OK, off my soap box – for a second, anyway. One of the measures I’ve put in place to deal with such nuisances is to implement blacklisting by user agent in htaccess files. It’s not the most effective way in the world to deal with bad-behaved bots, but it’s quick, easy, and deals with a large majority (80%+) of the spammers and script kiddies – the ones who aren’t smart or skilled enough to write their own bots, or to even change the user agent name to one that hasn’t been seen a gazillion times.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

This particular agent string – as I write this – is #16 on this list, as well as this one. In going through 2 1/2 years of logs from my old hosting, it’s apparent that no legitimate use of this agent string has ever been seen on any of the sites I manage, and obviously, it’s been caught in honey pots for years as well. The decision to blacklist this user agent was one of the easier ones to make. This particular rule has already stopped four bots (a lot for my sites!) in the first two days it was in use, including these two entries from the server logs:

174.143.89.144 - - [29/Jan/2012:17:12:41 -0500] "GET / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
174.143.89.144 - - [30/Jan/2012:17:43:07 -0500] "GET / HTTP/1.1" 403 380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

A whois query shows that this address resolves to the BBB:

Council of Better Business Bureaus RSPC-1244493612054045 (NET-174-143-89-128-1) 174.143.89.128 - 174.143.89.159

I was aware that the BBB was running a bot that checked in on one of the sites I administer once a day, but I never gave much thought to the user agent this bot identifies itself with. What makes this interesting is that I remembered seeing that the BBB was a supporter the various “anti-piracy” measures in Congress. After doing a little searching, I found these two letters from the BBB to various members of Congress stating the BBB’s support of the SOPA and PROTECTIP bills. They are all generic form letters, with the name of the legislative bill and the congress critter’s names being changed as appropriate. However, the BBB did publish these to the world, and this is their official stance, so deconstructing what they say – especially in light of this bot – is only fair.

Rogue websites are often designed to deceive consumers into believing they are legitimate by misappropriating trademarks from respected businesses and entities – including the BBB – to foster trust with those who visit the sites.

Speaking of deceptions, why doesn’t the BBB label their bot as a bot that belongs to the BBB? What do they have to hide? As well, in faking this user agent, BBB has misappropriated and violated the Mozilla trademark, as well as several Microsoft trademarks. People in glass houses.

Moreover, consumers who share sensitive personal and financial information with these sites are also exposed to an increased risk of falling victim to other malicious online activity such as phishing scams, identity theft, or viruses.

In addition to jeopardizing consumer safety and protection, rogue websites impact the health of our national, state and local economies. According to a 2007 report for the Institute of Policy Innovation, copyright theft costs the U.S. economy more than 373,000 jobs that would otherwise have been created, as well as $58 billion in economic output and $3 billion in federal, state, and local tax revenues.

Scams such as these are already illegal. Is it really so difficult to understand that if the current laws aren’t enforced, further legislation isn’t going to make a difference? Apparently it is, since these fallacies are peddled by every shill expressing their support for these kinds of “solutions.” 373,000 jobs and $58 billion in economic output? And we’re supposed to believe those incredible numbers, with nothing more than a reference to an unnamed and unsourced report?!?

More importantly, the BBB is dreaming of a world they aren’t willing to work to make happen – at least not anything beyond lobbying efforts. Their bot only adds to the immense and wasteful noise caused by other bots. Some of those bots are used by site scrapers, who in turn create the rogue websites the BBB is complaining about. In short, the BBB is a part of the problem they’re demanding legislation to deal with.

In any case, since I’m sick of dealing with all the noise that comes from that particular agent string, it will remain blacklisted. If the BBB wants to check that this particular client’s site is up or whatever the hell they do, they can damned well pay a human (preferably in the USA instead of Canada) to manually check it every day. Or they can stop their deception and rename it to something that accurately identifies itself as belonging to the BBB – as well as programming it to follow directives in robots.txt. Organizations like the BBB, RIAA, MPAA, and the US Chamber of Commerce need to either start acting with the moral standards they are demanding of the rest of the world, or shut the fuck up.

Some settings are changing with the recent updates to Facebook privacy, but Facebook’s commitment to providing you control over your information is not. Here’s a summary of what’s changing:

Providing me control over my info…Well, let’s just see, shall we?

• The Privacy page has been simplified, and in that process, some settings have been consolidated. For security reasons, you will now be required to enter your password if you’d like to update your privacy settings.

Huh. Simplified & consolidated – nice way to say “we rearranged the screen and got rid of some of those peskier settings.” And what security reason could justify entering my password to update my privacy settings? If someone has hacked my account that shouldn’t be messing with those settings, then they already have my password! Entering my password a second time does nothing to enhance my security or privacy – and it’s arguably worse without strong encryption being used.

• A privacy control has been added to the publisher at the top of your home and profile page. This allows you to set privacy on individual posts. For example, you could post a status to Everyone or only to Friends. Learn more on the Publisher help page.

OK, even this curmudgeon has to admit this is a good thing.

• Instead of having networks for regions (eg., Australia or New York City), people’s locations are now listed in the “Current City” or “Current Region” field of their profiles. This means if you use the “Friends and Networks” privacy setting, the networks part only applies to work and school networks.

What’s this have to do with security or privacy? Read on…

• A basic set of information is publicly available, meaning it’s visible to anyone that’s able to navigate to your profile, applications you use on Facebook, and websites you connect with via Facebook. This information includes your name, profile picture, gender, current city, networks, friend list, and Pages. Any additional information (eg., photos or videos) will only be exposed if your privacy settings allow it.

This is where facebook is screwing the pooch. By providing all this information publicly, a hell of a profile can be built about any given person. This is a paradise for spammers, scammers, stalkers, and sickos. It’s a tyrannical government’s new tool. It’s a pedophile’s wet dream. And it’s a nightmare for anyone who desires or needs privacy.

Keep in mind that anyone who navigates to your profile will be able to view your publicly available information and information you’ve made visible to Everyone. While you do have the option to hide your Friend List from being visible on your profile, it will be available to applications you use and websites you connect with using Facebook. In addition, your profile picture appears in places you make comments and posts. You can always change your current profile picture or lower your search visibility if you choose.

Oh, yeah, the application gap. It amazes me the amount of info an application can get not just about me, but about my friends. Yes, the API documentation mentions what personal information you’re not supposed to retain about your users, but there’s no system security behind that API to enforce it. Oh, sure, there are the various agreements for facebook developers – but the honor system does no good when facebook does nothing to enforce those agreements. In reality, the more money an application makes, the more ad revenue facebook is getting a cut of – and the less likely they are to do anything about it. So the worst offenders (Zynga, for example) make millions scamming people. It’s only a matter of time before someone sells all the info they’ve mined out of facebook profiles. Maybe that’s why zynga is using iesnare, and maybe that’s why I haven’t heard a peep from facebook since I filed a privacy violation about that issue.

The pages and friendlist are the two most egregious violations of privacy. You can build a fairly good picture of, for example, a person’s political affiliations, religious beliefs, and sexual tendencies, by examining their pages. Why does this need to be public? I used to be able to selectively show that to whoever I wanted or to nobody at all. Same deal with the friendlist – I could customize who would see that (and had it set to only the people I really knew in real life and trusted) – now it’s an all-or-nothing setting. The setting to hide your friendlist from your profile doesn’t even do a thing to ensure the privacy of that. For example, if you’re logged onto facebook, take a look at Mark Zuckerberg’s profile, and you’ll see he has hidden his friendlist from his public profile. However, by appending anybody’s facebook account id or account name to the end of www.facebook.com/friends/?id=, you can see their entire friend’s list, regardless of their privacy settings – this is Zuckerberg’s friend list, which I’m sure he won’t mind being shared like this since that base url is hardly a secret, and the same info can be gotten by platform applications and Connect sites.

Publicly available information includes your name, profile picture, gender, current city, networks, friend list, and Pages. This information makes it easier for friends, family, and other people you know to connect with you.

No, it makes facebook more like twitter, publicizes more of everyone’s info – especially when the search engines start crawling publicly enhanced profiles and putting together their own social graphs – and frankly only makes it easier for more people to connect with me who I don’t want to hear from at all. In reality, despite the way this change has been spun by facebook, I have less control over my information with this change.