-
When Social Networks Violate Trust: Yaari.com = Social Network Virus + Spam Engine
Posted on October 16th, 2008 5 comments
I just got taken for a ride and I am pissed.
I got an invite from an Indian friend that I respect, inviting me to join Yaari.com, which purports to be an Indian social networking site. He’s a very savvy guy and generally on the forefront of what’s hot and cool in Indian tech. So I thought “hey–must be something here, I should check it out.” After all, India tech is hot and I like to stay on top of what’s happening.
So I signed up. They asked if I wanted to check my GMail contact list for friends on Yaari.com. I thought: I have a lot of friends in India, most are serious web geeks, let’s see who’s here.
When I went to add my GMail password I paused for a moment. The conversation inside my head went something like this: “Give my email password to a site that I never heard of… that’s a bad idea! But then again I have checked my Gmail contacts against other sites’ buddy lists before and I never had a problem. Well, it was X that invited me and I trust him… so, I guess I will trust this site.”
And that usually works.
Usually.
But as it turns out, Yaari.com appears to be a site that is crafted to do nothing more than dupe unsuspecting people into giving up their friends email addresses; a social virus posing as a social network to harvest emails for spammers.
So, usually you can trust invites from your friends, but what happens if your friend was duped into trusting an untrustworthy site and you, in turn, trust what you think is his recommendation? Well…. it’s not really his recommendation and that’s not trustworthy, is it? The chain of trust was compromised somewhere along the line.
So, what happened was that my entire Gmail contact list was spammed with invitations to join Yaari.com WITHOUT MY CONSENT. My trust had been compromised and they took advantage of that and then used my reputation to spam my friends.
And my friends signed up.
And the cycle repeated.
After this whole mess, I had a friend point out that if you Google Yaari you see that they are a scam. A bit late, I am sad to say.
I feel terrible that I fell for this. I feel worse that my trust was used to compromise other people.
Sadly, it seems to be a new enough scam that it works and works well. This is likely to be a new frontier for scammers. Expect to see more exploits like this springing up.
They could have done worse: they could have hijacked my Gmail account. That could have been a disaster. I guess I should consider myself (relatively) lucky that the worst that seems to have happened is that I suffered embarrassment and put my friends through some inconvenience. Not to say that’s a trivial matter, but I think how much I depend on my Gmail account and I shudder to think what could have happened.
But for all of you that read this the lesson to be learned is this: it’s not enough to trust the person that you get an invite from on a social network, you MUST VERIFY YOU CAN TRUST THE NETWORK IT WAS SENT OVER.
I should have seen that. My hesitation in clicking the button was the little voice inside my head telling me what I already knew. My scam sensor went off and I chose to ignore it.
There is a first time for everything…
Some Tips for Secure Social Networking
- Be more aware of the dynamics of trust on the Internet. You must think of trust not as a person or a name, but as a chain of events, and each link in the chain must be trustworthy.
- Never give out your passwords to any site–trusted or not. Yeah, we already know it–but social networks have conditioned us to behave otherwise.
- Google and email providers need to make a great effort to educate users not to give up their password for any reason and provide alternate ticket-based access to contacts that can be authorized–much like Yahoo is doing.
- Browsers should be flagging sites like Yaari.com as phishing scams. They are potentially as dangerous as banking scams; access to email passwords can divulge tremendous amounts of user data and can give scammers the ability to reset passwords–which is even better than the password itself.
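The third tip above asks providers for "ticket-based access to contacts that can be authorized" instead of the password itself. The example below is added here and is not code from the original post or from any provider; it sketches what such a ticket looks like and why it limits the damage: the provider signs a short-lived ticket naming the third-party site and the scope it was granted, the site presents the ticket rather than the user's password, and a contacts-only ticket cannot be used to send mail in the user's name. The function names, scope strings, signing key and address book are all constructed for the illustration.

```python
"""Added illustration (not from the original post or any real provider):
a minimal ticket-based grant for contact access, as the post recommends in
place of handing a third-party site your email password. All names, the
signing key, the scope strings and the address book are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret held only by the email provider; the third-party
# site never sees it and so cannot mint or alter tickets.
PROVIDER_SECRET = b"constructed-provider-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, audience: str, scopes, ttl_seconds: int, now=None) -> str:
    """Provider side: after the user consents on the provider's own page, issue a
    signed ticket naming the third-party site (audience), the allowed scopes and
    an expiry. The user's password never leaves the provider."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "scope": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_ticket(ticket: str, audience: str, required_scope: str, now=None):
    """Return the claims if the ticket is genuine, unexpired, meant for this
    audience and carries the required scope; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body, sig = ticket.split(".", 1)
        expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None  # malformed ticket
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None  # presented by the wrong site, or expired
    if required_scope not in claims.get("scope", []):
        return None  # e.g. a contacts-only ticket offered for sending mail
    return claims


# Constructed sample data standing in for a user's address book.
CONTACTS = {"alice@example.com": ["bob@example.com", "carol@example.com"]}


def contacts_endpoint(ticket: str, audience: str, now=None):
    """Provider endpoint: release the friend list only to a valid 'contacts:read' ticket."""
    claims = verify_ticket(ticket, audience, "contacts:read", now)
    if claims is None:
        return None
    return list(CONTACTS.get(claims["sub"], []))


def send_mail_endpoint(ticket: str, audience: str, now=None) -> bool:
    """Provider endpoint: sending needs 'mail:send'. A site that was only granted
    contact lookup therefore cannot spam those contacts in the user's name."""
    return verify_ticket(ticket, audience, "mail:send", now) is not None


if __name__ == "__main__":
    t = issue_ticket("alice@example.com", "social-site.example", ["contacts:read"], 600, now=1000)
    print(contacts_endpoint(t, "social-site.example", now=1001))   # the friend list
    print(send_mail_endpoint(t, "social-site.example", now=1001))  # False: no mail:send scope
```

The point of the design is least privilege and revocability: the ticket expires on its own, the provider can refuse it at any time, and a scope the user never consented to is simply not in it, none of which holds once a site has the password.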
-
Google Chrome Changes the Game: The Browser as Platform
Posted on September 2nd, 2008 1 comment
Google announced their new browser named “Chrome” today. Check out the blog post and, better yet, the Google Chrome comic book.
The platform wars just moved from the OS to the browser and Google took a commanding lead.
Rather than re-write everything, allow me the luxury of re-purposing my Tweets:
- Chrome is all open source. They have made the world their R&D department. Brilliant.
- Chrome just increased the importance of Javascript dramatically. They launched a platform where Javascript is the dominant language.
- Google just moved the development platform to the browser. The OS just took a backseat
- If MS was afraid that Google had them in the Search Engine Market, they should be shitting themselves about now about the browser market.
- Chrome will set the bar for what people will expect in a web browser.
- Google didn’t have to reinvent the OS; they just had to build the best browser that could run on any OS.
- Automated testing against google’s vast index of web pages is a stroke of brilliance for stability testing a browser.
- Chrome should solve the biggest annoyance I have with my browser: better memory management so I don’t have to restart my browser 3X daily.
- Chrome is privacy-oriented. That’s a good thing.
- The name is very tongue-in-cheek: chrome is a reference to the UI for an application; Google wants Chrome to be the UI for the user’s web experience.
- This is the biggest architectural leap in computing in a long time.
Google has just moved to the forefront of the Browser wars and will force the competition to keep up. They have the brand recognition, industry leverage and exposure to get their browser installed in a LOT of computers.
Oh–and it’s also built on the same engine that the Android mobile browser will run on.
Mark my words: Google just changed the game on the web. Chrome is the lever they use to move the world.
-
Thai MICT: If You Can’t Beat ‘Em, Hack ‘Em!
Posted on April 11th, 2008 8 comments
The folks over at the Ministry of Information and Computer Technology here in Thailand just keep up the great work.
What can they do to top their random and ridiculous website block lists?
Well, they can hack websites they deem offensive to the Thai character:
The Information and Communications Technology Ministry is to ‘hack and crack’ foreign websites deemed offensive to Thailand’s revered institutions. A March 15 report in Krungthep Turakij newspaper (www.bangkokbiznews.com) quoted a source at the ICT that the ministry could pursue legal proceedings only with websites registered in Thailand, and is now planning a ‘hack and crack’ programme to hack offensive websites hosted abroad and delete their contents, because the legal process would take too long.
Wow. What a twisted mindset.
Via the good folks at Freedom Against Internet Censorship Thailand.
-
Larry Lessig for Congress!
Posted on February 21st, 2008 No comments
Well, here is the best reason I ever heard for moving to California: Larry Lessig is thinking about running for congress!
We had a lot of discussion on Twitter the other day about how politicians don’t get technology and new media. Here is a guy that really gets it! I should move to California just to vote for him. He is one person I would be proud to call my congressman!
-
Two Thirds of Americans Think Nanotechnology is Morally Unacceptable
Posted on February 21st, 2008 No comments
Can a whole realm of technology be morally unacceptable? Two thirds of Americans seem to think that nanotechnology is morally unacceptable.
Huh?
Americans’ fear of technology and truth continues to frighten me. How can a country keep its technological lead when its masses find pure science and technology to be “morally unacceptable?”
Hint: people have to understand that science and technology are knowledge which is neutral; how you use technology can be either good or evil and have moral consequences.
-
CNN Fires Blogger
Posted on February 20th, 2008 No comments
Funny, for an industry that thrives on freedom of expression, they can be rather harsh censors of their own people.
Chez Pazienza was fired from her job at CNN for blogging about her job at CNN.
While I understand that a company has to protect its proprietary secrets and shareholder value, somehow news companies seem like they should rise above the rest in protections for freedom of expression.
The firing of Chez Pazienza for blogging just gives credence to her criticism of CNN as a company that has lost touch with the core values of the news media that made Murrow and others of his generation respected giants of American culture.
It seems CNN’s effusive support of blogs, bloggers and blogging (not to mention freedom of expression) is somewhat of a superficial show of face and not a real core value.
-
Windows Live Hotmail is Rejecting (Not Filtering) Spam
Posted on February 3rd, 2008 24 comments
Windows Live Hotmail is rejecting email messages! No, I don’t mean they are flagging mails as spam, they are actually rejecting the emails–which means the emails never get to the recipient, not even into the spam folder.
As far as I can determine this only happens in a small number of cases, but the fact that it happens at all should be an outrage.
Effectively, Microsoft, at their discretion, is absolutely barring certain people from emailing Hotmail customers.
I sent three emails in three days to two friends, all rejected by Hotmail; one of them was very important information about an airline reservation I was sending to a friend I was supposed to meet next week.
I got the following Undelivered Mail Returned to Sender message on three email messages:
I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.
For further assistance, please send mail to
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
: host mx1.hotmail.com[65.54.245.8] said: 550 SC-001 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support (in reply to MAIL FROM command)
Did my friend get the email or not? Well, from the error message I received, it appears they did not.
WTF? Now Microsoft is deciding who you can send email to and who you can receive emails from?
This is the line that scares me the most:
Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems.
Rejection means the email never, ever gets to the recipient. Never. Ever.
The problem with rejecting (as opposed to filtering) potential spam is that Microsoft is making an absolute determination on what email you can receive, rather than offering a tool that assists you in filtering your email. When emails are filtered, Microsoft is allowing you to get all your emails even though they might suggest it is spam and put that in some place other than your Inbox–but you can still access it. When it is rejected, you do not and cannot get your email–Microsoft has made an irrevocable decision for you.
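The practical question a sender is left with is the one asked above: did the message reach the recipient at all? The answer is in the bounce itself. The example below is added here and is not code from the original post; it pulls the remote server's SMTP reply out of a bounce like the one quoted above and classifies a 5xx reply as a hard rejection (the message was never accepted, so it is in no folder on the recipient's side), as opposed to a 4xx deferral (the sending server will retry) or an accepted-then-filtered message (which produces no bounce at all). It also reports which SMTP command drew the rejection: a reply to MAIL FROM, as in the post, means the server refused the sender before seeing the recipients or the content. The sample bounce is constructed after the post's quote and the function names are hypothetical.

```python
"""Added example (not from the original post): classify an
"Undelivered Mail Returned to Sender" bounce so the sender can tell a
hard rejection, where the recipient never receives the message, from a
temporary deferral. The sample bounce text is constructed after the one
quoted in the post; the function names are hypothetical."""
import re

# Matches the Postfix-style reply line:
#   host NAME[IP] said: CODE TEXT (in reply to CMD command)
_REPLY_RE = re.compile(
    r"host\s+(?P<host>\S+?)\[(?P<ip>[^\]]+)\]\s+said:\s+(?P<code>[2-5]\d{2})\s+"
    r"(?P<text>.*?)\s*\(in reply to (?P<cmd>[A-Z ]+?) command\)",
    re.S,
)


def parse_smtp_reply(bounce_text: str):
    """Extract the remote server's reply from a bounce, or None if there is none."""
    m = _REPLY_RE.search(bounce_text)
    if not m:
        return None
    reply = m.groupdict()
    reply["code"] = int(reply["code"])
    reply["text"] = " ".join(reply["text"].split())  # unwrap the folded lines
    return reply


def classify_bounce(bounce_text: str) -> str:
    """'rejected' -> 5xx permanent failure: the message was never accepted, so it
                     cannot be in the recipient's Inbox or their spam folder.
       'deferred' -> 4xx temporary failure: the sending server will retry later.
       'unknown'  -> no recognisable SMTP reply in the bounce."""
    reply = parse_smtp_reply(bounce_text)
    if reply is None:
        return "unknown"
    if 500 <= reply["code"] <= 599:
        return "rejected"
    if 400 <= reply["code"] <= 499:
        return "deferred"
    return "unknown"


def rejection_stage(bounce_text: str):
    """The SMTP command that drew the reply. A reply to MAIL FROM means the server
    refused the sender before seeing any recipient or content, which points at
    sender/IP reputation rather than at the body of the message."""
    reply = parse_smtp_reply(bounce_text)
    return reply["cmd"] if reply else None


# Constructed sample, modelled on the bounce quoted in the post.
SAMPLE_BOUNCE = """I'm sorry to have to inform you that your message could not be
delivered to one or more recipients. It's attached below.

<friend@hotmail.example>: host mx1.hotmail.com[65.54.245.8] said: 550 SC-001
    Mail rejected by Windows Live Hotmail for policy reasons. Reasons for
    rejection may be related to content with spam-like characteristics or
    IP/domain reputation problems. (in reply to MAIL FROM command)
"""

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))   # rejected
    print(rejection_stage(SAMPLE_BOUNCE))   # MAIL FROM
```

Run against the bounce in the post, this classifies it as a hard rejection at MAIL FROM, which is exactly the case the post is worried about: nothing reached the recipient for them to retrieve, and the decision was made on the sender rather than on the message.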
Do you trust Microsoft to make these decisions for you?
For me the answer is an emphatic NO!
How can you trust an email provider–even if their intention is to be helpful and benevolent–that rejects some of your emails on your behalf? An email system is useless if it’s not 100% reliable and no automated system that rejects emails can determine what is relevant to me 100% of the time.
This is not a trivial situation.
What You Can Do
Please let Microsoft know that they do not have the right or authority to make decisions on what emails you can send to their customers or, if you are a Hotmail customer, what emails you can receive! Send a message to Windows Live Hotmail Feedback and let them know this is not acceptable!
If you have a Hotmail account, sign up for Gmail and send all your friends an email telling them you are no longer using Hotmail and why.
Then again, if your friends are using Hotmail, maybe you should call them–you can’t be sure that they will get the email.
-
Sony’s DRM Crosses the Line and Installs a Rootkit
Posted on November 3rd, 2005 1 comment
The Washington Post has a good article on how Sony’s new copy protection scheme installs what amounts to a rootkit on your computer to prevent you from copying their CDs.
Sysinternals published the original report, complete with all the gory details.
Wired has a great article on Sony’s reluctance to come clean on the issue called “The Coverup Is the Crime.” I like the sentiment expressed in the closing line:
Honest programs have no need to conceal themselves or their actions from users. Honest companies, too.
This is way over the line of acceptable behavior.
I certainly won’t be buying a Sony / BMG CD.
Update Nov. 11, 2005
Well, it seems it is also legally way over the line of acceptable behavior. Slashdot is reporting that EFF has filed a suit in California and will be filing another in New York later today.
Also it seems that there is already a trojan that uses the Sony software to hide itself from detection.