Archive for the ‘Social Media’ Category

Social media is different from in-person interaction. One big difference is the lack of physical presence. Because of that difference, some folks are rude and mean on social media when they wouldn’t be in real life. Also, social media is notorious for arguments which serve no purpose: folks already knew each others’ positions and no one is interested in considering a change of their own beliefs. As a result, social media can be both damaging and a huge time waster. This is why some people avoid social media, though it can be an effective tool.

This has led me to drafting my own social media interaction rules. I operate by those most of the time now, but by putting them down I have a standard to compare myself against. This is a work in progress. I am sure I will adjust some of these rules over time. Do note, I’m not saying others I have to interact with have to follow my rules. This is my personal code of conduct.


  1. I will treat everyone with kindness and courtesy.
    • It doesn’t matter how I’m treated.
    • I will not insult or demean another.
    • I will not retaliate to any personal attacks.
  2. I will have a positive attitude or I will end my participation.
    • When I begin feeling negative is when I am most at risk for breaking these rules.
    • My negativity does not help anyone else.
    • If possible, I will state why I am disengaging, shouldering the accountability.
    • I can state a problem or a disagreement without being in a negative frame of mind.
  3. I will look for opportunities to encourage and build up others.
  4. I will stay out of controversial arguments where none of the following can be accomplished. In all cases I will clearly state my purpose.
    • I intend to learn more about the positions being argued.
    • I can clear up misinformation or misunderstanding.
    • I can add new, relevant information to the discussion.
    • I can share the Gospel with someone who appears willing to listen.
  5. I will attempt to avoid controversial posts where none of the sub-points in (4) can be accomplished.
    • I consider security, especially IT security, posts an exception to this rule.
    • If I am posting to foster thought and ideas, I will clearly state my purpose.
  6. I will remember that anything I post is not private.
  7. I will remember that anything I post can be referred to in the future.


As with any standard, there will be times when I fall short. Over the long run, though, I expect those failings will reduce in number.



If you’ve read or heard anything about The Filter Bubble, you know that your on-line habits, content choices, searches, physical location, etc., are now being used more and more to give you a customized view of information. This is true whether we’re talking search results via Google or seeing updates on Facebook. The main issue with the views being presented to us is that the filtering is based on algorithms we have no input into and little ability to change. As a result, the filters could be way off, such as a case given in The Filter Bubble where a search for BP during the last oil disaster brought one person news on the oil leaking into the Gulf of Mexico and another person information on investing in BP. The problem with the latter is that the person wasn’t an investor and couldn’t figure out why their search results would rank such content so highly.

When I did a search of my name using Google, I noticed that there’s definitely a filter being applied. For instance, here’s one search:

Compare this to another search where I’m able to somewhat bypass the filters:

Note the difference in number of results and in how the entries I’ve marked with red arrows are flipped between the two searches. These searches were conducted at about the same time (seconds apart) from the same computer.

Part of how the filters work is that cookies are being used to track your browsing habits. That’s something you can control. There are some other things entering in that you can’t control without using a proxy or the like. For instance, note that both searches clearly show my location. This is being determined based on an IP address range from my Internet provider. So unless I bounce through a proxy, which would mask my originating IP address, this sort of information can be picked up. That’s why I said this is a post on partially avoiding the filter bubble.

The key to avoiding the filters is to remove cookies altogether. Doing this automatically for normal browsing isn’t a good idea. Cookies are often used to keep track of the fact that you’ve logged in successfully to a particular web site, hold the contents of a shopping cart, etc. So the use of cookies in itself isn’t bad. However, trying to sift between the cookies you need in order to use the websites you frequent and other cookies which are tied to tracking and/or advertising can be downright impossible. Therefore, if you could start a browser window that basically shielded off your existing cookies, that would work and would be a nice compromise. And you can, depending on your browser.

  • Chrome: Toggle a window with incognito browsing (Ctrl+Shift+N)
  • Firefox: Toggle a window with private browsing (Ctrl+Shift+P)
  • Internet Explorer: Toggle a window with InPrivate browsing (Ctrl+Shift+P)

If you look closely at the second search results, you’ll see in the upper left corner a figure that looks like a spy. That’s how you know that Chrome window is incognito. The other main browsers have similar indicators. Open up the appropriate private mode for your browser and issue your search from that window. That should reduce some of the information being used to figure your results.



Just recently, my oldest son entered the ranks of the teenagers. I shouldn’t actually say teenagers, because I have come to not like that word, mainly because of the influence of the book, Do Hard Things. But with 13 came access to email and to Facebook. Here’s how I tackled things, not only setup, but initial education.


The first thing I did was set him up with an email account with one of the many providers that are out there. I could have set him up through one of my domains, but I decided this would be easiest for him, especially since I had already planned on getting him a decent cell phone. When I chose the name, I avoided obvious “tells” such as references to video games, to popular cartoons, or to anything else that might scream, “I’m not an adult.” Instead, I went with one variant of his full name, one that would be appropriate on a professional resume.

Now, most email accounts have the ability to contact another email in case you need to get into the account. I set up the emergency email to be one of my wife’s accounts, and I promptly gave her the email address and password to my son’s new email account. I have it, too. The email account password is a strong passphrase with some alterations. It’s not one you’d tie to him in any way but it is one he can easily remember.

Then I pre-loaded his contacts list with the folks he would most likely want to contact and sent an email from his account to all of those contacts sharing the email address and indicating that it was me setting up his email since he was a newly minted 13 year-old. This, of course, served three purposes:

  1. It gave him access to the email addresses of the people he’d most likely email.
  2. It gave those people his legitimate email so they wouldn’t be tricked by an account they thought might be his.
  3. It gave them an opportunity to wish him a happy birthday!


With his email account set up, it was time to set up my son’s Facebook account. I used the email address just created, but chose a completely different passphrase. This ensures that should one password be compromised, the other one isn’t. I went through his profile, configuring the basic information that was necessary, hiding the rest. While Facebook does offer some protection for those who are classified as minors, I’m not going to rely on that. So among some of the things I did:

  • I did not specify his current city. He has already been told not to set this.
  • I specified his hometown as an older one. Folks who legitimately know him will recognize the hometown and know they have the right person.
  • I did not publish his birthday to Facebook (yes, he’ll get posts on his birthday, but how old he is will remain hidden).
  • I locked things down to friends of friends for much of his information, because he is in a youth group and so there has to be some flexibility there.
  • I turned off the location features that Facebook now offers.
  • I configured initial interests that I knew were appropriate for him. For instance, Chris Tomlin as a musician he liked.
  • I picked up a reasonable profile pic that I had. He eventually changed it to another one that is acceptable, too, one of him and his grandfather.
  • And again, my wife and I have his password.

The Phone:

Truth be told, I was looking for a really basic phone that would allow him to call us and to text. For those teens thinking, “No fair! My parents won’t let me have a phone!” it is truly a mixed blessing. As the old AT&T commercial went, him having a phone means I can “reach out and touch someone,” namely him, whenever I want. We have a dispersed church campus and we spend a lot of time there, and tracking him down could sometimes be a chore. Not any more! Now I can get him any time. And believe me, my wife and I have (ab)used this greatly since he got his new phone.

He’s on our plan, which is pretty robust since my wife and I both carry smartphones due to my ministry and professional commitments. Looking at the phones, however, the only decent set of phones that I saw also had the built-in camera and ability to connect to Facebook and email. As I thought about that, though, it occurred to me that this was just fine. So we got him a good phone, and I set up Facebook and his mail on it, because I knew this would be his primary interface to those two mediums. That restricts some of what he can do, but it also protects him a great deal because the phone doesn’t have a lot of functionality. It’s not a smart phone, so certain security threats are naturally eliminated.

The Education:

Next came educating him on everything. I started with the phone, which is his primary means of communications. First there was the explanation of the shared plan and that his phone use should be limited. He knows my wife and I will check the minutes religiously, so he’s been good about his usage of his phone. Then I showed him how to call out, how to text, and how to access Facebook and e-mail, to get him started quickly. The rest he picked up from reading the instructions that came with his phone. He knows his phone only has a 1 GB card in it, so he has to limit the photos and pictures he might take.

Then, when we got home, I went over email and Facebook. The first rule is, if it looks too good to be true, it probably is. Then we talked about the mentality of attackers on the Internet. They basically don’t care how they get you, as long as they get you. While this is slightly overstating things, and may seem a bit paranoid, having worked in IT security for a number of years, I know it’s not. My son knows I worked in IT security and so when I said “Pay attention,” he really did. Let’s talk about the basics:

Getting Something from Someone You Don’t Know: Unless you know something was coming in, like from a school or something and you just didn’t know the address, automatically be suspicious of this, whether it’s email or a Facebook message or a Facebook friend request. This is a play on your trust.

Getting Something from Someone You Do Know That Doesn’t Fit: This is the classic con game. I explained to him that it’s not too hard to make an email look like it came from someone you know, when it really didn’t. Technically, it may have, but their computer is infected. So if they send something that’s out of character for them, like sending an attachment, don’t open it. Instead, write them back and ask them if they really meant to send it. Even if they did, be suspicious.

If You Get an App Request for a Photo or Video, Close Out the Tab: Facebook photos and videos do not require an application request. If you get one, that means it’s not legitimate. Don’t play around with navigation. Simply close that tab, open a new one, and go back to Facebook. If it was posted to your wall, go into your profile and delete it so it doesn’t get someone else.

If You Get a Prompt Saying You Need to Update Software, Check with Me: We talked about how attackers have used false software updates to push malware onto a system. The unsuspecting user thinks they are getting a needed software update to, say, Adobe Flash, and what they are really doing is infecting their system. His account doesn’t have rights to do a software update, so he has to check with me anyway, but should he see such a prompt, he needs to tell me right away.

If It Appeals to What You Know You Shouldn’t Be Messing with, Avoid It: Scantily clad girls, adult content, beer/alcohol ads, etc., it makes no difference. Not only should he not be going after such things because of his age, but it’s just dumb on the Internet. Attackers know what our vices are. And they know that when it comes to our vices, we’ll let down our guard, meaning it’s easier to push malware onto our systems. So knowing that attackers are using our weaknesses against us, it’s just smart to steer clear. It’s not just about purity, it’s also about IT security.

Limit the Facebook Games You Play: I used to play a handful of Facebook games. One was because my cousin was in QA for Zynga and he asked me to play one to give him honest feedback. But over time I started tracking the number of hours spent each week on those games. I wasn’t pleased with those numbers. They are incredible time sinks. They also collect personal information on you from Facebook. So I told him to limit it to a few sets of games I’d approve of. Bejeweled Blitz is one, though that can be addictive. But any of the -ville games are definitely out. This isn’t an IT security one, just a common sense one.

Understand What a Phishing Attack Is: We talked about how attackers will make a link look legitimate but it’s not. Therefore, if it’s something that asks him to disclose any personal information, even his email, he immediately should delete/ignore it. If he thinks it might be legitimate, then he needs to let me see it.

If You Have Any Doubts, See Me: I knew that with the brief education I gave him, he would occasionally come across things he wasn’t sure what to do with. In those cases, he needed to talk to me or my wife (who would likely just ask me). And then I reminded him of the next one.

On the Internet, Be Paranoid: As a security professional, I came to understand the following maxim very well: “Just because I’m paranoid doesn’t mean there isn’t someone out to get me.” There are plenty of attackers looking for anyone they can take advantage of. There are sexual predators out there who will pretend to be a teenage boy or girl and want to be his friend, all to arrange a meeting with him. If you don’t know the person, if you aren’t sure you can trust something, check in with me. It’s better to be safe than sorry.

Likely More to Come:

I’m sure there are some other things I’m leaving off, but this is what we started with, so far as I can remember. It was sort of like a brain dump on him, but he’s done well thus far. Now it’s about ensuring he stays diligent.



I had seen others using the FourSquare application and decided to give it a try. Here’s basically what it does:

  • It allows you to post check-ins of your location for your friends to see.
  • It allows you to see the location of your friends.
  • It allows you to post tips or things to do at the locations you check in at.
  • It allows you to see others’ tips and things to do at the locations.
  • It allows you to post a message communicating something you choose at the check-in. For instance, you could post who else you are with if they aren’t using FourSquare.

And all that sounds good. You get to choose when and where you check in, so you don’t have to reveal what you don’t want to. Only the friends you approve can see where you are… Well, sort of.

FourSquare also integrates with Twitter and Facebook. Now when you check in, you can tell it not to tweet or post to Facebook. It will honor that. But if you earn a badge or dethrone someone as mayor (meaning you’ve been to a location more often lately), it will tweet and post to Facebook if you have them configured. In my case, there were times I wanted FourSquare to communicate info, but not always. However, there wasn’t an option to disable the communication of badges.

I gave FourSquare a decent try over several weeks, including in another city. Ultimately, I decided FourSquare wasn’t for me. Here’s why:

  • I couldn’t stop the badge tweets that were spamming my Twitter and Facebook.
  • Locations can be entered by anyone and duplicate locations are frequent. So you could be at the same place as a buddy and not realize it.
  • Checking in was easy, except I couldn’t change the default to not tweet and not post to Facebook. That meant every time I checked in, I would have to uncheck those boxes.
  • I didn’t get any value out of it because those friends who use it tend to tweet their locations if it is somewhere I want to be as well.

Therefore, in the end, I have uninstalled FourSquare from my Blackberry. I will still play the game involving four squares and a playground ball, but with respect to this social media experiment, I am taking my ball and going home.
