Technology, Social Media, Travel
  • When Social Networks Violate Trust: Yaari.com = Social Network Virus + Spam Engine

    Posted on October 16th, 2008 John Berns 5 comments

    I just got taken for a ride and I am pissed.

    I got an invite from an Indian friend that I respect, inviting me to join Yaari.com, what purports itself to be an Indian social networking site. He’s a very savvy guy and generally on the forefront of what’s hot and cool in Indian tech. So I thought “hey–must be something here, I should check it out.” After all, India tech is hot and I like to stay on top of what’s happening.

    So I signed up. They asked if I wanted to check my GMail contact list for friends on Yaari.com. I thought: I have a lot of friends in India, most are serious web geeks, let’s see who’s here.

    When I went to add my GMail password I paused for a moment. The conversation inside my head went something like this: “Give my email password to a site that I never heard of… that’s a bad idea! But then again I have checked my Gmail contacts against other sites’ buddy lists before and I never had a problem. Well, it was X that invited me and I trust him… so, I guess I will trust this site.”

    And that usually works.

    Usually.

    But as it turns out, Yaari.com appears to be a site that is crafted to do nothing more than dupe unsuspecting people into giving up their friends’ email addresses; a social virus posing as a social network to harvest emails for spammers.

    So, usually you can trust invites from your friends, but what happens if your friend was duped into trusting an untrustworthy site and you, in turn, trust what you think is his recommendation? Well…. it’s not really his recommendation and that’s not trustworthy, is it? The chain of trust was compromised somewhere along the line.

    So, what happened was, that my entire Gmail contact list was spammed with invitations to join Yaari.com WITHOUT MY CONSENT. My trust had been compromised and they took advantage of that and then used my reputation to spam my friends.

    And my friends signed up.

    And the cycle repeated.

    After this whole mess, I had a friend point out that if you Google Yaari you see that they are a scam. A bit late, I am sad to say.

    I feel terrible that I fell for this. I feel worse that my trust was used to compromise other people.

    Sadly, it seems to be a new enough scam that it works and works well. This is likely to be a new frontier for scammers. Expect to see more exploits like this springing up.

    They could have done worse: they could have hijacked my Gmail account. That could have been a disaster. I guess I should consider myself (relatively) lucky that the worst that seems to have happened is that I suffered embarrassment and put my friends through some inconvenience. Not to say that’s a trivial matter, but I think how much I depend on my Gmail account and I shudder to think what could have happened.

    But for all of you that read this the lesson to be learned is this: it’s not enough to trust the person that you get an invite from on a social network, you MUST VERIFY YOU CAN TRUST THE NETWORK IT WAS SENT OVER.

    I should have seen that. My hesitation in clicking the button was the little voice inside my head telling me what I already knew. My scam sensor went off and I chose to ignore it.

    There is a first time for everything…

    Some Tips for Secure Social Networking

    • Be more aware of the dynamics of trust on the Internet. You must think of trust not as a person or a name, but as a chain of events and each link in the chain must be trustworthy.
    • Never give out your passwords to any site–trusted or not. Yeah, we already know it–but social networks have conditioned us to behave otherwise.
    • Google and email providers need to make a great effort to educate users not to give up their password for any reason and provide alternate ticket-based access to contacts that can be authorized–much like Yahoo is doing.
    • Browsers should be flagging sites like Yaari.com as phishing scams. They are potentially as dangerous as banking scams; access to email passwords can divulge tremendous amounts of user data and can give scammers the ability to reset passwords–which is even better than the password itself.
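
The "ticket-based access" tip above, sketched as an added example that is not part of the original post: a toy mail provider issues a signed, short-lived ticket limited to reading contacts, so the third-party site never sees the password. All names here (`issue_ticket`, `authorize`, the `contacts.read` scope, the key) are hypothetical and do not describe any real provider's API.

```python
import base64, hashlib, hmac, json, time

PROVIDER_KEY = b"constructed-demo-key"  # known only to the mail provider (constructed value)
REVOKED = set()                         # ids of tickets the user has withdrawn

def _sign(body: bytes) -> bytes:
    return hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_ticket(user, client, scopes, ttl=600, now=None):
    """Provider side: mint a ticket after the user approves the listed scopes."""
    now = time.time() if now is None else now
    claims = {"id": f"{user}:{client}:{int(now)}", "user": user,
              "client": client, "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def _open(ticket):
    """Return the claims if the signature is valid, otherwise None."""
    body, _, sig = ticket.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def authorize(ticket, needed_scope, now=None):
    """Provider side: decide one API call; returns (allowed, reason)."""
    now = time.time() if now is None else now
    claims = _open(ticket)
    if claims is None:
        return False, "bad signature"
    if claims["id"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if needed_scope not in claims["scopes"]:
        return False, "scope not granted"
    return True, "ok"

def revoke(ticket):
    """User side: withdraw access without changing the account password."""
    claims = _open(ticket)
    if claims is not None:
        REVOKED.add(claims["id"])
```

A ticket like this still hands over the contact list itself, so it limits what a site can do with the account (no mail access, no password resets), not what it does with the addresses it reads.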
  • My New Distributed Brain

    Posted on May 7th, 2008 John Berns 7 comments

    I have become smarter recently. It is due to my new Distributed Brain.

    I have recently begun to distribute my thinking across the globe with Twitter. When a question pops into my head, I first check the local cache (my memory), then I query the global memory (Tweet the thought or question on Twitter) to see if an answer or comment bounces back–and often it does. (And if that fails, there is the fall-back of Googling for an answer.)

    What’s so special about Twitter for getting answers? It’s the number of people that can have access to the data. Currently, there are over one million active tweeters and it’s growing fast. Anybody who tweets can follow you on Twitter (unless of course, you make your tweets private–but the default is public which is nice.)

    Of course not everybody does follow me, after all I have never been that popular, however, I do have a fair amount of like-minded individuals that follow me. But the big difference with Twitter is that people can track words. So if I tweet about Drupal, or Ubuntu or Thailand, anybody tracking those words can capture my tweet.

    This Is Your Brain on Twitter

    Here is an example:

    While writing this blog, I was wondering if there were any stats on the number of twitter users. I did not know the answer, but I figured somebody using Twitter would. So I tweeted the question.

    I got the Twitter usage stats I wanted for supporting facts in this article. It took a few seconds but it was EXACTLY the info I needed. My distributed brain is quite smart. Smarter than my local brain by itself.

    I see this happening all the time on Twitter. People asking about restaurants in Bangalore, how to fix a code problem, where to buy size 13 shoes in Bangkok–queries that Google would choke on.

    Why Is This Different?

    Internet users have been using forums, search engines, chat programs and other apps for querying and sharing information for a long time. So, why is this different?

    It has a potentially wider reach than regular chat/IRC programs.

    If you know where to ask the question on IRC or a specialized chatroom, you can probably get the answer just as easily–but finding that place? That might not be so easy. On twitter, everybody who tracks the terms you use in your tweet can see it–a potentially larger audience.

    It’s faster than a forum / mailing list.

    With forums, like chat rooms, you need to know where to find the people that know the answer and then you have to wait–usually a few hours or even days–to get your answer. With Twitter, the answer often comes back in seconds.

    It’s almost always more accurate than a search engine.

    When you Google for an answer, an algorithm determines the response. Google does not (yet) have the technology to understand the question–but it has an algorithm that does a very good–but not perfect job–of figuring out what is relevant to your query.

    If you use a human-powered search engine like Mahalo, you don’t get an answer to your question–you get a pre-built set of results based on the fact that your question is like another question their human editors have asked and compiled a result for. Again, it’s not THE answer to YOUR question–but AN answer to a question that is like your question.

    Any Venture Capitalists Listening?

    Here, potentially, lie the seeds for the Holy Grail of search engine technology: a real-time, human powered search engine. If you can build a user base willing to answer real-time questions (possibly leveraging an existing social network), find a way to at least reasonably filter / channel questions to the people with the answers, and a reputation system to prevent spam answers–then you could have a spectacular product.

    But why would people answer other people’s questions for free?

    Why do they do it now? It’s a great way to connect with other people with similar interests.

    And it does not have to be free. Integrate something that leverages PPC ads and there is the potential for revenue sharing–on the order of billions of dollars of revenue per year. Oh yeah!

    The new paradigm is the query becomes the social network.

    I must ponder this more…. I feel a larger blog coming on.

    Until then, follow me on Twitter: @jfxberns.