The Virtual Handshake Blog
Posts in Chapter 16: Privacy & Safety

11/13/2008

Apparently, Phishing Isn’t Funny

A fascinating event occurred on Twitter today. In short, someone cracked a joke about a new third-party Twitter application. Someone else took it seriously and blogged about it on ZDNet, creating a wave of misplaced mass hysteria. Brian Ambrozy has the whole story in more detail, but I especially appreciated his Twitter-style summary:

  • Hay guys, Twitterank gives u a twit score. Mine is 110.23! Check it!
  • Looks like @brianoberkirch made a funneh. oops
  • Now Oliver Marks sez @brianoberkirch hacked twitter omgz
  • A MILLIONTY PEOPLE READ OLIVER MARKS AND RETWEETED IT
  • Everybody skurred nao

This does raise some interesting issues. For example, if you’re generally a highly credible source, as Brian Oberkirch is, do you have a responsibility to be so reliable that you can’t even crack a joke? I experienced this myself last year when an April Fool’s post I made was so believable that it was prompting calls to LinkedIn customer service (even though I said "April Fool’s" at the end of the post). I took a look around the web at some of the other pranksters (Google being one of the biggest), and wrote about it in April 2nd - The Day After. I still don’t know where the line is, but I certainly don’t think Brian crossed it.

The real problem is in the system that allowed a blogger who didn’t do any fact-checking with other sources to jump on the story under the loaned credibility of the ZDNet brand. It was an honest mistake, and well-intentioned, but it was magnified by being published under a trusted brand. As Shannon Whitley wrote:

Bloggers are not journalists in the professional sense of the word. It’s not only a misconception, but judging by how quickly erroneous information can spread, it’s a very dangerous idea. […] Amateurs can produce high-quality content and, in a particular area of expertise, can provide more depth on a subject. However, we should never kid ourselves that the amateurs have the same level of experience, nor do they support the same level of standards as the professional. Read carefully and watch those banners. You may see a professional logo at the top of the page, but that doesn’t mean the same level of trust can be transferred to the content beneath it. I think it’s time that organizations like CNN and ZDNet change the layout of their amateur sites. It’s too easy to mistake the work of an amateur for that of the professional and trusted journalist.

In general, I agree with Shannon. However, I do think he perhaps has some misplaced trust in those "professional" journalists. I have done dozens of interviews with journalists, and while some adhere to very high standards, others are frankly kind of lazy. I’ve been misquoted numerous times in ways that changed the meaning of what I said. I’ve seen stories that drew obviously wrong conclusions from the facts. I’ve seen factual errors in the stories I’ve been quoted in. Many of the journalists are freelance writers with no formal journalistic training. And on non-critical pieces, i.e., anything in any section other than "news", a lot of publications don’t do rigorous fact-checking. If it wouldn’t lead to a potential lawsuit, they don’t bother.

So while you may want to be a little extra-cautious if the author is designated as a "blogger" rather than a staff reporter, you need to take what the reporters say with a grain of salt as well. If you are going to make an important business or life decision based on the information, check your facts with multiple sources.

10/23/2006

MySpace Phishing, Spyware, Identity Theft

Let me say first off that I am, generally, a MySpace fan. I’m active on there, and my teenage son and my two older stepsons all have accounts.

But you’ve got to be careful on there. Last Thursday I spent the better part of a day cleaning off spyware and a Trojan virus from my son’s machine. I had some precautions in place, but obviously not enough. I won’t go into the whole story, but we’re about 98% sure that it came not directly from MySpace, but from the page of someone who sent my stepson a private message.

It was a particularly nasty virus, known as a keylogger, which records keystrokes from your computer and sends anything interesting — user names and passwords, credit card numbers, social security numbers, etc. — to a hacker somewhere who collects them, presumably for identity theft purposes.

Turns out there’s another little disturbing fact about MySpace that I was unaware of… it seems you don’t have to actually have a valid e-mail address to use MySpace. In fact, apparently you can register under someone else’s address, as Auren Hoffman writes about in Assuming an Identity on MySpace:

That’s right … I can sign up on MySpace under your email address and assume your identity. MySpace does send an email to verify the email address – but you do not have to click on the verification email to use MySpace. You can still do everything on MySpace you’d always do – like creating an account, adding pictures, adding friends, and generally being active on MySpace. You can assume anyone’s identity on the number one site in America. But this is only if that email address was not used to sign up for an account.

He goes on to note that many people will just ignore the verification e-mail from MySpace, thinking that it’s not a valid one - perhaps a phishing scam - since they didn’t sign up themselves. If they ignore it, though, then someone else now has a MySpace account in not only their name, but their e-mail address as well.

The danger? Auren explains:

Though this can be fun and tame … like me signing up as Clark Kent @ superman.com … it can also be used for malicious purposes. Someone can assume another person’s identity, get people to trust them, and be fooled when that person goes to verify their email address in MySpace (which is the only way to verify someone today).

So what can you do to protect yourself?

First, install good anti-virus and anti-spyware software. If you’d rather pay for this, you’re welcome to, but there are some excellent free solutions out there. I have tried most of them, and the ones that in my experience consistently find and fix things the others can’t are AVG Anti-Virus and Anti-Spyware.

Beyond that, MySpace offers some safety tips, but they fall way short. At the other end of the spectrum, I think some of the parent-oriented sites and privacy-advocate sites go a little overboard. I recommend Rock Safe from MyCityRocks, which offers practical and realistic guidelines to help users of social networking software protect their identity and participate safely.

Finally, download a free copy of The Virtual Handshake and read Chapter 16 on Privacy & Safety.

Have fun, be safe, and feel free to stop by and connect with me on MySpace.

8/18/2006

The Presentation of Self in the Information Age

http://hbswk.hbs.edu/item/5435.html

by John Deighton

Executive Summary:

In the past, we knew a lot about the seller of a product (through ads, marketing, or reputation) but little about the individual buyer. Times have changed. From the Internet to store loyalty cards, technology has made the marketplace into an interactive exchange where the buyer is no longer anonymous. The future market will likely be one in which personal information is shared and leveraged. Consumers who are willing to share their information will be more attractive to sellers and more sought-after than those who have bad reputations or refuse to participate. Key concepts include:

* Consumers will play an increasingly leveraged role in the marketplace by “branding” themselves and sharing personal information with sellers.
* Technology is making the idea of consumer branding a reality, but it is unclear how personal information will be used in the marketplace, or which uses will be the most beneficial to both buyers and sellers.
* Look deeper into loyalty programs for the societal and commercial, and positive and negative effects of sharing personal information in the marketplace.


3/10/2006

I Have Been Joe Jobbed - Need Your Help

It seems that an evil spammer (who shall remain nameless pending further investigation) has developed a personal vendetta against me and is maliciously trying to smear my reputation by posting bogus blog comment spam in my name (and my wife’s - that bastard!), linking to this site, my About.com site (entrepreneurs.about.com), and another domain I use just for e-mail.

This is a blog variation on a tactic employed by email spammers called a Joe job, “an incident of spamming designed to tarnish the reputation of an innocent third party.” (Wikipedia) While this tactic has been around for at least ten years, its application in blog comment spamming is new and presents a whole new set of issues in identifying the perpetrator and fighting it.

If you don’t want to read the whole story…
Click here if you have received one of these spam messages
Click here if you’d like to help me keep my name clear and stop this perpetrator

The posts are that genre of innocuous spam that doesn’t actually say enough to trip off the spam filters. Here are a couple of examples:

Posted on kcyap.com/wordpress-16-theme-design-competition:

Comment by Scott Allen

Hi. I’ve got some really good stuff for download at my site at http://snipurl.com/tvhamazon.
Not to be boasting or anything, but I am the coauthor of this little gem. Come on by and have a look.
BTW, your blog is just okay.

Posted on www.simonwaldman.net/2005/12/30/these-are-a-few:

Scott 512-215-9720 Says:

Hi. I’ve got some really good stuff for download at my site at
http://www.thevirtualhandshake.com/ Come on by and have a look.
BTW, your blog is great.

To anyone even remotely familiar with my work, it’s obvious that this is totally antithetical to everything I teach, everything I believe in, and couldn’t possibly be from me. But I’m not a household name to the vast majority of bloggers out there, so to someone who’s never heard of me, this is incredibly damaging to my reputation, to the book, and to my co-author David Teten by implication. In fact, I first learned this was occurring from a blogger who sent me a message saying:

Hi. I’ve got some really good spam on my blog from you - I really appreciated it. Thanks for visiting, I’m sorry your last name is “512-215-9720”

Does your book really sell that badly that you must spam blogs for more attention?

Never having visited their blog, I was shocked, to say the least. I can’t say that I blame them. Comment spam pisses me off too.

So how did this all start? I wrote to a comment spammer asking them to stop and telling them I was going to expose their site publicly as engaging in spam marketing if they continued.

So how do I know they’re the ones behind this?

  1. The fake posts started within minutes after sending that message.
  2. The site that was doing the spamming has comments right next to the fake comments in my name on all the same sites. Talk about a smoking gun!
  3. Other evidence I can’t disclose at this time.

What I’m Doing About This

I’m not an expert on spamming, or internet security, etc. But fortunately, a lot of really smart people in my network are. I’m not a lawyer, but a lot of smart people in my network are. I’m a bit of a PR expert, but I haven’t really ever had to deal with a smear campaign like this. Fortunately, some really smart people in my network have.

I turned to that network of really smart people that I’ve built up over the past few years and asked for advice. While there were certainly some differences of opinion, there were a few things that stood out as consistent advice, all of which I’m following.

  1. I’ve reported this to the FBI as a case of identity theft and fraud.
  2. I’ve reported it to About.com’s legal department, since they are now implicated by the impersonator linking to my site at About.
  3. I’m going on a counter-PR campaign to make sure my name stays clear and that this person is caught and prosecuted. This is what the vast majority of the people who gave me advice said to do. The legal process will be long and arduous. Counter-publicity is the only way that I can immediately combat the damage this person is doing to me right now.

I would never have wished for this. It’s going to be a pain in the rear to monitor this, collect the evidence, and take appropriate action. It creates a lot of work for me, and will damage my reputation with those people who never hear about this and just assume that I’m a spammer.

But ironically, in the process of trying to create negative publicity, this whole fiasco will probably end up generating far more positive publicity for me. As a result of my posting on one list, I ended up doing a full-hour interview on The David Lawrence Show last night. You can listen to the whole thing for just a quarter, or to the 10-minute podcast for free. Thanks, David!

How You Can Help

If you have received one of these bogus comments in my or my wife’s name (Jayne), please do the following:

  1. Leave it up until I can capture a screen shot as evidence.
  2. Make a note of the raw IP address.
  3. If you can, please make a note of any other comment spam from the same IP address. This is particularly important.
  4. Contact me with the information.
  5. Once I’ve confirmed back to you that I’ve got the screenshot, delete the comment.

If you would like to support me in helping keep my name clear and catch this perpetrator:

  1. Please post about it in your blog and link back to this post.
  2. If you see fake comments in my name like the ones above, please contact me with the URL so I can gather evidence and contact the blog owner.

Thanks for your understanding and support. I don’t know what I’d do without the support of the network I’ve built in the past few years — yet again another lesson in the importance of building a diverse and powerful network.

5/14/2005

WiPhishing - phishing to wireless LAN users

From Mobile Pipeline, via Arieanna Foley:

Basically, the new phishing model will start with a log-in page for a public WiFi network. What you’d expect at any hotspot, really. …
Without realizing it, the user will enter personal information to the logon page, whereupon the hacker will proceed to put 45 or so viruses onto the computer.

The attack is specifically targeted at business people - it will typically take place at a tradeshow, airport or conference.

What can you do? Use a firewall. Use only those websites that have SSL security (watch for the logo and click on it). Try to use a VPN (virtual private network). Don’t stay connected to the wireless network if you don’t need to be.

9/22/2004

Lawmakers OK Video Voyeurism Privacy Bill

The growth in cellphone cameras allows for more illegal video voyeurism.

This is the law of unintended consequences in action…

8/11/2004

Remembering passwords

When you actively participate in a lot of different online communities, what are you supposed to do about passwords?

Sure, many people just use the “remember me” option and then forget about it. Inevitably, though, you eventually delete your cookies (or your browser loses track of them on its own — it’s happened to me), and then can’t remember your password.

Sure, you can use the password reminder function. But a) it’s a hassle, and b) that’s assuming you can remember what email address you used to register for that site.

So many people opt for just using the same password everywhere. Bad idea. One hacker gets your password from one insufficiently secure site, and next thing you know, they’ve got access into your accounts everywhere.

Here’s my solution… I use a relatively simple algorithm for creating a password that’s based on the name of the site. It’s easy enough for me to figure out in my head, but obscure enough that your typical hacker won’t guess it. Maybe a professional cryptographer would, or someone who’s really, really persistent, but the point is just to encourage them to simply move on to someone else once they realize you don’t use the same password everywhere.

I’m not, of course, going to tell you my particular algorithm, but I’ll give you an example one on which you can base your own.

1. Pick any word, or even a nonsensical series, of 4-6 letters. We’ll use “snrgl”.
2. Look at the third letter of the domain name. Let’s say you’re doing this for Yahoo Groups, so we’ll use “h”.
3. Figure the numerical value of that letter in the alphabet. “h”=8
4. Tack that onto the end of your word. “snrgl8”
5. Now, pick a 4 or 5 digit number — NOT part of your social security number, and preferably something that people won’t obviously see the connection to. I’ll use the address of my childhood home: “2303”
6. Insert your result from step 4 into the number of step 5 as follows: if the domain is .com, add it after the first digit; .net, the second; .org or anything else, the third. This gives us “2snrgl8303”.

Your typical hacker is going to go try that on another site or two, see that it doesn’t work, take one look to see if there’s an obvious pattern, and then give up. Remember, they don’t have a series of passwords to try to derive the pattern from. And based on just one instance, it’s nearly impossible to derive the pattern. It will help keep you safe, and it will certainly make your life easier if and when you need those passwords.
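The six steps above carried out in code, as an added example that is not from the original post. It uses the post’s own seed values (“snrgl” and “2303”) and assumes, where the post is silent, that the “domain name” of step 2 is the label just left of the top-level domain (so groups.yahoo.com yields “yahoo”) and that letters are matched case-insensitively.

```python
"""Site-specific password recipe from the post, implemented step by step.

Assumptions not stated in the post: the label immediately left of the TLD
is the "domain name" whose third letter is used, and case is ignored.
"""

SEED_WORD = "snrgl"    # step 1: the post's 4-6 letter word
SEED_NUMBER = "2303"   # step 5: the post's 4-5 digit number

# step 6: the digit after which the word is inserted, chosen by TLD
INSERT_AFTER = {"com": 1, "net": 2}
DEFAULT_INSERT_AFTER = 3  # .org and anything else


def site_label(host: str) -> tuple[str, str]:
    """Split a hostname into (registrable label, tld).

    Assumption: e.g. "groups.yahoo.com" -> ("yahoo", "com").
    """
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"need at least label.tld, got {host!r}")
    return parts[-2], parts[-1]


def letter_value(ch: str) -> int:
    """Step 3: position of a letter in the alphabet, a=1 ... z=26."""
    if not (ch.isascii() and ch.isalpha()):
        raise ValueError(f"step 2 needs a letter, got {ch!r}")
    return ord(ch.lower()) - ord("a") + 1


def derive_password(host: str, word: str = SEED_WORD, number: str = SEED_NUMBER) -> str:
    """Steps 2-6: build the per-site password for the given hostname."""
    label, tld = site_label(host)
    if len(label) < 3:
        raise ValueError(f"label {label!r} has no third letter")
    value = letter_value(label[2])                     # steps 2 and 3
    stem = f"{word}{value}"                            # step 4
    pos = INSERT_AFTER.get(tld, DEFAULT_INSERT_AFTER)  # step 6
    if pos > len(number):
        raise ValueError("seed number is too short for the insert position")
    return number[:pos] + stem + number[pos:]


if __name__ == "__main__":
    # The post's worked case plus a .net and a .org site to show the TLD rule.
    for site in ("groups.yahoo.com", "example.net", "wikipedia.org"):
        print(f"{site:18} -> {derive_password(site)}")
```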

7/13/2004

How to visit sites without sharing your real data

Many websites, particularly media sites, now require registration, usually to gather demographic data about users. If for any reason you don’t want to register but still want to view the site, go to www.bugmenot.com, which offers valid logins and passwords for hundreds, perhaps thousands, of sites.

Via Lee Dembart via Kevin Kelly’s “Cool Tools”

6/4/2004

What price privacy?

I’m all for privacy rights. I’m all for sites having a privacy policy. But the new California Online Privacy Protection Act of 2003 is a really, really bad idea.

Why? Because no one seems to have even considered any of the negative consequences, or what a slippery slope we start down when we start letting states regulate internet commerce.

In short, this California law, which goes into effect July 1, requires any web site owners, regardless of their location, to have a conspicuously posted privacy policy that meets certain requirements, if they collect any personal data from residents of California.

This is just dumbfounding to me. The policy requirements are reasonable enough, I suppose, but it will take me, a pretty technically and legally savvy person, a good four hours to have read and reviewed the requirements and implement them. Figure the typical web site owner will have to spend at least that. Multiply that by a few hundred thousand websites, and California has just cost small entrepreneurs across the country tens of millions of dollars in either lost productivity or real expense to outsource the compliance.

Now, here’s where we start to slide down that slippery slope: New York, New Jersey, and several other states have similar (but not identical) laws under consideration. Now imagine multiplying that few hours by 10 or 20 or 50 states that pass such legislation. The cost to web site operators could be in the billions. To the big sites, it’s a drop in the bucket, and most of them already have compliant policies in place. It’s the individual owner/operators who are just trying to build a simple mailing list who will be the hardest hit. The cost of doing business on the web has just jumped an order of magnitude for small sites.

Most astonishing to me is that there has been almost no coverage of this topic, and no critical dialog. A search on Google turns up about 170 entries. For a legal precedent of this magnitude, affecting hundreds of thousands of site owners and millions of users, that’s frightening. And the only objection to the law so far seems to have been from the financial sites who have been selling this information and the direct marketing companies who’ve been buying it.

I love my friends and customers in California, but tell your legislature to go mind their own business and quit playing internet cop. This needs to be a federal or, better yet, international matter. It’s like one beach trying to tell the ocean what to do. I’ll put this site in compliance, but it’s under protest, not because I oppose privacy, but because I oppose state-level regulation of the internet. This is a dangerous precedent.

For more details on the law, its history, and a look at the pros and cons, see my California Online Privacy Protection Act of 2003 Issue Page at About.com.

3/23/2004

Blog survey results on expectations of privacy and accountability

MIT doctoral candidate Fernanda Viégas just posted the summary of her findings in her blog survey on expectations of privacy and accountability. Among the key findings with a few of my comments interspersed, particularly regarding blogging in a business context:

- the great majority of bloggers identify themselves on their sites: 55% of respondents provide their real names on their blogs; another 20% provide some variant of the real name (first name only, first name and initial of surname, a pseudonym friends would know, etc.)

Of course, in a business context, anonymity doesn’t really serve you very well.

- 76% of bloggers do not limit access (i.e. readership) to their entries in any way

I know of a couple of business bloggers who limit access to their blog, or even charge for their content. It all depends on your purpose for your blog. If you’re trying to build visibility, it doesn’t make much sense. If you’re trying to create an air of exclusivity—an inner circle—then it makes a lot of sense.

- 36% of respondents have gotten in trouble because of things they have written on their blogs

- 34% of respondents know other bloggers who have gotten in trouble with family and friends

- 12% of respondents know other bloggers who have gotten in legal or professional problems because of things they wrote on their blogs

- when blogging about people they know personally: 66% of respondents almost never asked permission to do so; whereas, only 9% said they never blogged about people they knew personally.

- 83% of respondents characterized their entries as personal ramblings whereas 20% said they mostly publish lists of useful/interesting links (respondents could check multiple options for this answer). This indicates that the nature of blogs might be changing from being mostly lists of links to becoming sites that contain more personal stories and commentaries.

I don’t think it’s that so much as just a semantic issue. The distinction between blogs and diaries/journals has grayed, “blogging” has had more media attention, and a lot of people who a few years ago would have called themselves journallers/diarists now refer to themselves as bloggers.

- the frequency with which a blogger writes highly personal things is positively and significantly correlated to how often they get in trouble because of their postings; (r = 0.3, p < 0.01); generally speaking, people have gotten in trouble both with friends and family as well as employers.

I find this fact very interesting, even if it’s intuitively obvious. Definitely a lesson there.

- there is no correlation between how often a blogger writes about highly personal things and how concerned they are about the persistence of their entries

- checking one’s access log files isn’t correlated to how well a blogger feels they know their audience

- despite believing that they are liable for what they publish online (58% of respondents believed they were highly liable), in general, bloggers do not believe people could sue them for what they have written on their blogs.

Again, this is just a summary of her findings. I highly recommend reading the whole report.
