Tuesday, May 02, 2006

Questioning the Ethics of Social Networks

A few months back I finally gave in to the thousands of invites I get from friends who have joined these networks. I have both a Friendster and Hi5 account.

What are these networks?
Drawing a comparison to the real world, social networks are similar to large gatherings of friends past and present. Each individual invites his or her circle of friends, their friends invite their circle of friends, and so on. As you can imagine, these networks quickly grow as more people invite more of their friends.

My hi5 network for example has 14 friends; 5 or 6 of whom I speak to on a regular basis. My "extended network" however, consists of 473 people. When I visit my hi5 home page, pictures of some of those in my network are displayed. Unsurprisingly it shows members of the opposite gender who are around my age. The idea behind these social networks is great; however, it seems that some sites use our social nature to exploit us.

The problem!!

So what is the problem with these social networks? These sites provide you with an interface which allows you to communicate, chat and share pictures with other people, all for free. Free is never without a capital F however. In order to make money, the social network sites may offer premium services, or advertise. The more members they have, the more popular their site becomes, and the more popular their site, the more money they can make.

In recent months I have had growing suspicions in relation to these social network sites regarding their use of personal data held on their members. I first became suspicious when a friend told me that the invite supposedly sent from her had not actually been sent by her. In fact, she had never visited the site before. Not long after, another friend told me she had been infected by a virus which sent email supposedly from her containing a link to a video. The email had been sent to everyone in her hotmail address book, which she only ever logs into via a web browser. The actual PC showed no evidence of having been infected by a virus. So I came to the conclusion that this is some kind of Internet based worm, which logs onto your hotmail account and sends out emails to everyone in your address book.

I therefore decided to do a little investigation. I clicked the link in my friend's email and signed up to ringo.com using a bogus hotmail address. It was after entering a few of my details that I discovered what I believe to be the root of the problem. Ringo asked for my hotmail password. After supplying it, it logged onto my account on my behalf and obtained a list of email addresses from my address book, giving me the option of sending one or more of them an email invite. This rang alarm bells straight away. What does Ringo do with my password? Why ask for your Hotmail login when Hotmail actively discourages giving out your password and provides facilities that enable you to export your address book to a file on your PC?

Sites Like Ringo want your Hotmail password.

My next stop was Ringo’s privacy policy. I delved through it to find out exactly what they do with the data you give them. Of striking pertinence was this comment:
Do you send unsolicited emails or direct mail?
Ringo absolutely, positively does not use the emails or postal addresses it collects as a source for unsolicited emails or unsolicited postal mail.


Alas, maybe not. But upon reading further I found this:
Ringo may develop special sites in cooperation with other companies. If you register at these "co-branded" sites, we share your registration information (such as name and email address) with that company.


A contradiction? No. Ringo are simply saying that they may pass the details you give them on to other “co-branded” sites. Unfortunately they do not mention whether these “co-branded” sites must adhere to the guidelines in their privacy policy and, more worryingly, they do not say exactly what information they will share with them and what these sites do with it.

While Ringo do not condone spamming and would “never” send unsolicited email to you or on your behalf, how does one know what their co-branded sites do with information such as the contacts in your address book and your hotmail password?

Sites like passport.com (the authentication engine behind Hotmail’s login) have very strict guidelines on the handling of personal data. Looking at their privacy policy we see the following:
Except as described in this statement, we will not disclose your personal information outside Microsoft and its controlled subsidiaries and affiliates without your consent. Some Microsoft sites allow you to choose to share your personal information with selected Microsoft partners so that they can contact you about their products, services or offers. Other sites, such as MSN, do not share your contact information with third parties for marketing purposes, but instead may give you a choice as to whether you wish to receive communications from Microsoft on behalf of external business partners about a partner's particular offering (without transferring your personal information to the third party). See the Communication Preferences section below for more information.

Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.

We occasionally hire other companies to provide limited services on our behalf, such as handling the processing and delivery of mailouts, providing customer support, hosting Web sites, processing transactions, or performing statistical analysis of our services. Those companies will be permitted to obtain only the personal information they need to deliver the service. They are required to maintain the confidentiality of the information and are prohibited from using it for any other purpose.

Put that in two short sentences. Microsoft will “ask” you if you wish to share your personal information with their partners. They also say that external companies may be given certain information, but in the event that they are, they must conform to Microsoft's guidelines.

It is not my place to say whether or not Ringo are acting immorally here, I leave that for those who are reading this blog to decide. What I will say is that they are treading on very thin ice with regard to their use of their members’ data and are almost certainly in violation of passport.com’s conditions of use in asking for their members’ hotmail password.

In conclusion, it is without a doubt that some of these social network services are misusing the data their members are giving them. They are using this data, hotmail passwords in particular, to log in to accounts and send mail shots on behalf of the unsuspecting users. These passwords are obtained through a simple social engineering concept: the implicit trust an individual gives a site due to a personal invitation received from a friend. The irony is, this friend may never have sent the invite in the first place.

My advice to anyone who is reading is: DO NOT give your hotmail password, or any password relating to another site or service, away to a third party. This includes e-messenger services too. If you have already given it out then change it immediately.

Below are a couple of the sites I have been pointed to when receiving invites from friends who did not send them. Sign up to them at your own risk.

www.ringo.com
www.sms.ac

Wednesday, March 29, 2006

Bad code!!!

There is a disease which has spread among us. Its victims are gullible, misinformed and vulnerable. Once it has struck, the consequences can be disastrous. Like any other disease, it is spread by those who are careless and those who have caught it themselves. The net positively stinks of it, seeping from every corner, page after page, just waiting to hitch a ride on another unsuspecting developer. What am I talking about? BAD CODE!!!!!

In my short outing on this earth I have seen the web go from a playground for script kiddies to a huge commercial entity. Anyone who doesn't use it is considered strange. A company that doesn't have a web site does not exist and a home without an Internet ready PC is like a relic from the stone age. With this has come a new type of programmer. These are not hobbyists for whom it is a way of life; they are individuals, often with other job titles, trying to solve a specific problem as quickly as possible. These people often do not have the patience and problem solving ability of those who want to program, so rely heavily on search engines and forums to find the solutions to their problems. The thing is, if you are doing something you do not like, you want to get shot of it as quickly as possible - if it works, paste it in to your app and forget about it.

So, where does the problem come from? Let us approach this from a different angle. There is a game called Chinese whispers. The object of the game is to whisper a message across a chain of several people; the irony is that by the time the message has come to the end of the chain it bears no resemblance to the original. This, in my opinion, is exactly where the problem lies.

You post a question on the forum asking how to solve a specific problem. "Mr 100 Posts Per Day" consults his 4GB library of samples, posts his response, hence solving the problem. But does this actually solve the problem? "Mr 100 Posts Per Day" rips his sample library from other posts and samples off the Internet and other forums; he doesn't know or care how the samples work, nor if they are the most secure, efficient and tidy way of solving the problem; but nor does the person asking the question (he has his code, remember). OK, this is an extreme example, only a handful of "Mr 100 Posts Per Day" exist.

But, there are a huge number of developers out there who are happy to post code snippets with no explanation, no regard for best practice and who pay no attention to security, and there are an even higher number who are willing to accept them for free. The result is that the "new to programming" programmer, who is interested in programming and does want to learn, is being weaned on a mess of sloppy, insecure, inefficient code. Worse, these "new to programming" people will no doubt learn quickly and want to spread their knowledge; they write tutorials, post samples on forums and blog.

The web is now a pandora's box if you are new to programming, because the majority of code out there is not even fit for the recycle bin; in fact the hard disks that house this code should be put in a skip and nuked.

So where do the professional and expert programmers fit in? We have a huge responsibility to ensure that none of this code makes it past our eyes without us preaching/shouting the proper way and fixing it. Being a regular forum poster, I often find myself repeating in an endless loop; "do not use echo to output all your HTML", "do not execute queries without checking for errors", "sanitize variables", "indent code", "don't use tables for presentation" ... The list goes on. But I cannot stress more the importance of this, especially with languages such as Perl and PHP which provide a huge amount of flexibility but at the same time leave a lot of room for dreadful coding.

The coding community needs to wake up ... They need to realise that giving samples which are knocked up in 5 minutes with no explanation is creating a generation of bad coders who get a terrible shock when they need to rewrite part of their application, clean up their company LAN after being attacked through an exploit, or just realise that all they have learnt in the past year is utter tosh.

Let us stand our ground and make the web a place of clean and secure code!!

Sunday, March 19, 2006

Very Useful PHP function - find out where output started!!

I have been programming with PHP for nearly three years and still I am discovering incredibly useful functions. One such that I found today was the headers_sent() function. This function returns a boolean value, indicating whether or not the HTTP headers have been sent and, more importantly, whether output for the body of the response has started.

It is useful to know this in web programming because once the HTTP headers have been sent to the user and the body of the response is being sent, no additional headers can be sent, and attempting to do so will fail.

But, this function does more than tell you whether the headers have been sent; it tells you when and where they were sent. By passing two arguments to the function (by reference), it will also tell us the file and line number where the headers were sent and the main body of the response began to be output.

While debugging big applications which include code from several files, I often find myself hunting for a rogue echo or print_r statement that I was using to check data and program flow. With the headers_sent function, the offending statement can be found in seconds.

This is what I did. I edited my php.ini file to add a file to the end of all scripts using the auto_append_file directive. In this file I put three lines of code:

<?php
// Appended to every script via auto_append_file, so it runs after the
// script's own output. headers_sent() fills $file and $line by reference
// with the location where the first byte of the body was emitted.
if (headers_sent($file, $line)) {
    echo("<p><b>Output started by {$file} on line {$line}</b></p>");
}


Simple, elegant and extremely useful.
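As an added example (not the post's own code), here is the same check packaged as two helpers: a reporter that shows where output began but only reveals server file paths when a constructed APP_DEBUG switch is on, and a redirect guard that uses headers_sent() to log the problem instead of emitting a Location header that can no longer take effect. APP_DEBUG, report_output_start and safe_redirect are assumed names introduced here.

```php
<?php
// Added example, not code from the original post. APP_DEBUG is a constructed
// developer-only switch; in a real deployment it would come from configuration,
// never from a request parameter.
define('APP_DEBUG', false);

// Report where body output began. headers_sent() fills $file and $line by
// reference with the location of the first byte of output. Returns the
// message, or null when nothing has been sent yet.
function report_output_start()
{
    if (!headers_sent($file, $line)) {
        return null;                       // headers still open, nothing to report
    }
    $msg = "Output started by {$file} on line {$line}";
    if (APP_DEBUG) {
        // Only developers should see server-side file paths in the page.
        echo '<p><b>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</b></p>';
    } else {
        error_log($msg);                   // production: keep the path in the log
    }
    return $msg;
}

// A redirect that fails loudly instead of silently. Once the body has started,
// header() cannot change the response: the Location header is dropped with only
// a warning and the user stays on the current page.
function safe_redirect($url)
{
    if (headers_sent($file, $line)) {
        error_log("Cannot redirect to {$url}: output started by {$file} on line {$line}");
        return false;
    }
    header('Location: ' . $url, true, 302);
    return true;
}

// Constructed sample flow for a handler that should end in a redirect:
if (!safe_redirect('/account')) {
    echo 'Please continue to /account.';   // fallback when the redirect was impossible
}
report_output_start();
```

With auto_append_file pointing at a file containing only report_output_start(), the diagnostic from the post stays in place during development and becomes a log line in production.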

Saturday, March 18, 2006

Goto My PC for FREE!!!

I was originally going to post this here, but decided to put it on VBF as a tutorial doesn't really suit a blog.


Enjoy.

http://www.vbforums.com/showthread.php?t=393847 - Services like GotoMyPc allow you to access your computer securely from any location in the world via a web interface. But, at a price. In this case $17.95 per month. This in my opinion is a little bit costly as I have worked out how to do it for free.

Saturday, March 04, 2006

XML is Sexy

Over the past few weeks I have been delving into the applications of XML and I must say that I have been pleasantly surprised, not only by the level of support out there for XML but also by its versatility and simplicity. This is a technology that, for the most part, I have ignored until now; I fear that many other developers do the same unless forced to use it.

My latest article at PHP builder is going to be about XSL transformations. XSL (extensible stylesheet language) enables one to describe one type of XML in terms of another. Carrying out a transformation using the stylesheet effectively means that you can convert from RSS->XHTML, WML->XHTML, XHTML->WML; in fact you can convert any kind of XML to any other kind of XML.
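The RSS->XHTML case described above, as an added example that is not part of the original post or the PHP Builder article: a constructed two-item feed and a small XSLT stylesheet are run through PHP's XSLTProcessor, and the feed is parsed with LIBXML_NONET so that a feed from elsewhere cannot make the parser fetch external resources. The function name rss_to_xhtml is an assumption.

```php
<?php
// Added example, not the post's own code. Both documents below are constructed.
$rss = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>First post</title><link>http://example.com/1</link></item>
<item><title>Second &lt;b&gt;post&lt;/b&gt;</title><link>http://example.com/2</link></item>
</channel></rss>
XML;

// Describes the feed in terms of XHTML: one <ul>, one <li> per <item>.
// {link} is an attribute value template; xsl:value-of emits text, so the
// "<b>" inside the second title stays escaped rather than becoming markup.
$xsl = <<<'XML'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
  <xsl:template match="/rss/channel">
    <ul>
      <xsl:apply-templates select="item"/>
    </ul>
  </xsl:template>
  <xsl:template match="item">
    <li><a href="{link}"><xsl:value-of select="title"/></a></li>
  </xsl:template>
</xsl:stylesheet>
XML;

// Transform an RSS document into an XHTML fragment using the stylesheet.
function rss_to_xhtml($rssXml, $xslXml)
{
    // LIBXML_NONET stops libxml from loading DTDs or entities over the network
    // that an untrusted feed might reference.
    $doc = new DOMDocument();
    $doc->loadXML($rssXml, LIBXML_NONET);
    $style = new DOMDocument();
    $style->loadXML($xslXml, LIBXML_NONET);
    $proc = new XSLTProcessor();
    $proc->importStylesheet($style);
    return $proc->transformToXML($doc);
}

echo rss_to_xhtml($rss, $xsl);
```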

Doing this research has also put a few more aspects of web development in perspective, mainly XML's most popular application (XHTML) and its partners in crime, CSS and JavaScript. I see now the importance of separating these three technologies when designing web pages and ensuring that any CSS and JavaScript is included in separate files via links.

For XML the future looks bright; it has a lot of potential, some of which is already being milked (look at the Firefox web browser for example). As web technologies continue to merge with desktop applications and personal Internet connections continue to increase in speed, XML will be creeping in the background, enriching and revitalising our online experience.