My Two Cents
While you were surfin' 
Sunday, January 17, 2010, 06:55 AM
Posted by Administrator
On January 15th, AP carried a story about a woman who was connected to an unknown Facebook account (Read Article). She didn't hack into the account; she simply went online, connected to Facebook and was greeted with a smiling face - unfortunately, it wasn't her own. She called her friends and at least one of them experienced the same problem - though this person was granted access to a completely different Facebook account. Both were using the AT&T wireless network.

AT&T spokesman Michael Coe is quoted as saying that "its wireless customers have landed in the wrong Facebook pages in 'a limited number of instances' and that a network problem behind those episodes is being fixed".

So everything is fine? Case closed? Not so fast. First let's look into the details of this problem.

Most websites (not only Facebook) use "Cookies" for authorization and other purposes. Cookies are small pieces of data that are created by a website, transmitted to you and automatically stored on your computer. Whenever you return to that website, your computer re-sends the Cookie to it and you are authenticated. For security reasons, your computer makes sure that each Cookie is only sent back to the website that issued it. So, if, say, Facebook sends you a Cookie, your computer will send it only back to Facebook. This is very important because whoever has your "Cookie" can use it to log in to your account - even without your password. Cookies are only exchanged directly between a website and your browser - the Cookie is a 'key' and your browser knows which 'key' to use for which 'lock' (website). Though it is not perfect, it's a pretty safe method.

Unless there's a man in the middle.

In cryptography, the man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. (Source: Wikipedia)

Should the "man in the middle" lose track of which data to send where, Cookies get fumbled and people are able to view (and modify) other people's profiles. Is that what AT&T calls a "network problem"?

But this "network problem" uncovered a shocking and almost unbelievable truth: There is a "man in the middle" in AT&T's wireless network. In other words: Somebody (most likely an organization or company with three letters in its name) may have all Cookies and, by definition, access to all accounts. Not only on Facebook, but on each and every website that uses Cookies for authorization. All the data stored on social or business websites, in your email accounts, maybe even on your bank's website - in plain view to, well, whoever it is.

What can you do?

Well, you may want to finally surrender your privacy once and for all. Take a piece of paper, write down all your usernames and passwords and mail them to AT&T. That saves a lot of data storage. And you will never again be tempted to expect any 'online' privacy. Or you can make sure to use HTTPS (Hypertext Transfer Protocol Secure). Never connect to a website by typing 'website.com'. Type 'https://website.com' - like https://www.facebook.com. Your data will now be encrypted and the "man in the middle" can't use your data (including your Cookies).

If a warning pops up - don't use the website. If you can't connect to an 'https' website - don't use it. But it must be HTTPS (notice that 's' at the end - that's for 'Secure'). Make sure the website doesn't re-route you to a different address without the 'https' in front of it.
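An added example, not part of the original post, showing the 'key and lock' rule for Cookies described above and what HTTPS buys you: a browser only sends a Cookie back to the host that issued it, and a Cookie carrying the Secure attribute (something the website sets; the post does not mention it, so it is an assumption here) is withheld from plain http:// requests, so a proxy on the network path never gets to see it. Hostnames, cookie names and values are constructed, and the Python standard library cookie jar stands in for the browser.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

# Constructed Set-Cookie headers, as a login response might send them.
# The hypothetical session cookie "sid" carries the Secure attribute; "track" does not.
LOGIN_RESPONSE_HEADERS = [
    "sid=abc123; Path=/; Secure",
    "track=xyz789; Path=/",
]
LOGIN_URL = "https://www.facebook.com/login"  # the origin that issued the cookies


class FakeResponse:
    """Minimal stand-in for the object urlopen() returns; extract_cookies() only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so both headers are kept

    def info(self):
        return self._headers


def build_demo_jar():
    """Store the constructed cookies the way a browser would after the login response."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(LOGIN_RESPONSE_HEADERS), urllib.request.Request(LOGIN_URL))
    return jar


def cookies_sent_to(jar, url):
    """Return the set of cookie names the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)           # applies the same host and Secure rules a browser does
    header = req.get_header("Cookie")
    if header is None:
        return set()
    return {part.split("=", 1)[0].strip() for part in header.split(";")}


if __name__ == "__main__":
    jar = build_demo_jar()
    for url in ("https://www.facebook.com/home",   # same site, encrypted: both cookies go out
                "http://www.facebook.com/home",    # same site, plain HTTP: Secure cookie withheld
                "https://www.example.com/"):       # different site: nothing is sent
        print(url, sorted(cookies_sent_to(jar, url)))
```

Only the Cookie without the Secure attribute ever travels over plain HTTP, which is exactly the one a network intermediary could pick up; the site's choice of flags decides how much typing 'https://' protects.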

All of your current accounts are already compromised. Will it help to change your password? That depends on the website - but it surely doesn't hurt. Keep an eye on the "visit tracker". Most websites tell you how many times you have visited. Write it down and check whether it increases without you logging in.

Support the Electronic Frontier Foundation (Go There) and let them help to defend your digital rights. Unless of course, you have no problem with 'you know who' sharing your data with 'you know who' ...

Be OPEN social 
Wednesday, December 16, 2009, 02:12 AM
Posted by Administrator
Hi there, and happy holidays. I am currently working on the SigMe System, a new social kind of service, though with a 'Michaela' touch. Anyway - during the development, I also came in contact with Google-sponsored 'Open Social', a protocol (API) that allows applications ('Gadgets') to access one's profile data (name, gender, list of friends, activities). It most certainly appears logical that profile data should be available for more than 'I like you' and 'You like me' activities. Think about being able to have a synced database of contacts within your email program - always current, always accurate. Or a plug-in for your favorite phone application that always has the correct number for the correct person. Think about shared calendars, business-card listings .. you get the idea.

But OpenSocial has a different scope (yes, I know about RESTful ..). It is mostly meant to allow 'Gadgets' to run within the protected environment of a web service, a program within a service. People can add their own (or other) gadgets to their own account, but those gadgets will only run within an OpenSocial website (e.g. 'facebook'), not as an external application.

There are quite a few gadgets available for people to add to their personal environment at their favorite Web 2.0 service - however, as soon as it comes to 'gadgets', the Open in OpenSocial ain't open anymore. There are almost no freeware gadgets available; most gadgets are developed by an advertising-driven gadget industry. No wonder most of those gadgets are mindless time-burning games allowing the player to bother friends with 'gifts' so that they too are motivated to play the game and watch the advertising. Viral has a new meaning. I'd rather fight the swine-flu virus.

Now - a few creative people grabbed the gadgets (remember: HTML + Javascript = source code) and simply removed the advertising or modified the gadgets in other ways. This of course led the gadget developers to add protection mechanisms. The gadgets now require a correct 'password-key' which is provided by the environment the gadget is supposed to run on. Since I don't have anyweb.com's key, the 'new' gadgets won't run on my or any other site.

But that is not the only problem with OpenSocial. OpenSocial is a HUGE collection of interacting protocols that add up to a hill of beans - the size of Mount Everest. In order to even toy around with OpenSocial, you need the free 'Apache Shindig' OpenSocial container. You need 'partuza', a freeware Web 2.0 environment that is able to interface with 'shindig', to see how you would be able to patch your own databases into the OpenSocial environment. You need to understand the difference between 'oauth', consumer keys and a variety of other security mechanisms. All of that to allow a user to access his or her OWN data?

Well, we don't think so. This is why we are developing what we call openSigMe. It simply works like this:

You POST the correct key and questions to me, I POST you the requested data. The simplicity of the protocol will provide for very easy integration into external applications so that Squirrelmail, Evolution and Firefox may, in the future, have APIs to access the data stored in your profile (that includes friends, contacts [...]) at Sigme.com or any other openSigMe supporting Web 2.0 service.

KISS is still the word.

Michaela

