I admit, I laughed: LulzSec as popular as orgasms?

Unless you've been ignoring the news for the past few weeks, you've probably seen mention of LulzSec, and if you're a security person you've probably seen this article about Why [security folk] secretly love LulzSec. The short version is that they're the latest hacker gang, and rather than profit or social justice, they're just in it for the lulz. They're really making the state of computer security more obvious to the layperson:

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

While I often joke that web security is an oxymoron, they demonstrate it in the funniest ways they can find. As a web security researcher, I have to admit that their antics often make me laugh... and kinda make me wish I was allowed to use stolen data for research -- all those passwords! Data was always hard to come by when I did my spam immune system work so that much just makes me salivate a little, even if I'm pretty sure our ethics committee wouldn't let me touch it. And it's not like I do authentication research. But still! Data! I hope someone's doing cool things with it.

But here's a bit of meta-lulz: LulzSec scam discovered on Facebook - but it's not what you think. The excellent Graham Cluley discovers a Facebook scam that purports to have a picture of a LulzSec suspect, and then he sleuths out that the pixelated bait picture is, in fact, of another hacker arrested in 2008.

This means that LulzSec is apparently now so newsworthy that potential pictures of them can be used as bait for Facebook scams. They're up there with Obama, celebrity sex tapes and the ever-popular dislike button.

I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as orgasms... at least when it comes to scam bait.

And to end with more lulz, here's my favourite LulzSec tweet of today, which came in the midst of explaining what they had and hadn't actually hacked as the media attributes everything and anything to them:

News: Facebook still going to share your address/phone # with external sites

Old Facebook home page
by Terriko.

Over a month ago, I wrote Facebook now enabling annoying phone calls and paper junk mail? and shortly thereafter they pulled the plan.

But it sounds like it's back on the table, along with an updated privacy policy format.

Given that anyone can buy a targeted Facebook advertisement, is this going to lead to new levels of stalking and general harassment from "adveritisers" who think it's totally worth a few bucks to get the phone #s of all the women who they might find attractive in their metro area? Awkward.

As usual, I recommend not having private contact information available in Facebook for your own safety.

Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?

Some of my friends,
for your future hacking pleasure
by Terriko.

We've actually talked about this sort of thing considerably within my research group, so it's hardly a new idea, but it's still interesting because I hadn't heard of a large scale implementation of this before: Nevermind CAPTCHA, Facebook Asks If You Know Your Friends.

They're calling it "social authentication" where rather than reading obfuscated text as in a normal CAPTCHA, you're asked to identify friends.

"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," writes Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."

Of course, that's not true at all. For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.

I'm curious to see how well it works in practice, though. CAPTCHAs in their current "mangled text" form relied on assumptions about the ineffectiveness computer text recognition... assumptions that have been rapidly broken as determined attackers and researchers have improved our text recognition algorithms. (Nowadays, many captchas can be bypassed with a higher than 90% success rate. Here's a link to one such paper but a websearch will turn up many others.)

Friends in costume
by Terriko.

So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk. Facebook will lead to some great cases: What about when your friends are in costumes? Wearing different makeup? Different lighting? Different poses? Different hair?

Beyond the usual halloween costumes, my facebook friends include theatre geeks, haunted house aficionados, members of the 501st legion of Star Wars costumers and folk involved with things like the Society for Creative Anachronism. Will my friends' and acquaintances' penchant for elabourate costumes mean that I'm more secure? Or will it mean that I'll have more trouble identifying them in photos unless I've seen their standard costumes before?

Mostly I'm torn between excitement at new gains in image processing and a vague sense of unease when I contemplate the potential applications of better facial recognition software.

Zuckerberg... hacked?

There's an amusing story up on TechCrunch suggesting that Mark Zuckerberg's fan page may have been hacked.

Obviously, Zuckerberg didn’t actually write it. Or at least, we’re pretty sure he didn’t. Instead, it would appear that his fan page was hacked. Facebook has now taken down the page — but not before we grabbed a screenshot.

Honestly, these things happen. But what made the story actually funny to me was this tweet:

@snipeyhead Hah. FB is flagging the Tech Crunch article reporting on Zuckerberg's fan page hack as "abusive or spammy" http://twitpic.com/3thf68 #classy

Edit: More news on what happened according to Facebook: Facebook blames bug for Zuckerberg page hack

Facebook now enabling annoying phone calls and paper junk mail?

Drowning in Verizon junk mail
by Night-thing.

Sophos points out that Facebook has made yet another change to the way it handles your information: this time, allowing third-party developers access to contact information on Facebook.

Now, part of me wants to just shrug: it's always been technically possible for third party developers to get access to this information because of the current state of web security. It's long been true that anyone who can execute JavaScript in your browser on a site (e.g. every facebook app) can gain access to anything you can see. So if your friend installed FarmVille and you've allowed your friend to see your phone number, FarmVille can see your phone number (and the pictures of you in that horrible halloween costume, and that drunken post you made on your ex's wall...). And if you install FarmVille, they can even more easily glean your phone number and anything else on your profile. What Facebook's doing is in some ways good: they're helping to make this clear to users, and maybe even helping to track who is actually looking at and using that info.

But of course, most people aren't aware that this has always been possible, so they're suddenly envisioning FarmVille sending them paper brochures filled with new crop info, or phoning all their friends to ask why they haven't helped out on the farm lately. Maybe an automated call would help convince you to join the game and seek out that lost kitten?

And maybe those third party apps didn't realize they could do it either, and they're salivating over the extended marketing possibilities. Technically possible doesn't imply endorsed by Facebook the way putting the ability into the API does, so while getting this information might have been in the realm of sketchy scams before, now it's going to be considered a legitimate asset by more companies. After all, you consented when you installed the app. And remember, corporate assets do tend to be about making money, so don't assume they won't sell those lists.

So, while it was technically feasible before, maybe now is a good time to reconsider what data you keep within Facebook. And it's always a good time to re-evaluate which applications you have installed or will install. As always, I recommend that you don't leave anything on facebook you wouldn't want shared with the world, so now's a great time to delete your phone number and address from your facebook profile. And if you don't? Well, don't be too surprised when you start getting texts saying that someone needs help with their FarmVille crops.

Apathy or sensible risk evaluation: why don't people care about security?

Starbucks' Christmas Bokeh
by pierofix.

Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.

This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.

But is this shocking? To someone who cares about security, maybe. To someone who knows people? Less so.

Cormac Herley has an absolutely great paper entitled "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users"

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

So let's think a little bit about cookies and firesheep. One of the ways to be most safe is to browse using a VPN. For someone who already has one set up, this is pretty much a matter of toggling something on your computer: pretty low difficulty and less trouble than having your accounts hacked. You can see why many geeks think it's ridiculous that people wouldn't just secure their sites: even if you include time setting up the VPN, for many folk that's a task that falls under the heading of "something I meant to do anyhow" and isn't really perceived as costly.

But if you're not a computer-savvy person who has a server online to host a VPN, setting up a VPN can be stupidly costly. Maybe you'd have to replace your router with one that can handle it. Maybe you'd have to pay for hosting. Maybe you'd have to spend hours figuring out how to generate keys, or pay someone else to do that. Maybe just figuring out what you need to do at all is going to take hours. Quickly, the hours required seem worth more than the cost of having some stranger send you messages from your own facebook account, or maybe set your status message to something embarrassing.

Perhaps what we need to raise the costs of a security mishap is a little evil. It's actually easy to craft a firesheep-based attack that would raise the cost high enough to make VPN hunting (or just not using the Starbucks wireless) seem worthwhile to most people: Log into someone's account, delete all their status messages, notes and photos, defriend all their friends. Since there's no easy way to back up your facebook profile, the results would be devastating and partially unrecoverable: worth more than the pain of setting up a VPN or going without FB while in a coffee shop. It might be easier to litigate for theft/unauthorized access than it is to restore that profile, so I don't recommend any security vigilantes start doing this!

So I guess the take-home message here is that while it's worth trying to educate users so they can make smarter decisions, they're not necessarily being delusional or foolish when they just say "meh" and go on with their lives. If we want to make a really huge impact, we need security solutions that are so low-pain that there's no longer any rational reason to reject them.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Privacy is not a crime
by sunside.

This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.

It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.

Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.

Quick Hit: Firesheep

Mountain view with sheep
by Jule_Berlin.

By now, probably everyone's already heard of firesheep, the nice user-friendly way to use cookies to do session hijacking. Want to be logged in as someone else on Facebook? No problem.

It's nothing spectacular on a technical level, since it's been easy enough to use other people's cookies for quite some time, but it's a pretty impressive social hacking tool. It's making it clear to a lot of people (and media) that this is a real problem, and that it's an exploit anyone can do now.

I'm actually sort of surprised that I haven't seen this earlier: it used to be a bit of a game in the undergrad lounge to see what one could sniff off the network, with people using some tool whose name I've forgotten to show any images that came up from users surfing on the wireless. Hacking session cookies would have been a fun addition to our childish games -- and I'll bet plenty of college kids are using it for just that. Or for checking out their ex-boyfriends/girlfriends...

Privacy: Not just for people who are doing bad things

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can.  And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife."  Seriously?  I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide.  But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy.   I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.

A crash course in the social media equivalent of defensive driving

How can you stay safe and keep things private while still taking part in online life? I'm a web security researcher, so I get asked this fairly frequently.  And it's easy to see how people get overwhelmed by all the news stories, the marketing blurbs, and the constantly changing policies.

Why I'm not telling you to quit Facebook

Let's say you're worried about your risk of getting into a car accident.  Do you sell your car and refuse to get into any moving vehicle?  No.  Refusing to use a car might make you safer, but it would be quite isolating and, depending on where and how you live, very difficult.  Just like many people live without cars, you can live without social networking, but it there are some significant costs to refusing to participate.  Many people's need or desire to participate is much stronger that the risks they face.

If you're worried about car accidents, you've got other options to manage your risks than giving up your car.  You can learn to drive defensively.  You can make sure you wear your seatbelt.  You can learn about the safety ratings and use cars that perform better in safety tests.  You can refuse to drive places that are dangerous.

So what I'm hoping to do here is give you a crash course in the social media equivalent of defensive driving.

The web is not a safe place

When I learned to drive, my driving instructor often reminded me that I had to treat every car on the road as if it were being driven by a moron who might swerve into my lane at any time.   It might seem like a very negative point of view, but it's a very practical one that's helped me avoid accidents on numerous occasions simply because I was expecting it.

My blog is called Web Insecurity for a reason.  Nearly 2/3 of web pages currently have a serious vulnerability.  So that means no matter what the policy is, how careful you are, or how careful your friends are... there's a good chance you are going to view some code controlled by a bad guy, and they could get information about you that you don't want them to have.  It's often very easy to exploit these vulnerable parts of a website.  75% of websites with malicious code are legitimate sites.   

You may be thinking, "sure, but no one's going to care about my data."  And you may be right.  But if a bad guy is trying to make a company look terrible, one way to do so is to expose information about all of their users.  You can definitely wind up as collateral damage.

Learn your legal protections

Learning about legal stuff can be time-consuming and confusing, and frankly companies may violate laws anyhow.  But it's still worth learning a bit about your rights. The EFF has quite an impressive body of work covering free speech, privacy, intellectual property and other important issues, and they do a great job of translating legal speak into clear, comprehensible articles.   You might also consider reading bloggers like Michael Geist, and your country may have great resources like the Office of the Privacy Commissioner of Canada.

Remember that things that may seem similar often have very different legal protections.  For example, if my credit card number is stolen, there are laws that limit my liability to $50.   But that's not true about all money transactions online:  Debit/bank cards have no such legal protection.  Some modern credit cards that require a PIN have no such protection even though these cards aren't actually safe. You may have no legal protection from your bank if you don't follow their security procedure to the letter, and those security requirements of online banks can be pretty crazy: Do you reboot your computer every time you bank?  No?  You might be on the hook if someone compromises your account!

So yeah.  It's a bit of work, but it's worth it to at least learn about the issues that affect you.

Learn the controls

It may seem a bit silly, given that I've already told you that websites can easily be compromised, but if you're managing risks you should learn to use your privacy controls, choose good passwords and security questions, and keep those things private.  Again, it's about managing your risks: even if these controls can't make you 100% safe, they might make you safer.


Companies are not your friends

For many companies online, you are not really their primary customer: your time and your personal information are assets the company sells to their advertisers.  You have to expect to be treated accordingly. You have to treat every company or organization you interact with online as potential hazards.   Many companies intentionally or unintentionally violate privacy laws and even violate their own privacy rules.  And privacy rules change, sometimes because the company itself changed them, sometimes because they get bought out by another company.  Your guarantee when you signed up for the site is unlikely to hold a year from now, but it may be nigh impossible to remove your data from the system when it changes.

And that's just the "legitimate" problems that could affect you: there's a good chance any company's sites could be attacked and your data exposed as a result -- it happens to fully legitimate companies all the time, no matter how good their intentions towards you and your data.

Choose your friends wisely

You wouldn't tell all your secrets to the office gossip, but online your friends may be "forced" to become gossips either through malicious software or through changing policies.  It sounds like some crazy super-spy movie: trust no one!  Your friends could be compromised!  But once again, just like I'm not telling you to delete your facebook account, I'm not going to tell you not to share, just to be defensive.

For example, I have a couple of friends who really enjoy Facebook games.  They seem to install every new thing that comes along and invite me to join.  Nothing wrong with that, right?  I mean, if I don't want to join, I just don't, and that's the end of it.  Except that it's not: my friends have all these games and thus all these extra ways that someone might break in to their accounts.  And indeed, these are the folk who wind up with compromised accounts more often than most.   So while these are great people who I'd be happy to share job concerns or relationship woes with in real life... It's too risky for me to share private stuff with them online.  They are the office gossips, whether they mean to be or not.  They're not the only ones who put me at risk (any friend can end up on the wrong end of a broken website) but they're the riskiest.

Choose what you want to share

The biggest part of managing your risk is choosing what you want to share online.  Here's a few questions you might want to ask yourself:

1. Will this embarrass me if it gets out?
2. Will this affect my safety?
3. Will this affect my employment?
4. Will this affect my family/friends?

If your job requires you to be a role model, you may have to be a role model even in your off-hours. Maybe it shouldn't be that way, but let's be pragmatic: you have to assume that it is that way.  

You have to assume that anything you share online could become public knowledge.  You can't trust the companies, you can't assume their sites are safe, and you can't even trust your friends because of unsafe websites.  

Think before you share.

Using a pen name

One other way to manage risk is to use a pen name or pseudonym.  Lots of people do this to give them a layer of privacy, especially when trying out something new like starting a silly blog, or when engaging in discussion that could be sensitive such as online political debate.  Sometimes it's even an open secret that so-and-so goes by a nickname online, and the only reason they do is to make it harder for potential employers to come up with a list of everything they do online when searching their legal name and given email address.

This is a great tool if you want some more freedom to speak, but people sometimes will do the legwork necessary to figure out who you are, especially if you're high-profile or saying something unpopular.  So pen names are great, but do remember that they're not 100% guaranteed to keep you safe.  Again, it's another way to manage risks.

No matter what you do, everything may become public

I've said this a bunch of different ways, but this is the real take-home message here: No matter how careful you are, anything you do online can become public knowledge.   It's up to you to manage your risks accordingly.

But don't despair -- it may sound stupidly hard, but you're already handling issues of trust and privacy every time you choose to tell a story to a friend or complain about work at a party.  You might have to pretend you're in a spy movie and trust no one, or you might decide some things are perfectly fine to share with the world.  Just try to make an informed decision.

Will privacy issues herald the end for Facebook?

escape!
by dev null.

I've been seeing a lot of people talking about deleting their facebook accounts over the privacy issues. At first, I chalked it up to my twitter contacts being more aware of security issues than average (I do follow a lot of security folk), but I'm starting to see retweets from outside my own network that imply a lot of people are jumping ship:

@tonyakay: "I deleted my Facebook" is the new "I don't own a TV"

Which really probably sums it up. It's a bit pretentious and holier than thou to announce your lack of Facebook, and it's kind of a techno-elite status marker. When Wired called for an open alternative to Facebook I figured I was right on the money, and it was just a thing for tech nerds to do.

But then I started seeing things like this:

@thesixthbaron Was told by a student this morning that not having a Facebook account is now cool. #abouttime

The Great Escape
by Hryck..

Facebook's biggest strength is in the network effect. The more people you know who use Facebook, the more useful it becomes. Everyone says, "Oh, I have to keep my account because $some_friend_or_family_group still uses it to communicate." But if Facebook is starting to be uncool the way myspace became less cool, then there aren't going to be as many people worth keeping an account for.

It's not just the people that keep users on Facebook. No one says, "I'm too addicted to FarmVille to leave." But I'm guessing that's an issue for some. However, it turns out the games may be jumping ship too. (And if you don't want to admit you're leaving because of the games, you're probably going to say the problem was privacy, because that's what the cool kids are saying.)

So now you have fewer friends on Facebook, and you have fewer new games... will you stay, or will you find you're spending most of your time elsewhere and encouraging your friends to do the same? People will keep their accounts in case Joe from highschool wants to chat, but they'll use them less and less.

We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

Escape
by just.Luc.

Privacy is a big deal and countries are starting to care. Those are big players, but a mass exodus of actual users now shows that it's more than a few policy-makers and the techno-elite who care: privacy may actually be a selling point for future social networks because it seems that the market is demanding it.

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience. Is it possible? Yes. Will it happen? That remains to be seen.

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

I'd like to draw three related things to your attention.

First: Avast released a study on malicious advertisements in February, and the media's had some fun reporting on "malvertising" while seasoned professionals tried not to roll their eyes at yet another buzzword. (Tired of malvertising? Try "badvertisements!") Malvertising is one way legit sites get hosed: estimates say 75% of sites with malicious code are legit sites that got compromised.

Second: Back in March, Ars Technica posted a rant, "Why Ad Blocking is devastating to the sites you love." That they felt ad blocking was impacting revenue and asked people not to do it. (Note that this argument spawned rebuttals.)

Third: I went to a talk by Terry O'Reilly and Mike Tennant, as part of their book tour for The Age of Persuasion: How Marketing Ate Our Culture. (I recommend their radio show.) Among the things they talked about the advertising social contract: In exchange for your attention, advertisers give you something in return. TV advertisements subsidize programming, so they're honouring the contract. Billboards don't really give anything back to the consumer, so they're breaking it.

----

So here's where we put it all together:

Using ad blockers breaks a social contract with advertisers: namely, you get free stuff (content) in exchange for those eyes. If you're taking without exposure to the advertisements, you're "stealing."

But advertisers are breaking the contract in even worse ways with malvertising. They're basically stealing from viewers. It might not be intentional, but it's probably the equivalent of having advertisements on the TV that blare so loud that they cause hearing damage. Could you blame people for turning those off?

Ad blockers do more than keep you from seeing advertisements: they may actually make you safer.

So what to do? The advertisers can try to woo people away from ad blockers by giving more. Terry O'Reilly and Mike Tennant talked about how they like to make their ads funny: so you're giving more in terms of entertainment. What can advertisers do to give back when it comes to security and privacy?

One answer I've seen on that front comes from a surprising source: Facebook. Although Facebook isn't known for getting privacy right at all, but they are doing their darnedest to put a nice spin on their privacy violations. Sure, maybe you didn't want to share with those Facebook connect apps... but isn't is awfully convenient how other sites already know your preferences?

Unfortunately, I (and many others) don't WANT creepy customization. So in the end what they're trying to do doesn't really help with their end of the social contract at all. It may even hurt for many people. Let's just hope that later attempts are a little more generous on their side of the bargain.

You know who did it better? Burger King. Their Whopper Sacrifice where you defriended 10 people for a whopper was quite the hit. In exchange for ditching your friends and giving up some privacy, you could get a free burger. And lots of people did.

I'm not sure I'd give up more privacy and security for a burger, but I'm curious to see how the more creative advertising folk handle this challenge. If users become more aware of malicious advertising, will it even be possible to overcome this challenge and still use banner advertisements, or will we be seeing advertising in new ways?

Why Facebook is like your psycho ex

There's been lots of really interesting articles about the privacy changes in Facebook. My personal favourite is Matt McKeon's excellent infographic showing your (private) data spreading out further and further. (See left for mini version.)

The thing that I don't quite get is how upset every one seems to be about this.

No, hear me out. I'm not just being a smug security researcher.

I caught the 6 o'clock news on TV a few weeks ago, and tried in vain not to laugh during the segment on THE DANGERS OF TEEN SEXTING. Basically, for those of you who haven't heard, sexting is the practice of sending sexually-charged text messages and photos. According to the news segment, it is a plague upon our youth, who are too foolish to realize that those naked pictures they sent to their significant others might eventually wind up on The Internet. The segment was so over-the-top that it was begging to be parodied by some comedy group, but the take home message wasn't wrong: anything you send can be shared, so don't send stuff you don't want shared.

So, when we're seeing news where smug adults talk about how teenagers don't know any better about protecting their data (or at least their naked breasts) from public scrutiny, I'm not really sure how adults can justify being horrified and shocked that their Facebook data isn't as private as they thought it was. Tell your children not to record anything they don't want available for all time, but OMG FACEBOOK IS SHARING MY DATA?!!!

I hope teenagers everywhere are laughing.

So here's what I recommend: Treat web sites much like you would potential ex-boyfriends or ex-girlfriends. You may want to trust them now, but you can never be sure when they might go psycho and write your number in bathroom stalls and share your naked pictures with the Internet. It is, of course, safest to never share anything... but we're not wired that way. People like sharing! It'd be a bit of a lonely life if you never shared anything, and nowadays sharing includes sharing online.

But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.

My sister has a funny story about doing a security check for a previous job that went something like this:

The guy who was doing my clearance was old enough to have children my age, and I sort of think he might have because he was getting increasingly uncomfortable about the questions he had to ask me. When he got down to ones like, "have you ever had a threesome?" he reminded me that, "you don't have to tell me if you aren't embarrassed about it. We only care if you can be blackmailed. If you're not embarrassed, it doesn't matter."

So there you have it: As long as you're not embarrassed by the stuff you share online, it doesn't matter if it gets out.

Or if you prefer dramatic news segment style: SHARE BUT BEWARE. ;)