One reaction is to diversify: Hotmail instead of Gmail, MapQuest instead of Google Maps, AOL Instant Messenger instead of Google Chat ’ though that would mean losing the accumulated benefits of linked services. Another reasonable response is to focus efforts on improving our (new) media literacy so that we’re more mindful of how much even free stuff can still cost. If we don’t force ourselves to be aware of those trade-offs, we risk stumbling into an increasing dependence on yet one more company that’s too big to fail.

From Google Everywhere by Nancy Scola in The American Prospect.

Google pretty much runs my life right now, and considering this recent Buzz fuck-up, I’m not okay with that. Facebook’s handling of privacy and user data issues are precisely why I avoid it. Now that Google is trying to out Facebook Facebook, I might go in the same direction.

Trading privacy for convenience is not something I oppose. Hell, Amazon has an 11 year search and purchase history on me and does a pretty effective job of getting me to buy more stuff because of it.

I had few problems with GMail at first because the targeted advertising is automated. But I am not a fan of articulating every social connection I have in public. Yes I am on Twitter, but it is a mostly a mix of people I know, people I sort of know, and people I don’t know at all. My email connections are different because they contain information about connections to people that I have not otherwise articulated in public and connections that are very loose. That’s Buzz’ fatal flaw as far as I am concerned: it assumes a lot of things. Sometimes that’s good because it assumes incorrectly — it obfuscates. And sometimes that’s very bad.

That Google made Buzz opt-out shows either stupidity, callousness, or arrogance. Not cool with any of the above. It’s encouraging that they’ve since made it easy to opt out. But I think the original decision is a sign of the decision-making culture at Google. My advice is to use Google services carefully.

However, making such a sweeping change to a fundamental user interaction could present serious problems. Consider some contexts in which a password might need to be entered in front of a large group of people, such as while using a conference room projector. And many years of web experience have set user expectations on how form elements should work. People understood that password masking was invented for their security. Failing to meet that expectation might undermine confidence, and we cannot afford to lose our users’ trust.

I agree with Nielsen here, and suggest that if you need to enter a password while using a conference room projector, you should have logged-in before your presentation.

Password masking prevents users from making sure the password is correct before sending it to the server. If you, like you should and I do, pick long, hard-to-guess passwords, an unknown mistype can be a source of frustration.

Password masking also provides a false sense of security, particularly on unencrypted connections. Sure it prevents a person peeking over your shoulder. But it doesn’t stop her from watching you type it on a keyboard. Nor does it stop someone from intercepting it with a packet sniffer if the password is sent as plain text.

In other words: password masking is a bad convention.

So what’s the answer? Password unmasking — a toggle that allows users to choose whether or not to show the password. It’s a fairly recent convention that’s become widely used for WiFi set-up screens. Jeremy Keith described one method of password masking last summer. Mullican covers a similar technique in his A List Apart piece.

News of a vulnerability in the Snoopy open source PHP library has surfaced. WordPress uses the Snoopy library to power feeds in administration section’s Dashboard.

A fix — WordPress 2.6.3 — was released today. You can download the entire package, or just download the two affected files and upload them to your server.

I like to think that I am an above-average user of technology by American standards. And yet, if I am overwhelmed by the sheer knowledge of networks, software and hardware that is becoming required in our digital age, what implications does this have for the less savvy, if not downright technophobic among us?

And from a social justice and social control perspective: Who keeps the keys, who can get them, what rules do we draw about using them, and hell, could we even enforce those rules anyway?

The sheer powerlessness we all have compared to this faceless, mindless, multi-headed, and inherently ethics-free technical beast¹ has me feeling disenfranchised, disenchanted, disaffected, and discombobulated by it all.

Join me in my mood, won’t you? Here’s what I’ve read recently(-ish) that has me wanting to move to some remote, uninhabited, no-tech island.

Malwebolence

The New York Times Magazine looks at the culture of internet trolls and online harassment. A few paragraphs seem like a crock of bullsh*t from a movie script somewhere. And yet, maybe it was real and knowing or not knowing is part of the point.

Everyware: The dawning age of ubiquitous computing

Adam Greenfield’s look at the ethical, social and moral issues surrounding pervasive and ubiquitous computing. My main thought while reading this was “Where are we going to find the energy for this always-on network of interlinked technologies and at what economic and environmental cost?” I had more thoughts that focused on the social justice implications of ubicomp too, but the sustainability concern loomed largest.

Electronic Frontier Foundation’s Test Your ISP

Our aim is to ensure that the Internet community has the tools and organization to quickly recognize when ISPs engage in interference or protocol discrimination in the future.

Travelers’ Laptops May Be Detained At Border

Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Of interest? Truecrypt

A People’s History of the United States: 1492 to Present

A look at the history of the United States in a way that centers the experiences of non-rich, non-capitalist, non-white, non-Christian and/or non-male people. This book really changed my perspective on what it means to be a citizen of the United States and the steady stream of propaganda we’re fed, even by “liberal” media outlets.

Your Privacy Is An Illusion: Privacy advocates nearly publish guide to carjacking Google executive

Well, it is an illusion, particularly as technology becomes more pervasive and more entrenched in our lives.² The comments are particularly fun.

OSS voices must be heard in national security debate

A FASCINATING review of Christine Peterson’′s OSCON 2008 presentation / opinion piece by Ryan Paul of Ars Technica on the role of open source developers and the security of our technical infrastructure. Resistance, however, is not enough. In order to overcome such challenges, technology enthusiasts must find better ways to address the underlying problems that seemingly necessitate the faulty solutions.

Objection

Firefox extension for deleting Flash’s Local Shared Objects or “Flash Cookies.” Did you know Flash stored those? And that merely deleting your cookies doesn’t delete this data? And how many web sites do you visit every day that serve rich media ads? Yeah. Install this one.

Possibly related

• Who do you trust more: Corporations or Government?
• Yahoo! Mash: an interesting exercise in trust and control
• Why I went private on Twitter
• Recommended: “SNS visibility norms (a response to Scoble)”
• Ethics, friendships and Flickr (or “Why I don”t drink around some folks”)
• Recommended: Jeremy Keith’s “Lock up your data”
• Is Google evil?

¹ Yes, I realize that computers can only do what we tell them to do. But as anyone who uses technology knows, engineers, designers, and developers have a mediocre track record with regards to the ethical, moral, social, privacy, and security concerns of the technology they (we) build. And with any technology, people will use it in unexpected, even malevolent ways.

² Honestly, whatever notion of privacy that existed in a pre-tech world really hinges on obscurity and the footwork someone is willing to put in. Birth records? Property records? Tax returns? Your friends, enemies, and associates? It’s all there for the aggregating.

The obvious question is ‘How much should you trust code from strangers?’ And can this be done in a safe(-ish), secure(-ish) way?

Possibly related: Cross-domain Ajax links and Access Control for Cross-site Requests (implemented in Firefox 3)

It’s an inventive use of your user’s browser history, though I suspect it could potentially be used — in combination with cookies and logins — to detect which of your users are also regular porn surfers.

With that little bit of fearmongering out of the way, I’ll direct you to two Firefox extensions designed to stop such nosy coding (found in the comments on Niall’s post:

• SafeHistory
• SafeCache

OS X comes with its own encryption feature known as FileVault. But in my experience, FileVault can cause some performance issues. If you don’t regularly log out of your machine, you may find yourself running out of hard-drive space faster than you should. Recovering that space is easy, but can take half an hour or more in some cases.

TrueCrypt avoids FileVault’s disk space issue by giving you the option to encrypt your data one file at a time. [Via Lifehacker]

Yeah, as I type this, I’m getting hit with an attack. I’m not precisely sure of the motive. I just know that there are two directories on my server that should not be there and the attack appears to be coming through a specific URL. It’s been happening for several days nowIt just started today, according to my server logs, and the attacker is using / attempting to use PHP functions that interact with the shell.

He was also able to grab a whole bunch of data about my server as you can see from the above-linked code. I have my suspicions about how it is getting through, but nothing I can prove just yet. I’m going to look into it and see what I can come up with.

In the meantime, I’m just going to ask nicely that he (assuming this is a guy) please, please stop, and don’t mess up any of my stuff while visiting.

And please take steps to disable certain system-affecting functions in your php.ini file (if you have access).

UPDATE: This crack appears to involve a ShellBOT as well.

UPDATE 2: ShellBOTs are bad. Apparently they open a connection to an IRC server allowing all kinds of nasty things to happen. So hoping nothing serious was compromised.

UPDATE 3: Interesting to know: when working in the shell, your file name does not need to have the ‘proper‘ extension that it would on a web server in order to be executed.

Let’s say you have a plain text file named ‘hello.txt.’ It contains one line: <?php echo 'hello world';?>. In order for this file to run as a web page, it would need to have a .php (or whatever is designated in your server configuration file). But as a shell script, it could have just about any name and still be executed by typing ‘php hello.txt’ at the command line.

In this case, the attacker grabbed (or attempted to grab) a ShellBOT written in Perl from another server (file name b.txt) and execute it by sending the ‘perl b.txt’ after the wget command.

UPDATE 4: I’m pretty sure my suspicions have been confirmed. It seems that at least one other person has had an issue with WP Super Cache opening their server to attack. I suspected this early on, and deleted the plugin and its associated files. As an added measure, I disabled those functions that can execute system commands. So far, so good. I can’t say my server is now secure, but I’m hoping that hole has been filled.