Posts Tagged ‘privacy’

Facebook Email Address Book Invites Made Slightly Less Creepy

Friday, December 21st, 2007

Facebook, if you didn’t know already, asks you for your email address and password when you create an account, or even if you don’t. It’s a highly visible link on their homepage. The stated reason is so that you can send invite letters to your contact list. And you can’t blame the peeps for trying, right? We all gots our hustle. It’s just that Facebook’s particular hustle leaves a lot of room for doubt. It could be Facebook doing exactly what they claim to do and nothing else, or it could be that the largest data mining company in the world is applying to email what Nigerian scammers have been doing with bank accounts for years.

But it’s also a royal pain in the tuches to have to invite every one of your friends to your social networking site manually, and with the importance of social networking sites to many businesses, people in fields that require a little publicity, and people who really like attention, this is a useful feature.

Which is why this article from blogger Dragon’s Flag caught our eye. It’s not just a plug for our product (although an independent testimonial to how awesome we are it certainly is), it’s also a fantastic little piece of know-how that makes you kick yourself for not thinking of it. And so here it is, translated for your edification:

On National Day (October 1st), 2007, I created a Facebook profile, and as part of the registration process, Facebook asked for my email account and password. To test if Facebook poses a threat to social networks by doing this, I gave them my password. I can hand out my password to pretty much anyone who asks for it, but can you?

Facebook’s Add Friends Page

My email address is dragonflag@gmail.com, and there are over 3000 emails inside. (Facebook supports most of the major services, including gmail, hotmail, live, yahoo, aol, etc.) Before uploading my password, I changed it to 123456.

I’m a longtime user of the notable Gwebs WebmailSafety software. I have more than 50 people in my address list there, and all the email we’ve sent back and forth that is stored on Google’s servers is encrypted using an RSA+AES mixed cipher. I’m definitely not worried about Facebook searching or selling my email, because they can’t understand a word of it.

So after I gave my password to Facebook, those 50-odd people received their invitation letters, and after 30 minutes I changed it back. Everything was alright, and now Facebook and I don’t owe each other anything, nor do we have to be concerned about one another.

I also used the same method to register at the domestic (mainland Chinese) social networking site XING.com, without any apparent danger to my privacy or data. My advice when dealing with commercial web service companies like this is not to trust them lightly. Their promises to you don’t mean a thing, and it’s never a bad idea to have some basic self-protection in place.

So take my advice, especially if you’re one of those people who haven’t invited their email contacts because you’re afraid of your email being searched or revealed.

Italicized text added by translator.

Encrypting his email, we approve of, and using our product to do it, we approve of even more. But another important step he’s taken is:

Before uploading my password, I changed it to 123456…and after 30 minutes I changed it back

This is very important, because people are often predictable when they create passwords, and even if you use “rules” to create less breakable passwords and change them regularly, if someone gets a sample or two of your work, they can figure out your formula, and you’re right back where you started. Change your password to a no-brainer before giving it to someone, and change it back as soon as possible.

The best advice here, though, is not to let a company that makes its living by selling highly specialized user data to advertisers rummage through your inbox. Using Gwebs WebmailSafety (which is free, remember) or any of the other programs on the market means that your email is safe from advertisers as well as hackers.


Beijing Lawyer Sues Baidu and Wanwang for “Hanging His Email Out to Dry”

Tuesday, December 18th, 2007

One of the reasons we (yes, it’s a we now) at the Cryptographer are in this business is because we get to laugh at the messes we ourselves will never get into. Take, for example, Guo Li, a Hangzhou lawyer whose email was inadvertently “hung out to dry” online by Baidu (China’s search giant) and WanWang (one of China’s largest hosting providers). He sued for 1,000,000RMB (around $120,000), and the results speak for themselves.

I have translated the following article specifically for this blog.

Private Emails “Hung Out to Dry” for a Month, Victim Sues Baidu for Violation of Privacy.
8-12-2007 3:35 A.M., Beijing Morning Post

After his private emails hosted in a Baidu (百度) account were posted online for more than a month, Hangzhou lawyer Guo Li (郭力) decided to sue Baidu Inc. and email services provider WanWang (万网) for 1,000,000 yuan in damages, claiming his communication privacy rights were violated. A judgment will be issued tomorrow at the Haidian District Court on this so-called “national precedent-setting email privacy case.” Guo Li stated at the conclusion of the trial, “It’s entirely possible to look into other people’s inboxes online, I’ve searched the information myself. This won’t be the last trial of this type.”

Guo Li

(more…)

Security News

Monday, December 17th, 2007

Two news stories caught my attention this weekend. The first, “Wider Spying Fuels Aid Plan For Telecom Industry,” [NyTimes.com] is a great article describing the state of the NSA wiretapping investigation. Most of my readers will have heard of the secret room at AT&T’s San Francisco offices, which was built to mirror ALL of the data going into and out of AT&T. But the reporter for this excellent article turns up a ton of new information.

The N.S.A.’s reliance on telecommunications companies is broader and deeper than ever before, according to government and industry officials, yet that alliance is strained by legal worries and the fear of public exposure.

To detect narcotics trafficking, for example, the government has been collecting the phone records of thousands of Americans and others inside the United States who call people in Latin America…. The program dates to the 1990s, according to several government officials, but it appears to have expanded in recent years.

Terror, the government’s (not very good) excuse for reneging on the 4th Amendment’s promises of personal security, has nothing to do with drug trafficking.

In addition, the article points to some further previously unknown facets of the government’s spying. A dedicated fiber optic cable mirroring all of Verizon’s traffic appears to have been uncovered during lawsuit depositions.

[what the accusing Verizon employee saw] “was decisive evidence that within two weeks of taking office, the Bush administration was planning a comprehensive effort of spying on Americans’ phone usage.”

The same lawsuit accuses Verizon of setting up a dedicated fiber optic line from New Jersey to Quantico, Va., home to a large military base, allowing government officials to gain access to all communications flowing through the carrier’s operations center. In an interview, a former consultant who worked on internal security said he had tried numerous times to install safeguards on the line to prevent hacking on the system, as he was doing for other lines at the operations center, but his ideas were rejected by a senior security official.

It doesn’t say why his safeguards were rejected, but if the government is viewing all our telecommunications, that is bad enough; if they are negligently making that information available to hackers, that is an even greater cause for concern.


Five Good Reasons to Use Encryption, and Five Good (and Not-so-Good) Reasons Not to.

Wednesday, November 21st, 2007


Encryption is extremely important, but its overuse can also lead to problems.

Five reasons to use encryption:

1) You are dealing with important government, company, or personal data – especially on laptops, flash drives, or portable hard drives.

The news these days is riddled with stories of public servant or big company data theft, often due to laptop or hard drive loss. If big companies lose their data that often, little companies and individuals must do it all the time (more often, probably, because they don’t have encryption mandates) – they just don’t make the news. If you encrypt your data properly, data theft is virtually impossible. Note too that encryption doesn’t preclude data loss - you should back up your important data as well. (more…)

Hushmail, and Security in Our Daily Lives

Sunday, November 18th, 2007

Yesterday’s news of Hushmail.com passing information to the US Government is alarming to most people who consider privacy important. We use encryption to protect our privacy against industrial spies, nosy intruders, and hackers; but most importantly, we use encryption to protect ourselves against governments, which are becoming more and more nosy.

Hushmail

(more…)