2007-08-14

A guide to Facebook's security settings aka Facebook Security for the Uninitiated!

Firstly, a disclaimer: in my opinion there is no such thing as complete security; there is only ever a best-practice solution, and that is limited by what the online application allows.

The developers at Facebook have implemented some of the best privacy settings I have seen in a social networking tool. These can be found in the "privacy" menu on the top right of a profile page. Here is my version of proposed default settings:

Profile

  • Profile: "Only my friends" (allows only your added friends to view your profile details.) HIGHEST LEVEL AVAILABLE
  • Status Updates: "Only my friends" (allows only your added friends to view your status updates.) HIGHEST LEVEL AVAILABLE
  • Videos Tagged of You: "Only my friends" (allows only your added friends to view videos of you, can also be set to "only me".)
  • Photos Tagged of You: "Only my friends" (allows only your added friends to view photos of you, can also be set to "only me".)
  • Online Status: "Only my friends" (allows only your added friends to view your online status, can also be set to "only me" or "no one".)
  • Friends: "Only my friends" (allows only your added friends to view your friends list) HIGHEST LEVEL AVAILABLE
  • Wall: "Only my friends" (allows only your added friends to view or add to your wall, can also be set to "only me" or "no one")

Contact Information

  • IM Screen Name: "Only my friends" (allows only your added friends to view your IM screen name.) HIGHEST LEVEL AVAILABLE
  • Mobile Phone: "Only my friends" (allows only your added friends to view your mobile phone details.) HIGHEST LEVEL AVAILABLE
  • Land Phone: "Only my friends" (allows only your added friends to view your landline telephone details.) HIGHEST LEVEL AVAILABLE
  • Current Address: "Only my friends" (allows only your added friends to view your contact address details.) HIGHEST LEVEL AVAILABLE
  • Website: "Only my friends" (allows only your added friends to view your website details.) HIGHEST LEVEL AVAILABLE

Contact emails

  • Personal email addresses: "Only my friends" (allows only your added friends to view your personal email addresses, can also be set to "no one") Facebook also obscures this by displaying it as a graphical image rather than plain text so that automated email address harvesters cannot grab it for spam purposes.
  • Work or organisational email addresses: "No one" (Does not allow anyone to see your work or organisational email address. Ultimately, work and organisational email addresses are for that purpose only. By allowing others to see that email address they can use it for purposes outside of your control, such as sending pornographic material, viral code, phishing emails, etc. Organisations have been known to take legal action against individuals who publish work email addresses because they allow attackers an insight into email address structure, etc. Additionally, it is in your best interest to use a personal email address that is not affiliated to somewhere you might not even be at a year from now!) HIGHEST LEVEL AVAILABLE

Applications in your Profile

These should be decided on a case-by-case basis; I have set all my applications to either "no one" or "only my friends". Why on earth would you want your posted items to be viewable by everyone in your country-level network, for example? Simple answer: there isn't one.

Search

  • Who can find me in a search: "Everyone" (Allows all Facebook users to view your public profile; more about your public profile in a minute. This is a good case of applying security only where needed: if you were to lock this setting down to "no one" there would be no point using Facebook! In order for a social network website to work you need to be able to network! However, we can control what the Facebook population can view in a search; more details below.)
  • Allow anyone to see my public search listing: YES (This allows public search engines to view your profile.)
  • Allow my public search listing to be indexed by external search engines: NO (This means that search data cannot be cached by search engines; if you change your name, for example, you won't be found from a previously indexed search.)
What Can People Do With My Search Results:
  • See your picture: NO (Why? Isn't a name good enough, let them send you a message first so you can see if you want them to view your picture. People can use photographs for social engineering purposes.) HIGHEST LEVEL AVAILABLE
  • Send you a message: YES (No harm in messages)
  • Poke you: YES (No harm in "poking" :-D )
  • Add you as a friend: YES (People can add you as a friend; of course, this is a reciprocal two-step process. Someone can only be your friend if both people add each other as friends and thus confirm the relationship.)
  • View your friend list: NO (Why should an otherwise complete stranger be able to see who you are friends with? Take this example: someone you do not wish to be affiliated with wants to confirm which one of five profiles from a search is you. By viewing your friends list they may be able to confirm which one is you and use your friend list as information to target a social engineering attack.) HIGHEST LEVEL AVAILABLE

News Feed and Mini-Feed

Changing your profile can trigger news alerts regarding those changes to your friends. Whilst your friends are ... well ... your friends, they might not always be your best friends. Certain events you may not wish to advertise to colleagues, co-workers or friends in general. This is my list:
  • Remove Profile Info: NO
  • Write a Wall Post: NO
  • Comment on a Note: NO
  • Comment on a Photo: YES
  • Comment on a Video: YES
  • Comment on a Posted Item: YES
  • Post on a Discussion Board: YES
  • Add a Friend: NO
  • Remove my Relationship Status: NO
  • Leave a Group: NO
  • Leave a Network: NO
  • Show times in my Mini-Feed: NO (Because these times can show when you are online.)

Poke, Message and Friend Request Settings

When you poke, message or add someone as a friend you allow them to see your profile. Whilst this is useful, you may wish to limit some of the information you allow others to view. These are my settings:
  • Basic Info: NO
  • Contact Info: NO
  • Personal Info: YES
  • Education Info: NO
  • Work Info: NO
  • Wall: NO
  • Photos Tagged of Me: YES
  • Videos Tagged of Me: NO
  • Online Status: NO
  • Status Updates: NO
  • Friends: NO
  • Posted Items: NO
  • Notes: NO
  • Groups: NO

Essentially, if someone wants to know who I am they should only need the most basic of personal information and a photo or two. From there people can then add you as a friend to have access to more information. Any supplemental information such as work, telephone, networks, etc. is purely open to abuse from a social engineer.

Applications

A little note about Applications: they are written by third parties. Do you really want the writer of an add-in application to see your religious or political views? Or what sex you're interested in? Probably not. Be sure to uncheck all available options in the "What Other Users Can See via the Facebook Platform" settings option.

Block People

Does exactly what it says: this stops the specified users from accessing your profile or even seeing it in a Facebook search. Useful, huh? It even blocks unwanted communications from the user within the Facebook tool.

Limited Profile List

This little option allows you to limit your profile to a level specified by you for certain added friends. Useful if you wish to have two different levels of profile: one profile for friends and one for work colleagues, for example.

2007-08-09

Love, light and lenses

I love photography; anyone who knows anything about me knows this much. Just recently I have been longing to take more wildlife photographs, but crawling around in the undergrowth setting up spy huts to get close to nature isn't my cup of tea, frankly. I would much prefer a big telephoto lens that I can just point at my subject 50 metres away and get an impressive shot.

So, time to hunt for a telephoto lens that will fit the bill. I currently have a very tasty Nikon Nikkor 18-200mm Vibration Reduction (VR). It has a 3.5 f-stop maximum aperture, which lets in quite a bit of light and allows me to take photos in fairly low-level light. But it's just not long-range enough. The problem with lenses is that the longer the lens, the wider it has to be to get the same level of light through the lens, which in turn means that more glass is used, which in turn means that it is more expensive.

So why is light so important? Simple, however much you magnify your subject you ALSO amplify the noticeable movement of the lens/camera. The science of exposing a photograph is based on a trade-off between light levels and shutter speed. The lower the light level, the more time it will take to make the exposure, which in turn increases the risk of recording motion blur from shutter bounce, unsteady hands or general vibrations.

So I started looking around; I wanted a good telephoto zoom that also allowed a decent amount of light through without breaking the bank balance. What I found was the Sigma APO 200-500mm F2.8; I'm kind of guessing it's going to break my bank balance. It is HUGE. It weighs in at approximately 16kg and will cost approximately 7000 US dollars. Needless to say, I'm still looking.

2007-08-01

iPhone patch already?

I have a Nokia 8800, a nice phone by most standards, not quite in the same league as a Vertu but nice nonetheless. One of the great things about my phone is the robust stainless steel casing and the two-year premium support that comes with these phones regardless of the network provider. The phone is now two years old; I was an early adopter, so the time has come for me to look for a new one. Being an early adopter ... the iPhone looked like the way to go.

Two days ago Apple released their first set of patches for the iPhone, a month after the initial US launch. All the addressed vulnerabilities seem to be related to Safari, Apple's own internet browser software. Of particular note are the arbitrary code execution and cross-site scripting vulnerabilities. Yikes! I'm glad I'm one of those people who refuse to use handheld devices to browse the internet. With vulnerabilities like that I wonder how long it will be before the iPhone becomes the target of viral code ...