Today I broke a world record, and got on TV

Today I broke a world record, and got on TV

Achievements for today:

Perl for Android

I have an Android phone. I love it. After scanning a barcode it now runs Perl. Sure, the example Hello World program dies with an error, but there's already a patch to fix that.

This is a massively exciting achievement for me, and is even better for it having all of ninety seconds. It's now tantalisingly easy to do some pretty amazing things from my phone. I don't think I'm going to be short for a project any time soon.

(read more...)

Talk like a Pirate Day

Talk like a Pirate Day
This Saturday was International Talk Like a Pirate Day, as well as Software Freedom Day. This year I sided with the pirates, donned a particularly swashbuckling outfit, and joined about 150 other pirates to march through Melbourne, fight off ninjas, and singing the only sea-shanty known by every member of our scurvy crew.

Afterwards, there was the world's best pirate cake, crafted by jarich.

I have some pictures of the day and the party, including the Jolly Tux. For those people on Facebook, there's a lot of photos on-line.

(read more...)

Rocking out at MXUG

Rocking out at MXUG
For a while, Melbourne has been running MXUG, the Melbourne X Users Group, where X is a technology you're interested in. It has a nice format: 15 minute talks, timed, with five minutes for questions. Then beer, pizza, lightning talks, and a trip down to the pub.

Despite me apparently living in Melbourne, I've never attended a MXUG meeting, but I'd been hearing good reports about them. Apparently one can become a speaker just by adding themselves to the speakers list (which is editable by members), and so I aggressively volunteered to give my (still formative) talk on facebook privacy.

The talk went really well. The audience was warm, interactive, and laughed at all my jokes, even the really lame ones. Since I judge my self-worth on the size and enthusiasm of my audience, I decided that I really liked MXUG. Normally, that would be enough for me to call the night a success.

However enough people asked me about how I used my wiimote as a presentation device, so I volunteered for one of the five minute lightning talks. I had no slides. I did no preparation. I spent all the time I'd normally be working on my talk eating pizza, drinking beer, and talking to MXUG members.

So I was especially happy when I showed off how to use Xwii to enable a tilt mouse, and as a presentation device. I then showed off how I could use the wiimote to control my music player, and sung a few bars from "I've got a feeling" from Buffy on stage. That would normally be enough to count the night as doubly-awesome, but oh no! It gets better.

My last Xwii profile showed how I can hook into a Guitar Hero controller, "but I don't have one of those here, so I can't show you". Sure enough, someone produces a guitar out of nowhere. A few seconds to pair it with my machine, a few more seconds to start up Frets on Fire, and I am rocking out on stage in front of a cheering crowd of 50 people.

I then got to sit back down in the audience, and read about my exploits on twitter. ;)

That, ladies and gentlemen, was my thrice-awesome night at MXUG.

(read more...)

Dark Stalking on Facebook

Dark Stalking on Facebook
For a while I've been using Facebook's API and Facebook Query Language (FQL) via Perl's WWW::Facebook::API module to run fairly innocent queries on my friends. If I visit a town, I'd like a reminder of who lives there. If I want to go rock-climbing, it helps if I can easily search to see which of my friends share that hobby. This is good, innocent stuff, and makes me glad to be a developer.

Last week I decided to play with event searches. If a large number of my friends are attending an event, there's a good chance I'll find it interesting, and I'd like to know about it. FQL makes this sort of thing really easy; in fact, finding all your friends' events is on their Sample FQL Queries page.

Using the example provided by Facebook, I dropped the query into my sandbox, and looked at the results which came back. The results were disturbing. I didn't just get back future events my friends were attending. I got everything they had been invited to: past and present, attending or not.

I didn't sleep well that night. I didn't expect Facebook to share past event info. I didn't expect it to share info when people had declined those events. I haven't found any way of retrieving friends' past events using Facebook's website, but using FQL made it easy. Somehow, implicitly, I thought old events would fade away, only viewable to those who already knew about them. I didn't expect them to stick around for my code to harvest, potentially years into the future.

Finding my friends' old events crossed a moral boundary I honestly didn't expect to encounter. Without intending, I really felt like I was snooping. It didn't matter that these friends had agreed to share this information under the Facebook terms and conditions. I would personally feel uncomfortable with this much information being so readily available, and assume my friends would feel the same.

However my accidental crossing of moral boundaries wasn't the only thing that kept me awake last night. I was also kept awake by wondering just how much information could I tease out of the Facebook API. What could I discover? What if I were evil?

However I'm not evil, so I put my code on hold for a while and made a call for volunteers. I'd be restricting myself to just using the Facebook API, and without them installing any additional applications. I wouldn't share their data in any way, but I'd be able to inspect and use it, and would try to provide them with a copy when I was done. To be honest, I was surprised by the response; I now have almost two dozen people who have agreed to participate, covering a wide range of lifestyles and privacy settings.

The results have been very interesting. I expected to be able to obtain personal information, including things like events, photographs, and friends; it doesn't take much imagination with the FQL tables to find those. What was most interesting are some of the more creative queries I was able to run.

Most recently, I've been able to obtain status feeds, even for users who have very tight privacy settings, although I had to tweak my own application's privileges to do so. I don't know how far into the past these go, but they also come with likes information, and comments. This gives me a wealth of information on the strength and types of relationships people have. A person who comments a lot on another user's posts probably finds that user interesting. If I descended into keyword and text analysis, I may even be able to determine how they find that user interesting.

But by far the most interesting part of all of this have been dark users. Like dark matter, these users are not directly observable, usually because they've completely disabled API access. In fact, some of these users are completely dark unless you're a friend. They don't show up in search results. They don't show up on friends' lists. You can't send them messages. If you try to navigate to their user page (assuming you know it exists), you get redirected back to your homepage. These users have their privacy settings turned up real high, and are supposed to be hard to find.

However like dark matter, dark users are observable due to their effects on the rest of the universe. If a dark user comments on a stream entry, I can see that comment. More importantly, I can see their user-ID, and I can generate a URL to a page that will contain their name. I can then watch for their activities elsewhere. Granted, I can't directly search for their activity, but I can observe their effects on my friends. For want of a better term, I've been calling this "dark stalking".

What makes this all rather chilling is that I'm doing all of this via the application API. If your friend has installed an application, then it can access quite a lot of information about you, unless you turn it off. If your friend has granted the application the read_stream privilege, then it can read your status stream. Even if a friend of a friend has done this, and you comment on your friend's status entries, it's possible to infer your existence and retrieve those discussions through dark stalking.

While I've always considered people's own carelessness to be the biggest threats to their own privacy, in the social 2.0 world it seems we need to be increasingly worried about our friends, too!

I'm preparing a detailed paper with the results of my research (which is still ongoing), but I will be presenting my preliminary findings at BarCampMelbourne, this weekend (11-12th September 2009), with a further update at the University of Tasmania Computing Society (TUCS) on the 2nd October. A conference talk will invariably follow.

If you want to keep track of my research, then you can join the facebook group, or the facebook privacy group. I prefer comments and questions to directly to the facebook privacy group, or to me directly.

(read more...)

Bitcoin QR code This site is ad-free, and all text, style, and code may be re-used under a Creative Commons Attribution 3.0 license. If like what I do, please consider supporting me on Patreon, or donating via Bitcoin (1P9iGHMiQwRrnZuA6USp5PNSuJrEcH411f).