Archive for November, 2009

Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place. Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times. But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.” Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password. This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure. It goes on to give them a link and asks for 5 euros in order to secure the phone. This has been sighted on relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer. I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers. The company is supplying and configuring the device; the responsibility (and the power) to secure the routers is theirs and theirs alone. The user has no ability to make changes and, in most cases, probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.


Nov 02 2009

The Reality Behind Facebook Ads

Michael Arrington sure knows how to stir up a crap storm. Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace. I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes. I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace. Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do. I wonder if this sort of ecology isn’t exactly why Twitter has never allowed ads?

Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out. He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition. I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward. And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop altogether.

One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source. Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu. That is one of the things Facebook has been the leader in providing since its inception. Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’. Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook and even fewer read it whenever it’s updated.

It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google AdSense could for the same ads. Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement. The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards. In other words, they don’t actually buy things that ads are selling. But there are three things that don’t cost end-users money that they’re willing to accept: toolbars, supplying an email address or supplying their phone number. Toolbars are egregious because they are often nothing more than conduits for spyware. An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook. The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly bill that you might not even realize you have tacked onto your phone. After all, how many people actually check their phone bills that often?

The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made. They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening. But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run. Users aren’t stupid; they realize the ads are often scams, and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads. Soon Facebook will have to decide if they want to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools.
