to be sexually assaulted by someone who is not listed on any sex offender registry than a convicted sex offender. The vast majority of physical and sexual assaults are committed by friends, family and other loved ones, not a recently met stranger hiding a sex offense conviction. This is one of the fundamental flaws of Megan's Laws and other offender notification measures: They distract attention and resources away from the greater threat.

Even Match.com's president, Mandy Ginsberg, acknowledged that the new measures "remain highly flawed." The rules of safe dating have not changed in decades: Meet in a public place, tell a friend where you're going and don't give out personal information too early.

Benjamin Radford is deputy editor of Skeptical Inquirer science magazine and author of six books.

Another reason to NEVER USE ONLINE DATING!

Saturday, August 25, 2012


by Chris Brooke

(U.K.) After her husband of 26 years died of cancer Dena White thought she had found her dream man on the internet - a dashing major general in the U.S. army.

In reality the 52-year-old's romance was a hoax created by a cruel African fraudster - a fact she discovered after he succeeded in tricking her into remortgaging her home and handing over £50,000. (note: they aren't all African - many are just cyberpath predators looking for money, sex or kicks)

The mother-of-two thought she was helping 'Steve Moon' - who the fraudster represented with a picture of U.S. Infantry division commander Major General John Batiste - in a legal dispute over the impounding of his war medals.

The fraudster convinced her he could not get access to his cash because he was serving in Iraq and she agreed to provide the money he needed. Three weeks later police knocked on her door to reveal she had become the latest victim of a massive worldwide 'rom con' against lonely middle-aged women.

She said: 'Hindsight is a beautiful thing. Of course I feel silly and embarrassed but I was lonely, vulnerable and wanted to find love so it was easy to fall for. When someone you love asks for help, you want to do anything you can.'

It all began when Mrs White, of Market Weighton, East Yorkshire, registered with well known website DatingDirect.com and within weeks had been contacted by a Steve Moon – who claimed to be a Major General in the US forces. The pair were soon chatting online for hours each day and she fell in love with the 50-year-old serviceman who claimed to be going back to the frontline in Iraq to help train their police force. He told her his wife had died and that he had a young son. He would even chat to her youngest child Emma, 11.

Mrs White said: 'Of course I was wary but everything he told me seemed to check out. The US were sending retired officers back to Iraq to help train the police and I even checked the address he gave me in the States and a widower called Steve Moon was registered there with a son. We started chatting on instant messengers for hours every day. He’d send me poetry. It sounds silly now but we were in love. He was going to come to the UK when he was done in Iraq and then I was planning to have a holiday in America to be with him. It seemed very romantic.'

After eight months, in August 2009, ‘Steve’ asked her if he could have a parcel containing his war memorabilia and medals, delivered to her house by a diplomat. Mrs White agreed and spoke to the man she believed to be a diplomat on the phone several times before being told that customs had impounded the parcel and it would cost £3,000 to retrieve.

She agreed to pay the bill, however weeks later she was told it would cost around £45,000 for the parcel to be changed into her name so she could receive it on his behalf.

'I was worried but he didn’t give me time to think it through properly. That’s what they do. I remortgaged the house. He promised to repay me as soon as he was back in the US and I thought I was protecting myself by transferring the money through a bank.'

It was at this point that police told her the truth about the internet scam.

'At first I couldn’t believe it,' said Mrs White, a former distribution manager. After further internet research she realised the profile picture of her 'new love' was actually a high-ranking soldier whose image was used for an advertising campaign.

Mrs White, who is seriously ill with COPD, a chronic lung disease, was forced to sell her home and downsize to a property which she now also stands to lose because of the crippling debts she has been left with. The man said to have conned her, 31-year-old Ghanaian Maurice Asola Fadola, was arrested in May 2010. He is now awaiting trial in Nigeria after allegedly scamming at least £771,000 from five women.

'Because I am now seen as an easy target my details have been sold on to other fraudsters so I’m regularly contacted by scammers. Now I talk to them to find out what new methods and technology they are using to help warn others. I would just tell people to meet people in person and never ever send money to anyone who contacts you online.'

Colin Woodcock from the Serious Organised Crime Agency (SOCA) said: 'In a romance fraud the vulnerability is that the victim is someone looking for love, so the fraudster knows how to exploit them. But we're not just talking about vulnerable people being caught by this. Intelligent people are duped as well.'

Friday, August 24, 2012

Match.CON: How a Fraudster Fleeced a Woman on Online Dating

by Stephen Wright

(U.K.) 'I've been utterly stupid,' said 60-year-old Brenda Parke

A vulnerable divorcee was conned out of £60,000 (approx. $95,200 US) by a man she befriended - but never met - through a dating website. Brenda Parke, 60, fell victim to a confidence trickster who persuaded her to part with her savings to help his supposedly sick daughter. They arranged to meet at Birmingham Airport so he could repay the loans, but he never arrived.

Miss Parke, a retired air stewardess, admits she has been 'utterly stupid' but now wants to raise awareness about 'romance fraud'. Police estimate that Britons are losing tens of millions of pounds as a result of scams by conmen who target emotionally vulnerable Westerners on dating websites.

Other victims have included dentists and barristers. Miss Parke, who had never used a dating site before, joined Match.com last December and befriended a man calling himself Bradford Broad Cole. Over the following weeks they developed a close relationship via emails and phone calls. Cole portrayed himself as a successful Dutch businessman who earned his living supplying and fitting computers. He said his partner had died and he was estranged from family and friends, claiming to have moved to the UK a year ago with his young daughter, Maureen. But she was injured in a hit and run abroad while accompanying him on a business trip, he claimed, and he needed £9,600 for an operation.

He did not ask Miss Parke for money directly but moaned that he had no one to turn to, having borrowed as much as he could from the bank. She repeatedly told him she could not help and each time he said he understood, but she wrestled with her conscience as she did not want to leave a child in trouble. Eventually she offered to pay the hospital direct, but discovered it only accepted cash, so she arranged money transfers to Cole. Miss Parke handed over more money after Cole said he needed £44,500 for his business and further cash for his accommodation and transport home. The police are now investigating the case.

Miss Parke, who has no children and lives in Sussex, said: 'I am fully aware how utterly stupid I have been and appreciate there is little, if any, chance to get my money back. However, I have always considered myself to be a bright and intelligent woman. If I could be manipulated and reduced to "a puppet on a string" because of this man's subtlety and supposed sincerity, then there are millions of vulnerable people out there just waiting to be abused by a very professional and consummate actor. It is so cunning and amazingly well done that I am reeling with shock at my own vulnerability.'

'I urge dating sites to take far more responsibility for who they allow to advertise on their websites.'

Miss Parke agreed to waive her anonymity to speak out about romance fraud for the national fraud reporting centre, Action Fraud. Dr Bernard Herdan, of the National Fraud Authority, which runs Action Fraud, said: 'Fraud is a serious crime that devastates lives and often funds more organised crime such as drug smuggling.'

Thursday, August 23, 2012


by Josh Hale

(U.S.A.) A Maine man accused of using the Internet to stalk his ex-girlfriend in Louisiana and to steal her identity has pleaded guilty to cyberstalking.

Prosecutors say 41-year-old Shawn Sayer continued to stalk his ex-girlfriend even after she changed her name and moved from Maine to Louisiana.

They say he caused men seeking sexual encounters to show up at her Louisiana home by uploading sexually explicit videos of her to porn sites using her real name and street address. Authorities also say he set up a fake Facebook account to post the videos and extended sexually explicit invitations through a phony Yahoo! Messenger account.

Sayer previously pleaded not guilty but he changed his plea on Monday. He faces up to 10 years in federal prison if a judge takes into account a prior stalking conviction.

Wednesday, August 22, 2012


by Jonathan Bick

The economic difficulty of pursuing individuals for bad acts has led injured parties to seek legal remedies from the companies that facilitate the platform upon which the bad acts occur. In the past, internet facilitators could avoid contributory and vicarious liability by claiming users' bad acts were beyond the facilitator's ken and control. Now, widely available, low cost e-commerce technology diminishes the viability of said defenses.

Previously, passive internet service facilitators successfully argued that they do not "collaborate" with internet users to undertake bad acts because they were either unaware of the bad acts or could not act to prevent such bad acts in a timely fashion. Advances in internet technology, however, have increased the internet facilitator's capacity for ameliorating internet bad acts automatically. Failure to employ such technology may result in an increase in the facilitator's liability for not preventing bad acts on the internet.

Internet facilitators include service providers, hosting services, blogging platforms, 'gripe' sites and social network sites, to name just a few. These internet service suppliers allow email, instant messaging, peer-to-peer communications, blogs, broad internet access, chat rooms, intranets, interactive websites, and other electronic communications. They also allow various goods and services transactions.

These transactions may result in a myriad of bad internet acts, ranging from defamation, copyright infringement, failure to protect trade secrets, harassment (including hostile work-environment issues), to criminal accountability and loss of attorney-client privilege.

The nature and extent of internet bad acts is exacerbated by the fact that internet sites are accessible beyond national borders, and no international code of internet behavior exists. Additionally, user-generated content may be a substantial portion of an internet facilitator's site content and the international legal community has yet to standardize intellectual property rights; international intellectual property standards are governed by multilateral treaties.

In the past, internet facilitators could avoid secondary liability for not stopping bad acts by showing one of two types of defenses. First, if charged with vicarious liability, facilitators could show that they did not possess the ability to supervise those who engaged in bad acts using the facilitator's Internet assets. Second, if charged with contributory liability, they could show they did not have knowledge of the bad act involving the facilitator's internet assets. See MGM v. Grokster, 545 U.S. 913 (2005).

However, as internet technology increasingly allowed automated action to enable internet facilitators to prevent bad acts by third parties on their sites, the United States implemented a statute that provided a "safe harbor" provision protecting websites and web providers from secondary liability for certain bad acts, such as copyright violations performed by users on a facilitator's internet asset. The most wide-ranging safe-harbor provision is offered by the Digital Millennium Copyright Act of 2008, Pub. L. No. 105-304, 112 Stat. 2860 (codified at 17 U.S.C. § 101 et seq.) (DMCA).

Though the question of interpreting this part of the statute has yet to reach the Supreme Court, lower courts have been consistent in interpreting it broadly and have applied it to any entity that provides access to the internet. In particular, the court in ALS Scan, Inc. v. RemarQ Cmtys., Inc., 239 F.3d 619, 626 (4th Cir. 2001), found that a newsgroup website would fall under the definition of an internet facilitator. The court in Corbis Corp. v. Amazon.com, Inc., 351 F.Supp. 2d 1090, 1100 (W.D. Wash. 2004), found that Amazon.com fits within the definition as well.

However, the safe harbor also requires that the internet facilitator who is eligible for indemnification from secondary liability not have "actual knowledge" of the infringing material. The near universal use of internet technology, which provides actual knowledge of the content of the facilitator's site and the site's related transactions, may be used by plaintiffs to pierce the safe-harbor provision and require the internet facilitator to forfeit the protections of the safe harbor.

Internet technology that allows a facilitator to limit an internet user's bad acts is available. The three most important technologies are: automatic internet user monitoring systems, "net nannies," and internet tracking software.

Automatic internet user monitoring systems, such as screen capture utilities and key logger software, record all information that is sent to an internet facilitator's site. These monitoring systems can feed captured data to software tools which will prevent internet users from taking certain action to facilitate bad acts, such as installing malware and distributing unlawful spam, among other activities.

For more than 10 years net-nanny software has been providing internet facilitators with a secure means to web filter to avoid the use of its site for purposes deemed inappropriate. Net nannies may be used to stop the distribution of images of an unlawful nature, deny access to internet users whom the internet facilitator deems to be undesirable, and generally censor unacceptable behavior automatically on behalf of the internet facilitator.

Existing internet user-tracking software can usually narrow the radius of geographical location of an internet user within several hundred feet, without requiring the user's permission. This is done by sending a message to the target, and using the time it takes to bounce back, the internet user's IP address and Google Map software. Knowing the likely geographic location of an internet user can allow the internet facilitator to prevent internet bad acts, such as allowing a site user to send goods into a state which has deemed such goods to be contraband.

In combination, automatic internet user monitoring systems, net nannies, and internet tracking software are capable of removing unlawful or unacceptable content and sending an electronic message to the bad actor informing that person of the violation that has been committed. Internet technology may also mete out sanctions automatically. In particular, certain internet technology may automatically bar a bad actor's access after determining that a violation of the terms of use agreement associated with the internet facilitator's sites has occurred.

While changes in internet technology may change internet facilitators' liability in the United States, such changes may be blunted in Europe due to the implementation of local law. The European Union has attempted to deal with the liability of internet facilitators by issuing a series of directives.

Together these directives are known as the E-Commerce Directive, which grants liability exemptions to passive internet facilitators. See Directive 2000/31/EC, arts. 40-58, 2000 O.J. (L 178) 1 (EC). The E-Commerce Directive exemptions apply only if the internet facilitators do not "collaborate" with a user to undertake illegal acts and act expeditiously to remove access to any illegal information upon receiving notice of such illegal activities.

While the directive is binding on member states as to the effect to be achieved, it allows the implementation process to be designed by each member state for implementation in its sovereign jurisdiction. The directive does not address internet technology, thus the use or failure to use such technology is not a factor in assessing internet facilitator liability.

Even if the use of monitoring and control technology were integrated into the E-Commerce Directive, the result is not clear, as evidenced by the three cases considering YouTube's liability for user copyright infringement that parallel Viacom International Inc. v. YouTube, Inc., in Spain, Germany, and Italy.

All three countries are members of the European Union and thus subject to the E-Commerce Directive. Yet the cases have resulted in a YouTube victory in Spain, but losses for YouTube in Germany and Italy.

Tuesday, August 21, 2012

MY HYPNOTIST: The Big Roulette Wheel Of Internet Dating (a Story Of Spousal Abuse)

"I could not put this book down once I began to read it. I found it very informative as to what could happen when you meet someone over the Internet. I just hope that someone can gain insight and knowledge from reading Paulette's book. It is easy to understand and never boring."

FROM THE BOOK: "I have met several men over the Internet, as I look for someone interesting, in the hopes of fulfilling my seemingly desperate need for companionship..."


Monday, August 20, 2012


Have you accused someone of doing something on the internet you only 'know' about through internet searches?

Have you accused someone of hacking, spamming or running a website that someone else told you and you don't REALLY know for sure?

Have you accused someone of watching porn, online shopping or online postings just through checking their IP or by assuming?

Are you really sure?


  • Elaine Buckley, 50, was fired from her £19,000-a-year job for using the internet for personal use at work
  • Her employer accused her of watching hard-core porn but she denied the claims and tried to appeal
  • She was unsuccessful and so took her case to the employment tribunal
  • No evidence was found to suggest that Mrs Buckley had viewed porn
  • The court heard that sites could have been accessed by pop-up sites that Elaine did not know were there or by other people
  • Mrs Buckley went through a ‘dark time’ and had to receive counselling

By Sarah Johnson

A churchgoing mother has won a £20,000 unfair dismissal case after she was wrongfully accused of viewing hardcore porn at work.

Elaine Buckley, 50, has been married for almost 30 years and regularly fundraises in her local community. But in 2010 the finance manager was called into her boss’s office to explain why she had been looking at porn sites during working hours.

She strenuously denied the claims but her employers at Waters Edge Ceramics, a dental laboratory in Oldham, fired her for gross misconduct.

The mother-of-two said: ‘The whole experience has been so humiliating. I was just horrified when they first told me of the allegations. I am a normal 50-year-old mum. I like walking my dog, spending time with my children and friends and generally being a mum - not looking at pornography. I believe that what happens between a woman and a man or a man and a man or two women in their bedroom should be kept private between them.'

Mrs Buckley said that in November 2010 the company announced that redundancies would take place. A week later she exchanged cross words with Gemma Taylor, her boss’s daughter, who had been brought in as her line manager after finishing university.

The next day she was invited for a disciplinary meeting at which it was revealed that her computer had been used to view hardcore pornography. IT consultant Paul Burton printed off a report of her computer use - which revealed that the machine had been used to view hard-core pornography. Elaine said: ‘They kept using the words "obscene" and "pornographic" websites.

‘If it was a cooking website then that might make sense because I could be looking up a recipe for a colleague but not a pornography site. I kept denying it. I couldn’t understand why they thought I had been on the sites. I had been working with the company for ten years, they knew me. My computer was used by other people too and the site could have been a pop up site where the cookies saved to the machine. But they didn’t believe me. It was such a dark, dark time for me.’

On November 11, Elaine was handed two letters announcing her suspension. On 17 December, she was sacked from her role by a further letter. It stated that she had ‘accessed inappropriate and obscene websites’, spent a ‘wholly unacceptable’ amount of time on personal sites and failed to follow an order not to do so. Elaine tried to appeal within the company but was unsuccessful and so took Waters Edge Ceramics to employment tribunal in February 2011.

Manchester Alexandra House heard that the sites could have been accessed by pop-up sites that Elaine did not know were there or other people who used the computer. The hearing was told the company had no evidence that Elaine had viewed pornography.

On November 2, 2011, Employment Judge Diana Kloss recorded that Mrs Buckley was ‘unfairly dismissed’ under section 98(4) of the Employment Rights Act 1996. Mrs Buckley, who has undergone counselling as a result of the ordeal, said: ‘Going to the tribunal was nerve wracking. After I had taken to the stand, I was literally shaking all over.

‘I never drink but my husband took me to a pub just down the road and ordered me a Grand Marnier on the rocks. The court accepted that I wasn’t to blame and I was innocent. But my boss has never apologised, he fought it to the death. The money was not an apology, it was for a loss of earnings. I had to have counselling for eight months, up to three times a week.’

Elaine now works as a bookkeeper for the RSPCA, earning £8.50 an hour.

Sunday, August 19, 2012

The 7 Deadliest Social Networking Hacks

Think you know who your real online friends are? You could be just a few hops away from a cybercriminal in today's social networks

By Kelly Jackson Higgins

It started with a stolen Facebook photo attached to an inflammatory profile. It led to online harassment, death threats, and emails to the victim’s boss questioning the victim’s character. But an online personal attack against Graham Cluley earlier this year is one example of how easy it is to use a social network to damage the identity of an individual -- or an entire company.

Cluley’s case shows just how rapidly social networks can spread a smear campaign or personal attack -- and how it can quickly spread to the victim’s professional life. Cluley, who is a senior technology consultant with Sophos, recently met another victim who experienced a similar attack on Facebook, Kerry Harvey. He says it was apparently an acquaintance of Harvey’s who built a phony Kerry Harvey Facebook profile that branded her occupation as a “prostitute,” complete with her cellphone number.

Could such a thing happen to you or employees at your company? You bet. Social networks are the next major attack venue for trolls, spammers, bot herders, cybercriminals, corporate spies -- and even jilted ex-lovers or enemies -- to make money, or just plain wreak havoc on their victims’ personal lives, security experts say.

“It's the easiest way to passively gain intelligence on the largest groups of society and nearly every walk of life,” says Robert Hansen, aka RSnake, founder of SecTheory LLC.

The root of the problem is that social networking sites by nature aren't secure. They typically don’t authenticate new members -- you can’t always be sure that your online friend is who she says she is -- and attackers can easily exploit and capitalize on the “trusted” culture within the social network. Users often don't deploy the security and privacy options that some of these sites offer, either.

Social networking application development tools like OpenSocial and third-party tools on Facebook, for example, can be abused by attackers to readily spread malware or lift personal information. There’s also the very real risk of corporate espionage, with attackers culling tidbits from personal or professional social net profiles to wage targeted attacks on businesses via their employees. And popular Web attacks, like cross-site scripting, can also be used against members of social networks.

And don’t think for a minute that your “private” or closed profile keeps you safe from an attack or potential personal embarrassment, either. “There is no such thing as privacy on the Internet,” says Adam O’Donnell, director of emerging technologies for Cloudmark. “You are only delaying the inevitable information leakage for any content you put online. My recommendation is to treat the Internet as if all content there lasts forever.”

Attacks on social networking sites have only just begun, so think twice before you get too personal with what you post on them, or too loose about accepting and trusting new friends and connections.

“You’re only going to see these attacks on social networks go up,” says researcher Nathan Hamiel, who along with colleague Shawn Moyer recently conducted some relatively simple but scary hacks on various social networks that they demonstrated at Black Hat USA and Defcon 16 this month. “We’ve noticed some weird social networking attacks since we did our talk” at those hacker conferences, he says.

Here's a look at the seven most lethal social network hacks:

* 1) Impersonation and targeted personal attacks

* 2) Spam and bot infections

* 3) Weaponized OpenSocial and other social networking applications

* 4) Crossover of personal to professional online presence

* 5) XSS, CSRF attacks

* 6) Identity theft

* 7) Corporate espionage

1) Impersonation and targeted personal attacks
You’d think security experts would be relatively immune from social networking hacks since, well, they’re security experts. But a recent wave of nasty hacks targeting security industry figures such as Alan Shimel of StillSecure and Petko Petkov of GNUCitizen, where their personal email accounts and other private data were raided and posted on the Net, has demonstrated that a determined attacker can even get to the experts.

Putting yourself “out there” with a social network presence basically leaves you open for all kinds of attacks, even personal ones. Just ask Sophos’s Cluley, who faced hate messages, death threats to his wife, and his photo being superimposed on some pornographic images after his Facebook photo hack. “They didn’t use my name,” he says, but all it took was someone to recognize his face.

Twitter, the microblogging site where members post quick updates on what they’re doing or comments to multiple “followers,” introduces a whole other element to social networking security -- physical security, experts say. “I never talk about where I am, who I'm with, where I'm going, or any other specific details,” RSnake says. “But that doesn't stop anyone else who knows that same information from doing that behind my back - maliciously or not.”

Sophos’s Cluley says posting too much information on Twitter, such as your whereabouts or trip plans, leaves you wide open to things like burglary or stalking. “Twitter is a fascinating thing. To be honest, it could lead to all sorts of physical problems, such as physical theft…or jealous ex’s” tracking what their ex is up to, says Cluley, who “tweets” his blog titles. “When I post to my blog, I’m not saying ‘I’m at the supermarket.’ First of all, who cares? I much prefer to wait until I get back” from the store to say what I’m doing, he says.

And as Hamiel and Moyer demonstrated at Black Hat USA and Defcon 16, you don’t even have to have a social networking profile to be targeted. The two researchers were able to easily impersonate security icon Marcus Ranum (with his permission) on LinkedIn, the social network for businesspeople. Ranum doesn’t have an account, so the two basically lifted Ranum’s photo off the Internet and gathered information on him online and built a convincing phony Ranum profile. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

They channeled Ranum so well that they amassed 42 LinkedIn connections within 12 hours, even duping Ranum’s own sister into friending the phony Ranum profile.

2) Spam or bot infections
Spammers -- for plain old advertising, click fraud, or for bot recruitment -- need mechanisms that efficiently and effectively deliver and spread their messages, malware, or both. And attackers have already homed in on the social networking community, hijacking accounts and using their address books to spread spam, worms, or other malware.

“We’re seeing more and more malware via spam and links in spam. We’re seeing this with malware text on Facebook and Twitter that’s designed to draw people to particular pages,” Sophos’s Cluley says.

Most recently, attackers hijacked some Facebook accounts, and posing as members sent messages to their friends to dupe them into viewing a video clip link, which instead was actually a Trojan that silently downloaded malware onto their machine once they opened the link.

A recent report by ScanSafe found that in July, up to one in 600 profile pages on social-networking sites hosted some form of malware, mostly adware and spyware.

3) Weaponized OpenSocial and other social networking applications
Users often don’t think anything of installing an application in their browser. “But these applications can all have the same levels of access to their system, and some of the most private information is often [stored] in the browser, so it can be more dangerous,” Moyer says. “It blows my mind how people can think that downloading [these applications] is not as bad” as downloading some application to their system.

That makes third-party application services like OpenSocial a dangerously handy tool for attackers. “The addition of the third-party application service also allows for another avenue for code-based attacks to occur,” Cloudmark’s O’Donnell says.

It’s not that all of the developers of those social networking virtual kisses, secret crushes, or birthday reminder widgets are necessarily malicious. OpenSocial, for example, offers an option for writers of these tools to limit malicious JavaScript in these applications, but inexperienced developers typically don’t bother or know to use these measures, O'Donnell says.

“These are opt-in only, and a limited number of developers use the tools. What ends up happening is that developers with a limited amount of security-sensitive development experience create these applications that spread like wildfire, allowing a new vector for infection on many profiles -- and by infection, I primarily mean attacks focused inside the social network,” O’Donnell says.

Users don’t always realize that the third-party widgets for Facebook, for example, weren’t written by Facebook. Some have holes that collect more information on users than necessary or safe, and others have been written specifically to install adware or generate revenue. “To their credit, Facebook has closed down some of these apps that behaved inappropriately,” Sophos’ Cluley notes.

A rogue application called “Secret Crush” was circulating around Facebook earlier this year, spreading spyware instead of love. (See 'Secret Crush' Spreads Spyware, Not Love.) It sent victims an invitation to find out who has a secret "crush" on him or her, and lured them into installing and running the Secret Crush app, which spread spyware via an iFrame. The attack got more advanced and worm-like when it required the victim to invite at least five friends before learning who their “crush” was.

“They [these sites] are basically under constant attack,” Moyer says. “We think a lot of the Web 2.0 problems [with these sites] are more about how much trust is being placed on the client side.”

4) Crossover of personal to professional online presence
Even if you keep a MySpace account for personal use, and a LinkedIn one for professional networking, there’s no guarantee that those late-night partying pictures aren’t going to end up in front of your colleagues on LinkedIn, or worse, your boss.

“Consider everything on a social network to be public, whether it’s private photos or work history,” Hamiel says. “You can’t stop a ‘friend’ from copying your stuff and putting it wherever” they want.

There are some measures social networkers can take to prevent the details of their social and personal lives from spilling over to their professional ones. Cloudmark’s O’Donnell says he doesn’t bother with separate personal and professional social networking accounts: “For me I find it far easier to not keep them separate, and to present a professional face on both my personal and my professional profiles.”

You can set up “limited” profiles on sites like Facebook. “I can add someone as a limited friend, and they don’t know they’re limited. They can’t see my holiday photos,” for instance, Sophos’s Cluley says. That way, “I’ve really tied down and parceled up what I want as my real close friends” on the site.

There are also privacy settings that can control what information you share with others on the social network, and what information Facebook apps can get and share about your profile.

5) XSS, CSRF attacks
Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are obvious attack vectors, and some social networking worms have used XSS flaws to help propagate themselves. But most social networks have tightened their defenses against XSS attacks, security experts say, and CSRF attacks are not yet common.

XSS and CSRF do pose a big risk to these sites, especially when it comes to social networking applications, experts say. In an XSS attack, malicious code is injected into vulnerable Web applications and users who view those pages can get hacked. In a CSRF attack, an attacker basically tricks the victim's browser into making a request on his behalf -- as the logged-in user.

“Anytime [that] you, an attacker, can force a user to load HTML, the potential is there for browser exploits, botnet infections, and account manipulation via XSS/CSRF,” says HD Moore, director of security research for BreakingPoint Systems.

A CSRF attack could potentially jump and spread across multiple social networking sites that the user is logged onto -- effectively spreading the attack from one social network to another. It could, for example, force a victim viewing a CSRF-infected page on MySpace to post something on his own wall on Facebook if the wall-posting function was vulnerable. “I think [CSRF] certainly is one useful vector that's being overlooked now,” Moyer says.

Meanwhile, with the openness of social networks, attackers don’t really need to bother with complicated XSS or CSRF attacks. “But if you [the attacker] combine attack vectors, you could be a lot more effective. We think as long as [social networks] allow users to create markup in profiles and comments and link to external content, this will continue to be a problem,” Moyer says.
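The cross-site wall-post scenario above, seen from the defending site's side, as an added example that is not from the original article: a hypothetical wall-post handler that refuses requests backed only by the session cookie and escapes user-supplied markup before storing it. The site origin, function names, and sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://social.example"  # hypothetical origin of the social network
SERVER_KEY = secrets.token_bytes(32)    # server-side secret, generated here for the demo


def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in its own wall-post form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or Referer as a fallback) names our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no provenance at all: refuse a state-changing request
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_wall_post(session_id: str, headers: dict, form: dict):
    """Return (status, stored_text). A valid session cookie alone is not enough:
    a browser attaches it to cross-site requests too, which is what CSRF abuses."""
    if not same_origin(headers):
        return 403, None
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return 403, None
    # Escape profile/comment markup so stored text cannot run as script (XSS).
    return 200, html.escape(form.get("message", ""))


def demo():
    """Three constructed requests, all carrying the same logged-in session."""
    session = "sess-1234"  # constructed session id
    token = issue_csrf_token(session)
    # 1. Form submitted from the site's own page, with the embedded token.
    legit = handle_wall_post(
        session,
        {"Origin": SITE_ORIGIN},
        {"csrf_token": token, "message": "Hi <b>all</b>"},
    )
    # 2. Request triggered by a page on another network: cookie rides along,
    #    but the Origin is foreign and no token is present.
    forged = handle_wall_post(
        session,
        {"Origin": "https://other-network.example"},
        {"message": "posted without the user's knowledge"},
    )
    # 3. Same-site Referer but no token: still refused.
    no_token = handle_wall_post(
        session,
        {"Referer": SITE_ORIGIN + "/profile"},
        {"message": "x"},
    )
    return legit, forged, no_token


if __name__ == "__main__":
    for status, stored in demo():
        print(status, stored)
```
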

6) Identity theft
A social network profile can give away some valuable tidbits -- the victim’s name and date of birth -- that identity thieves can use to guess passwords or impersonate them, and even eventually steal their identity, some security experts say.

But that doesn’t mean that identity thieves are crawling all over social networks, Hamiel says. “I just think that the claims that social networks are an identity theft magnet are overblown.”

Social networkers sometimes inadvertently hand over the goods themselves: In a study Sophos conducted over a year ago, about 41 percent of Facebook users in the study gave out their email address, date of birth, and phone number to someone they didn’t know.

One safety tip for social networkers is not to answer all the questions posed to them by the site, and don't provide your true date of birth, Sophos's Cluley says. “You don’t need to tell Facebook your educational background, your phone number, etc. You don’t even have to tell them your real date of birth,” he says. “I want the identity thief to get the wrong date of birth.”

You can even make up a phony maiden name for your mother. “Don’t make it something that’s a matter of public record,” he says.

Even so, social networks basically tap into human nature’s innate need to socialize, and the bad guys know it. “People aren't very good at security,” RSnake says. “We were built to work in teams, we're pack animals.”
7) Corporate espionage
Even if an employer blocks access to social networks from the office, the organization still could be susceptible to corporate espionage attacks via its employees’ personal profiles.

To pull off a spear phishing attack, for example, all an attacker has to do is search for Company A’s employees on a social networking site and then pose as someone within the organization -- such as the head of human resources -- and email the employee addresses he finds, for example. A phony HR spear phish could look something like this, Sophos’s Cluley says: “Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files.”

A newbie to the company could easily fall for the ploy and hand over access to the corporate network, he says.

The only shot at preventing this hack is for social networkers to limit what they post publicly and to keep their employer’s name out of their profile. “Keeping the name of your employer... far away from your personal profiles can reduce the chance that someone will target your employer through you,” BreakingPoint’s Moore says. “The trouble is that even with completely separate personal and professional identities, it only takes one scrap of public information linking the two to negate all of the time that went into separating them in the first place.”

That’s because the “six degrees of separation” rule applies on most social networks: You’re only a few hops away from a bad guy. “We know that there are bad people on these networks using them to steal information,” Cluley says. “You may be only a half a dozen hops from an identity thief if we’re all connected.”

Responses to: editors@darkreading.com


Many thanks to support group member, Gypsy for this gem!

Saturday, August 18, 2012

How Married, Middle-Class Predators Prey on Others


This story talks about vulnerable teenagers - but all you'd have to do is replace 'teenagers' with disabled or divorced or lonely or vulnerable or trusting ADULTS - and the modus operandi and result would be EXACTLY the same - EOPC

By Mark Williams-Thomas

Somewhere out there, as you read this, a man sits hunched over his computer, his brow furrowed in concentration as he taps away at his keyboard.

But he's not booking cinema tickets or tracing his family tree or doing any of the things that have made the internet such a valuable tool of modern life.

No, the sickening truth is that he's pretending to be a 13-year-old girl and he's in one of those internet chatrooms so beloved of our teenagers.

Using modern text-speak to pass muster as a teenager, he taps out an innocent-sounding question, the sort one teenage girl might ask another.

'Hve u gt a boyfriend - lol?' 'No,' replies the very real 12-year-old, giggling as she types.

Back comes the reply: 'Wd u like one?' The trap is about to be set.

The man, of course, is a paedophile; one of the most feared and loathed figures in today's society. But the girl, sitting at her computer in the comfort and supposed safety of her own bedroom. . . well, she could be my daughter, your daughter or anyone's daughter.

As a father, I know it's important not to overstate the danger our girls are in but, as a former policeman and professional child protection consultant, I also know the paedophile threat is out there. It's very real, it's very nasty indeed and the connection between those internet chats and images of paedophilia is all too common.

I've spent the past 18 months shadowing the officers of Scotland Yard's Paedophile Unit and, despite being a former detective with more than 12 years of experience in child protection, I've been horrified by what I've seen.

It's not just the appalling nature of the photographic images that so alarms me; it's the number of them. Barely a decade ago, we thought it was bad enough that there were a few thousand of these images being passed around paedophile rings. Now there are literally millions.

It's become not just a worldwide problem, but a worldwide business, too, with organised crime gangs increasingly keen to muscle in on the lucrative trade for this truly disgusting material.

What you have to remember is that for each and every one of those images, a child has been coerced, assaulted and badly hurt. Many will have been raped and, in a few tragic cases, the victim may even have been killed. That's the reality of modern paedophilia.

Despite the horrific nature of these crimes, the problem seems to get worse every year.

As Detective Chief Inspector Nick Stevens, who heads the unit, puts it, he could have three times the staff he has and still be struggling to cope with the demand for their services.

The big question, of course, is who is looking at these appalling images and then going on, in far too many cases, to plan and commit their own assaults on children?

What my time at the Paedophile Unit has revealed is that the days of the lazy stereotype of a paedophile - a male, middle-aged loner, often still living with his parents - are long over.

Yes, child protection officers do still come across the sad and dangerous individuals who could be described in that way, but increasingly they are arresting a new breed of paedophile.

Often married and with children themselves, they can be well-educated and highly successful in their field.

Passing them in the street - and it could easily be your street - you wouldn't give them a second glance. But despite often having no criminal record, they pose every bit as serious a threat to our children as the more readily identifiable 'dirty old men' of the past.

'In the past couple of years we've arrested magistrates, lawyers, company directors, police officers, people in the media,' DCI Stevens tells me. Chillingly, it seems paedophiles and offenders really do now come from all walks of life.

Take Andrew Lintern, for instance, one of the men I saw being arrested, who had travelled to London from Hertfordshire in the hope of having sex with a 13-year-old girl.

He was 55, married, highly qualified as a scientist working in IT, professional and, it later emerged, an Oxford graduate.

And yet when officers from the Paedophile Unit raided his home, they found nearly 20,000 indecent images, including video-clips of a 17-month-old baby being assaulted.

Lintern later confessed that the man assaulting the baby in the videoclips was, in fact, himself - an admission that no doubt contributed to him being ordered to be detained indefinitely when he came before Southwark Crown Court earlier this year.

What's brought about this change in both the number of paedophiles and the backgrounds they come from, of course, is the internet.

Twenty years ago, a predatory paedophile would have had to loiter around parks, funfairs and swimming pools to gain access to children, where his suspicious behaviour - in full public view - would often have raised the alarm before he could cause any real harm.

But computers and the internet have brought an end to all that. Now a paedophile can be chatting to a vulnerable young teenager - even watching her on a webcam - after just a few clicks of his mouse.

The internet has become famous for bringing people together - relatives, old school friends, prospective husbands and wives - but it also has a dark side, and it doesn't come much darker than bringing a paedophile and his victim together.

That's what happened when Andrew Lintern logged onto an internet chatroom pretending to be a nine-year-old girl and began a conversation with 'Jessie', whom he believed was a 13-year-old girl.

Only, just as the nine-year-old girl wasn't who she said she was, nor was Jessie. In fact, she was John Taylor, a middle-aged detective and a Covert Internet Investigator (CII) with the Paedophile Unit.

'Thousands in the UK have looked at child pornography'
To catch the new breed of paedophile, you see, has required a new form of policing and Scotland Yard's Paedophile Unit has led the world with its pro-active approach.

Since 2005, it's been using officers posing as young girls in internet chatrooms and on social networking sites to draw these paedophiles out into the open.

The idea is not to entrap them (which would be against the law), but simply to communicate with them long enough for them to break the law, either by engaging in sexual grooming, sending indecent images to a minor or by encouraging them to commit an indecent act.

Often, it is the investigation which follows the suspect's arrest on one of these charges that unearths evidence of even more serious crimes.

Such is the burden of proof that Paedophile Unit investigators are able to assemble that, more often than not, the defendants plead guilty.

Having worked alongside them for so many months, I am hugely impressed with their professional commitment and their determination to secure a conviction on the most serious charge they can.

After the excitement of a successful arrest, this, they say, is where the real work begins.

As one of the detectives told me: 'You've got to get their mobile phones examined, their computers examined, their cameras examined and look at every single image. Multiply that by the number of prisoners and it's a phenomenal amount of work.'

It's a meticulous and time-consuming approach, but it works.

Take Dean Hardy, a Kent businessman who, following a tip off from Europol, the European law enforcement agency, had been arrested for downloading child pornography from the internet.

Convinced but, as yet, unable to prove Hardy had also been assaulting children, his home was searched and a camera memory stick found which revealed pictures of an adult male's hand abusing a young Asian girl.

Proving the hand in the picture was Hardy's required something that had never been done before - a side-by-side photographic comparison and enough points of proven similarity to convince the Crown Prosecution Service, in the first instance, to take the higher charge of sexual assault to court and, in due course, for a jury to find him guilty.

In the end, however, the level of evidence so painstakingly assembled by the Paedophile Unit detectives was so great that Hardy pleaded guilty. He was sentenced to six years in prison earlier this year.

So how many paedophiles are there out there, trawling the net for underage girls? The truth is that not even Nick Stevens, head of the Paedophile Unit, knows. 'I believe there are thousands of people in the UK who have looked at child pornography.' What he doesn't know is what proportion go on and try to make contact online with a child and then meet them.

All I can add, having watched the Paedophile Unit at work and worked myself in the same field, is that we under-estimate the scale of the problem at our peril. The internet has opened a door, and I believe that many men have already stepped through it and more will follow.

The statistic that keeps coming back to me is that of 300 men arrested by the Paedophile Unit since 2005, most had no previous convictions.

To put it another way, if John Taylor hadn't pretended to be 'Jessie', Andrew Lintern, a man we now know had been abusing children for a decade, would still be out there.

What can be done about this growing evil? Well, a number of things. Scotland Yard's Paedophile Unit has led the world with its approach to catching paedophiles, and I'd like to see other enforcement agencies around the world following their example. But I'd also like police forces everywhere to remember that this is a crime with a victim as well as a perpetrator.

If we're clever and fortunate, we can send that perpetrator to prison for a very long time, but there's a danger that we forget the often terrifying ordeal his victims may have experienced. They need our help and, at the moment, they're not always getting it.

I'd also like to see internet service providers and those hosting chatrooms and social networking sites held responsible for the content they carry. Some sites need to be closed down entirely; others need to be far more effectively moderated.