Category Archives: en

Google Buzz privacy debacle

So… as I said just 2 days ago, I tried Buzz.

And as I also said, « certainly missed a boatload of things and got some wrong ». Famous last words. How right I was!

I tried Buzz just like half the planet actually, which I didn’t realize until yesterday, when I found my Gmail account spammed by people I had never heard of before, replying to my buzzes or writing buzzes I received or subscribing to my stuff.

I was panic-struck, just like the rest of the planet. That was the main theme of the comments I saw: « I’m panicking, are you? » « Oh yes I am, but who are you and how come you write this in my Buzz? ».

It somehow found the feed to this blog. I still haven’t quite figured out how; maybe that’s my fault, maybe not; anyway I validated it. I’m glad I wasn’t using Blogger, sorry but I’ve got enough knives planted in my back at the moment.

I did what everybody did yesterday evening: shut down all the incoming feeds, deleted posts and/or comments (“did I write something to my contacts that’s not for public consumption?”), tried to shut down everything outgoing, checked out all my subscribers, and tried to figure out how the damn thing decides that something should be visible or not visible, by others from me or by me from others. I’m still freaked out.

I still think this stuff makes Facebook look like amateur privacy violators by comparison. Even the quote by Eric Schmidt about privacy looks like a detail now (even though it was right-on).

The major, enormous psychological (not technical) error is that this was placed in the Gmail account; something you typically expect to be private. Putting there stuff that’s geared to be broadcast all over the place, in an opt-out way (second major error: everything is public by default, and you can’t ever revert to private after publishing, your only bet is to delete), is a tragically bad, bad, bad idea. Third error, fuzzy rules (recommendations? I’m not even sure) allowing buzzes to skip over contact boundaries.

By putting Buzz inside of Gmail, Google probably wanted to drive up adoption. Well done, it’s adopted all over the place with posts and comments and blog posts and tweet guts spilled everywhere, aggregated, resent, accessible without your knowledge. What a sorry mess. Evil? Still not sure about that. Ill-considered, that’s for sure.

Fourth, but not least, error (but is that really an error? Looks like a strategy, really): Google confuses public availability with right-to-broadcast. My buzzes or blog posts being public does not mean that I want Google to spam these to contacts of contacts of contacts.

I’ll have to wait until the dust settles in my mind to know whether I really want to use this stuff. It’ll remain anyway as one of my most creepy experiences of late.

Already we see blog posts everywhere flowing about people who’ve unknowingly leaked private information to bosses, ex-husbands and so on. Too many to mention.

Update: Sixth error, the blocking of followers is not real security over leakage. It’s cleaning up after the fact (see the blog post linked-to above).

Update (21h41): Seventh error, and now (since when? since Buzz? No idea whatsoever, seems new since it also appears on my buzzes now) my Orkut photograph has been imported to my Gmail profile and appears to all my chat contacts. I never asked for that… it’s a photograph of me at the age of 3 months! Never meant to be visible in Gmail.

Eighth error: so obvious I missed it… the followers/followee list is public by default “Display the list of people I’m following and people following me”. Which means you have a privacy leak in your contact list, since that’s where the followers come from.

This is insane. I think Google really has jumped the shark, this time. I’m out of Buzz for the foreseeable future.

Update (23h38): additional thoughts in relation to the above… Google apparently doesn’t realize that mail contacts (many kinds of people) are very different from friends in a social network; the contact or chat list may look like a friends list functionally, but they do not contain the same kind of people and do not serve the same purpose. It’s obvious if you look at who’s in your own respective lists. A lot of confusion stems from that. Google is trying to “Facebookize” the Gmail ecosystem and the fit just can’t be good. Maybe that’s a cultural problem.

Update (0h06): an idea I just got. If the Buzz follower/followee lists actually were new lists, treated like real friends lists starting from zero (i.e. not based on any contact list, not even with a pre-filled checkbox list), with a reciprocal acknowledgement just like in social networks, the user would really be more in control, with the actual feeling of starting up his own, separate network.

No tips yet.
Be the first to tip!

Like this post? Tip me with bitcoin!

1JpYTX6MNCwiMJJKvHep9uZxqTKGqr37tJ

If you enjoyed reading this post, please consider tipping me using Bitcoin. Each post gets its own unique Bitcoin address so by tipping you're also telling me what you liked, in addition to contributing to the blog hardware and electricity, and perhaps a few beers if you don't mind 🙂

Google Buzz

Okay. I’ve just learned I’m the proud and lucky (thanks to my guardian angel) owner of a Google Buzz account.

What is it? Actually, I’m still trying to figure that out exactly.

Try to imagine Google Talk (chat) extended with bits of Twitter (followers and followees, but that’s not what they’re called) and geolocation, integrated within Google Mail with an interface that’s slightly reminiscent of Google Wave presented in a blogpost-like format (there has to be an RSS feed somewhere underneath, but I didn’t find it); with possible post upvoting as in Digg or Reddit (but no downvoting).

And you can also mix in stuff from Picasa, Google Reader, Twitter itself, Flickr or blogs.

The above looks like a web 2.0 keyword soup; this is a good reflection of my first impression 🙂

That’s what I was able to gather after using it for 5 minutes. I certainly missed a boatload of things and got some wrong.


Android pattern locking: a horror story

45 seconds of play, ~5 hours of desperate hacking.

A few days ago, my 4-year-old daughter was playing with my mobile phone running Android 1.6. To let her play with the screen while avoiding any mishap, I locked the phone. It was obviously not enough: she instantly found the MENU key to unlock it.

So I had the brilliant idea to put on a locking pattern, the pretty method used on Android to really lock the screen.

After 5 unsuccessful tries, which my daughter reached in about 15 seconds, the pattern unlocking incurs a 30-second guard delay. I decided that the game was too risky (I found out later there’s also a 20-try hard limit, but we didn’t reach it) and took my phone back.

There, I had another brilliantly fatal idea: I clicked on the “forgot the unlock pattern” button which just appeared, just out of curiosity to see what would happen next. The phone asked for my Gmail account and password. I filled the requested information, but it didn’t unlock the phone; apparently this is a known Android bug that I didn’t know about. And, contrary to what I naively assumed, there was no way to get back to the unlock pattern screen. I rebooted the phone. No change, no escape.

Then it dawned on me that I was 600 kilometers away from home, for almost a full week, without all my computer tools. And I was locked out of my own phone.


The Google Toolbar and the Russian mafia

It can sometimes be fun to do computer support for your close family (or similar life-having, non-technical people):

– Can you have a look at my computer? It says something new about Sidevski… or some similar Polish/Russian name.

– Sidevski? Don’t know what that is. Maybe you mean Kaspersky? Perhaps an antivirus warning… or ad, or spyware?

– No, that was more like Sidevski. Here, look.

– Oh, the Google Toolbar in your browser. Holy crap, you meant THAT and THAT?!

A good laugh.


Accessing the IPv6 web with squid 3.1

That’s it, Squid 3.1 is in the FreeBSD ports. Squid 3.1 is still a beta but it’s nearing a release.

This means I can now access ipv6.google.com (and obviously other IPv6 sites), through my local proxy. Unfortunately I’m redirected to the French version, which seems to lack the dancing “Google” letters. The good old Kame turtle works, on the other end. How’s that for a killer-app?

IPv6 is the unleaded gas (or the organic food) of IP: it doesn’t seem to bring anything concrete, unless you look at the bigger picture.


IPv6 connectivity survey

A request from CAIDA and WIDE to (hopefully) happy Unix IPv6 users for IPv6 connectivity data gathering:

http://www.caida.org/data/how-to/scamper/ipv6-collection-2007/

In March 2005 CAIDA and WIDE coordinated a global collection of IPv6 topology measurement in order to generate an IPv6 AS core map. We would like to repeat this experiment with probe runs between Tuesday 27 November and 4 December 2007. Please help us measure the IPv6 Internet! Instructions below.

[From my friend Philippe]


IPv6 at RIPE-55 and an upcoming communication

The RIPE-55 meeting takes place this week in Amsterdam. The hot matter currently is the expected death-by-[address-]exhaustion of IPv4.

So, on Monday, the main matter was IPv6 deployment (a lot of interesting stuff, most presentations are accessible as PDF files).

IPv4 address depletion was on the agenda Tuesday afternoon:

IPv4 Depletion Session

  • ETNO Common Position on IPv4 Exhaustion – Mark McFadden, BT (PDF, 29 KB)
  • Changing IPv4 Allocation Policy – Remco van Mook, VIRTU (PDF, 76 KB)
  • IPv4 Depletion and the Afterworld – Geoff Huston, APNIC (PDF, 2.25 MB)
  • Open Microphone / Discussion

Tuesday’s first two presentations reflect on future IPv4 address allocation policies. They don’t agree on what needs to be done; the first one, from ETNO (European Telecommunications Network Operators Association), is firmly opposed to a would-be “IP address marketplace”. The second document, from VIRTU (a Netherlands-based hosting provider), holds almost the opposite view, saying that the various regional RIRs should be able to exchange address blocks to adapt to local needs, and let LIRs invent and apply their own policies regarding address trading.

My personal conclusion is that a lot of wrestling over IPv4 addresses is to be expected in the coming years, and it will only get worse and worse with time.

The third document is a must-read, an updated version of the Geoff Huston presentation I already wrote about [fr]. I liked the train crash illustrations :-). The conclusion obviously remains: we’ll need to transition to IPv6 no matter what, and the sooner the better.

In that spirit, RIPE is discussing a Community Resolution (draft) on its IPv6 and Address-allocation mailing lists. Such a communication is desperately needed: most professionals (network administrators, network consultants) I spoke with about the Geoff Huston documents had a skeptical reaction along the lines of “Transition? Yeah right, I’ve been hearing that for 8 years now, so maybe one day”.


Using mod_proxy to convert a legacy IPv4 web site to IPv6

In preparation for the impending doom of IPv4, and in order to put my money where my mouth is [fr], I decided to make this blog natively accessible through IPv6.

The first problem I ran into is that my blog runs in a FreeBSD jail. Jails are a fine way to run a virtualized environment but they only support IPv4 at the moment. So I had the following options:

  • implement IPv6 in jails myself (this wouldn’t have happened overnight);
  • wait for someone else to;
  • abandon the idea;
  • find a workaround.

Finally I found a workaround, using Apache mod_proxy as a separate server to provide an IPv6 frontend (a configuration called reverse proxy).


Thunder noise at Mozilla

Like many other people, I was somewhat perplexed by the Summer announcement of the Mozilla Foundation that Thunderbird would be further developed by a separate structure, a spin-off of the Mozilla Foundation.

The foundation has a huge heap of money generated by Firefox (Google donates a lot of it), whereas Thunderbird generates no significant revenue. Separating structures means that the Mozilla Foundation will have to inject cash (currently $3M as seed funding) to keep the new structure running until it is self-sustaining (which probably won’t happen overnight). It also means that Thunderbird will lose some of the huge visibility associated with the Mozilla Foundation.

From a strategic standpoint, I was perplexed. So I assumed that other, internal considerations went into play. Accounting, management, organizational reasons; whatever; I don’t know.

Last month, the new structure (dubbed Mailco for now) was finally announced.

Just a few days ago, both full-time (paid) lead developers of Thunderbird announced, in turn, they would leave the foundation next Friday. They will continue working on Thunderbird as (unpaid) volunteers. They didn’t explain why they were leaving; one can only assume they disagree with the new setup.

So now I’m even more perplexed. Things don’t seem to bode very well for Thunderbird, at least in the immediate future.

Note: from now on, my articles will be tagged either en or fr according to the language they’re written in, as I don’t intend to translate every article. This will hopefully make it a tiny bit easier for readers. I haven’t yet figured out a way to generate separate RSS feeds for that, though.
