Archive by Author

Facebook’s long memory: Hotel California still in place…

As I remarked in a previous tweet, people these days seem surprised when you say you’re not on The Book. So, as I came back after seeing a friend and yet another person asked me to add them as a friend on Facebook, I thought I might reconsider my previous position.

So I signed up… typed in my name, email address etc… and what did I see?

I saw a list of “suggested friends”, which was essentially everyone I knew before I deleted my account, as well as a bunch of people I knew but hadn’t connected to.. the social graph in action I guess.

I would be interested to find out where this information was obtained if my account was truly deleted, from my former connections? But surely, I could be any Marcus Povey? True, emails are “unique”, but I’m fairly sure that at least half of the suggested connections never knew my email address (social graph again)… besides, that’s missing the point.

To be clear, at the very least Facebook is remembering my name/age or email address as unique identifiers, and who I am connected to. So while the delete account option may remove your pictures etc, it clearly doesn’t remove the connection data – which I have previously stated is actually quite a powerful and private bit of information.

Am I alone in being a little freaked out by this?

Clearly, even though they provide a way of deleting your account, much of the important connective information is retained. Your account still isn’t being deleted.

In other words; “You can check out any time you like, but you can never leave”.

Suffice it to say, I reconsidered my reconsideration. I deleted my account again (for what good it will do), my first instinct was correct.

I guess people are just going to have to email me.

Old Skool.

Barcamp Oxford 2010

This weekend was Barcamp Oxford, and suffice it to say it was utterly fantastic. While a delicious ham cooks, I just thought I’d jot down some notes.

The day for me started early on Saturday with a walk into town (Oxford’s buses being resoundingly useless), still it was a lovely sunny day and I had some good tunes on my mp3 player so I didn’t mind working on my tan for a while.

Anywho, got to the Oxford Club in time for registration and for the slots to be put up… a dizzying array of very interesting possible discussions were soon put up.

Obviously I couldn’t go to all the sessions, but those I did go to were fantastically useful.

Highlights were a thought provoking, passionate and mature discussion of women in technology, and education in general. Additionally, met a bunch of very cool people who I hope to keep in touch with!

The beeper has just gone on my oven so I must tend to my food. Suffice it to say, I found the event both highly enjoyable, stimulating and very very useful.

Props to all the people who worked so hard to make this happen, you are all awesome!

Same time next year?

Image by Sylwia Presley

How to set up ProFTP, MySQL and Virtual Users

ProFTP is a configurable FTP server available on most *nix platforms.

I recently had the need to get this working and authenticating off a PHP maintained MySQL backend, and this post is primarily to aid my own memory should I ever have to do it again.

Installing ProFTP

In order to use MySQL as a back end you need to install some packages. If you’re using a Debian based distro like Ubuntu, this is easy:

apt-get install mysql-server proftpd proftpd-mod-mysql

The database schema

Next, you need to install the database schema to store your users and passwords.

-- ENGINE= replaces the older TYPE= keyword, which current MySQL releases reject
CREATE TABLE IF NOT EXISTS users (
    userid varchar(30) NOT NULL default '',
    passwd varchar(128) NOT NULL default '',
    uid int(11) default NULL,
    gid int(11) default NULL,
    homedir varchar(255) default NULL,
    shell varchar(255) default NULL,
    UNIQUE KEY uid (uid),
    UNIQUE KEY userid (userid)
) ENGINE=MyISAM;

CREATE TABLE IF NOT EXISTS groups (
    groupname varchar(30) NOT NULL default '',
    gid int(11) NOT NULL default '0',
    members varchar(255) default NULL
) ENGINE=MyISAM;

One important thing to note here – that caused me a fair amount of hair pulling when I tried to use encrypted passwords – is that the password field shown in many howtos on the internet is much too short. This causes the hashed password to be quietly truncated by MySQL when saved.

This causes a somewhat misleading “No such user found” error to appear in the logs when using encrypted passwords.

To end all argument I’ve allowed passwords up to 128 chars, but this field could probably be a good deal shorter.
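An added example (not code from the original post) of the truncation failure described above, in Python: it reproduces the MySQL 4.1+ PASSWORD() format with hashlib, models an insert into varchar columns of different widths with strict SQL mode off, and includes an audit check for rows whose hash was cut short. The helper names, sample accounts and column widths are constructed for illustration.

```python
import hashlib
import hmac
import re

# Shape of a complete PASSWORD() value: '*' plus 40 upper-case hex digits (41 chars).
FULL_HASH = re.compile(r"\*[0-9A-F]{40}")


def mysql_password(plaintext: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def store(value: str, column_width: int) -> str:
    """Model an INSERT into varchar(column_width) with strict SQL mode off:
    MySQL keeps the first column_width characters and raises only a warning."""
    return value[:column_width]


def login_ok(stored: str, attempt: str) -> bool:
    """Model of the backend check: hash the attempt, compare to the stored value."""
    return hmac.compare_digest(stored, mysql_password(attempt))


def truncated_users(rows):
    """Audit helper: userids whose passwd is not a complete PASSWORD() hash."""
    return [userid for userid, passwd in rows if not FULL_HASH.fullmatch(passwd)]


def build_sample_table():
    """Constructed rows: (userid, passwd as stored, password typed at login)."""
    accounts = [
        ("alice", "s3cret-A", 128),  # column width used in the schema above
        ("bob", "s3cret-B", 30),     # constructed example of a too-short column
        ("carol", "s3cret-C", 41),   # exactly the length of a PASSWORD() hash
    ]
    return [(user, store(mysql_password(pw), width), pw)
            for user, pw, width in accounts]


if __name__ == "__main__":
    table = build_sample_table()
    for user, stored, typed in table:
        print(f"{user:6} stored={len(stored):3} chars  "
              f"login_ok={login_ok(stored, typed)}")
    print("truncated:", truncated_users([(u, s) for u, s, _ in table]))
```

A PASSWORD() hash is always 41 characters, so the correct password can never match a value stored in a narrower passwd column. The same pattern check can be run over an existing users table to find accounts that need their password reset.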

The user table looks much like /etc/passwd and is largely self explanatory. The uid & gid fields correspond to a system user in most cases, but since we’re using virtual users they can largely be ignored. Homedir points to a location which will serve as the user’s default directory. Shell is largely unused and can be set to /bin/false or similar.

Configuring ProFTP

Next, you need to make some changes to the ProFTP configuration files stored in /etc/proftpd. While doing this it is handy to run proftp in debug mode from the console:

proftpd -nd6

proftpd.conf

  1. Make sure the AuthOrder line looks like:

    AuthOrder mod_sql.c

  2. Ensure that the following line is uncommented:

    Include /etc/proftpd/sql.conf

  3. For belts and braces I’ve included the following at the end, although I’m not entirely sure it’s strictly required:

    <IfModule mod_auth_pam.c>
    AuthPAM off
    </IfModule>

  4. Our users don’t need a valid shell, so:

    RequireValidShell off

modules.conf

  1. Make sure the following lines are uncommented:

    LoadModule mod_sql.c
    LoadModule mod_sql_mysql.c

sql.conf

  1. Set your SQL backend and ensure that authentication is turned on:

    SQLBackend mysql
    SQLEngine on
    SQLAuthenticate on

  2. Tell proftp how passwords are stored. You have a number of options here, but since I was using mysql’s PASSWORD function, I’ll defer to the backend.

    SQLAuthTypes backend

  3. Tell proftp how to connect to your database by providing the required connection details. Ensure that the user has full access to these tables.

    SQLConnectInfo database@host user password

  4. Define your table structure in the format tablename fields….

    SQLUserInfo users userid passwd uid gid homedir shell
    SQLGroupInfo groups groupname gid members

Adding users

I manage users from within a PHP web application that I’m developing, but in a nutshell adding FTP users from this point is a simple insert statement looking something like:

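// $db is assumed to be an open mysqli connection; bound parameters keep user input out of the SQL text
$stmt = $db->prepare("REPLACE INTO users
(userid, passwd, uid, gid, homedir, shell)
VALUES
(?, PASSWORD(?), ?, ?, ?, ?)");
$stmt->bind_param('ssiiss', $userid, $password, $uid, $gid, $homedir, $shell);
$stmt->execute();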

Have fun!

The Facebook question: is privacy dead?

The other day I took the decision to delete my Facebook account.

There has been a lot about Facebook and privacy in the tech press over the past few weeks – making live chats public, the ABC bug, criminalising violations of their terms of service, etc.

Facebook has a clear habit of leaking data, and a general disdain for their users’ privacy. As we can see by the changes to their Terms of Service and default privacy settings over time this is a deliberate strategy, which makes perfect sense since Facebook’s entire business model depends on their users sharing everything.

There’s a problem here of course, because even if you delete your account or were never on Facebook to begin with, the chances are you still are on Facebook.

Crowd sourced surveillance

Facebook crowd sources its intelligence gathering by encouraging your friends to continually update it with fairly sizable amounts of information about you, even if you are not a member. The simplest example of this would be the invite system… Facebook user Alice uses the Facebook interface to invite Bob, who is outside of Facebook, to a party… innocuous at first glance, until you consider that Alice has just told Facebook (and by extension: advertisers, government agencies, application developers etc) that Alice knows Bob (expanding the social graph) and has informed them of Bob’s email address.

Image tagging presents another interesting problem. Facial recognition has reached a stage whereby a machine can tell whether a face belongs to the same person from picture to picture. This feature was included in the latest version of iPhoto for example, but even without facial recognition, a tagged photo provides confirmation that a group of people were together at a certain time – and with geotagging enabled – in a certain place.

Facial recognition is on Facebook now (via a third party app – although I would imagine Facebook will be developing their own version), Google is also following similar lines of research.

Of course, the algorithm can’t know who you are…

… until someone helpfully tags you of course. At which point you can be identified in any image on Facebook and the wider internet.

Governments have access to this technology as well of course (biometric passports anyone?), and we have already seen moves to incorporate this sort of face tracking and recognition technology in the next generation of CCTV cameras allowing automated tracking of people throughout our cities.

Anyone considering wearing a mask or similar as an obvious countermeasure should take note of the wording of the “burka ban” law recently passed in Belgium… which does not specifically ban the burka, but rather bans any clothing that conceals the wearer’s identity. French and German MEPs are pushing for similar laws throughout the EU.

… first they came for the hoodies, then they came for the Muslims…

Question of ownership

I could easily be accused of being paranoid, but all this is perfectly possible and is an extrapolation of current trends. It also serves to underline two central problems; first, that information is collected and added about you regardless of what you do, and second, that this data is not considered to be yours - leading to unintended outcomes should the people holding the data change how they use it.

So much data is collected about you through the usage of online systems. Facebook in particular has extended this intelligence gathering capability out into the wider internet with its seemingly innocuous “like” button, or by secretly installing applications (which have full access to your profile) when you visit Facebook enabled websites (decidedly less innocuous).

Each bit of information gathered is fairly harmless on its own, but when aggregated over time presents an incredibly detailed picture of your life – online and offline.

This information is packaged and sold.

That this data doesn’t belong to the person it’s about – even if it is of a deeply personal nature – is, I think, a rather corrosive assumption. Unfortunately we see this assumption at work all over the place both in government and the private sector, and although I’ve focussed particularly on Facebook in this post, it is only one part of a much wider problem.

Question of control

Fundamentally if you don’t own your data, you can’t possibly control what is done with it. Privacy controls and the like are at best a comforting placebo.

For this reason, I am suspicious of “free” services as money must be being made somewhere, and if it is not a direct fee then where?

So how can you keep control?

This is actually a very hard problem, because the obvious solution – not using the services in the first place – increasingly handicaps you.

Facebook has made a push to become the social architecture of the web with their “like” button, which isn’t the end of the world. However, more and more sites are using Facebook, Twitter etc for logon, linking sites around the internet together and forming a more complete picture of your online habits.

If I want to use Microsoft’s online word processor Docs.com, my only option is to sign in with Facebook. Google docs needs a google account etc..

As Twitter, Facebook and Google etc all compete to be “You” on the internet you will see this kind of thing happening more and more.

Can I live without these services? Possibly. But what if a client uses them to share a specification document, can I refuse to view it? I guess it depends on how understanding your client is.

Is privacy dead?

Privacy is important, and anyone who says that “if you have nothing to hide, you have nothing to fear” should be encouraged to read Anne Frank’s diary.

However, we now live in a world where both online and offline we are encouraged to give away more and more of our private information. What information we don’t give away is obtained by monitoring our actions or provided by others – “Marcus was so wasted at Dave’s party last week, look here’s a picture of him passed out on the floor! LOL”

So much of this is out of your control, and what data is generated is not yours, but at the moment you still have a little wiggle room – if only because all these systems are still rather fragmented.

However, I believe that privacy is going to be one of the main societal battle grounds of the 21st century, and the first salvos have already been fired.

Privacy may not be quite dead yet, but it is certainly missing in action.

Image from ICanHasCheezburger

Open Sores pilot episode

Open sores is a podcast put together by myself and Ben Werdmuller about what grinds our gears in technology.

Discussed in this episode:

  • Digital Economy Bill and government procedure
  • Apple iPad & locked down platforms
  • Where now for the bedroom hackers?


(This is the pilot episode, and there may or may not be another one. It was recorded for our own amusement. Production values are low. Contains swearing and general nonsensical rambling.)

Multiple site support with MP’s Multisite Elgg

I have just Open Sourced an “itch scratching” project I’ve been hacking on for a little while. So, without much further ado, I’d like to introduce you to Marcus Povey’s Multisite Elgg!

It is currently in Beta and the code could do with a bit of a tidy, but this is Open Source so roll up your sleeves and get involved.

What is it?
Multisite Elgg allows you to run multiple separate Elgg sites off of the same install of the codebase, saving disk space and making administration a whole bunch easier.

Currently based around the latest Elgg 1.7 release, once installed adding new Elgg sites is a matter of clicking on a button and entering in some details.

What can I do with it?
You can do everything that you can do with Elgg, but with the ability to create new networks on demand. This will for example let you:

  • Set up your own version of Ning! What with Ning phasing out free accounts, it is my hope that Multisite Elgg will let a thousand more Nings bloom!
  • In your organisation or institution, easily set up Elgg sites for each department.
  • If you’re one of the Elgg hosting companies out there, you may want to look at multisite in order to simplify your work flow.
  • … etc…

Installation
Once you have downloaded the installation package you will need to do a few things in order to get up and running. Multisite Elgg assumes that you have some knowledge of how to set up and run a server – there is no wizard just yet!

  1. Unzip the package on your web server.
  2. Point your master domain at the contents of the install location on your web server. This is your master control domain, go here to configure your sites. Because of this you might want to consider putting this behind some further access restrictions.
  3. Point any sub domains to the contents of the docroot folder, eg (/var/multisite/docroot). This directory forms the base of all your Elgg installs. To make things even more automated you may want to consider making this an Apache wildcard domain, if your DNS provider supports it.
  4. Chmod 777 docroot/data: This is the default location for multisite domains.
  5. Install schema/multisite_mysql.sql: Create a new database on your Mysql server and install the Multisite schema – this is your master control database.
  6. Rename settings.example.php in docroot/elgg/engine/ to settings.php and configure:

    $CONFIG->multisite->dbuser = 'your username';
    $CONFIG->multisite->dbpass = 'password';
    $CONFIG->multisite->dbhost = 'host';

    Make sure this user has sufficient privileges to create and grant access to databases and tables on your server. This will allow the admin tool to create the databases for your hosted sites automatically.

  7. Visit your master domain and configure your admin user
  8. Begin configuring your sites!

Creating sites
Once you have created an admin user, adding sites is easy. Currently you can only create one type of site, but in the future Multisite Elgg will let you create sites which have quotas and other access restrictions.

You have a box to enter database details, or you can leave them blank to use the Multisite Elgg user defined above (which you may not want to do for security reasons).

You can also select which of the installed plugins you want to allow; this lets different sites have different plugins available while still installing them on the same codebase.

Contributing
So, that was a brief introduction to Multisite Elgg. I hope that at least some of you out there find it useful!

As I said before, it’s Open Source, so if you want to get involved here are the important details:

If you want to contribute patches, feel free to use the bug tracker or discussion forum!

Enjoy!

Digital Economy (#debill) passes, UK ceases to have one

Otto von Bismarck once said: “Laws are like sausages. It’s better not to see them being made.”

To my mind, few things could have illustrated this more clearly than yesterday’s vote on the Digital Economy bill, where – as the vote was finally called – the room quickly filled with MPs who had completely missed out on the debate of the last two days.

Faster than you could say “Stitch-up” or “Democratic deficit” the vote was overwhelmingly passed thanks to a reported 3 line whip and a back room deal with the Conservatives. Only the Liberal Democrats and one awesome Labour back bencher did the right thing.

It should be noted as well that the Labour back bencher in question was actively tweeting during the proceedings.

So that’s pretty much that. The bill as passed will pretty much regulate away the UK technology industry and provide a quick and cost effective mechanism to curtail free speech and governmental scrutiny, leaving only big business and a gagged population.

Someone much more cynical than me may suggest that this was the idea. After all, it is in both big business and government’s interest that you are unquestioning ignorant consumers – simple economic units that work, buy stuff and pay taxes.

So, with this and other laws worthy of East Germany making the UK feel less like a country and more like a cage, I and many others are left looking about for a free country to live in.

While I do that, I will just point out that Labour and the Conservatives are the same people – so please remember this when it comes to the ballot box.

2011 Census

On the 27th of March next year all UK households will be compelled by law to fill in a Census.

I admit that I get more worked up about this sort of thing than most people. The arrogant presumption that we are somehow state property, the compulsion to complete it & the sheer impertinence of the questions being asked are all things that stick in my craw.

With all else that’s going on – ID cards, mass surveillance, not to mention badly written laws made to put minority interests ahead of the citizenry – it seems that the census hasn’t yet appeared on the radar of most civil liberty campaigners.

However, as with previous years the number of questions has increased (34 in 1991, 41 in 2001). This year, there will be 56 questions prying into every aspect of your life.

Ostensibly a census is about resource allocation, but if that was the case the only question the government can legitimately ask is “How many people live in your house?“.

Gender is irrelevant as this is more or less going to be an even split. Birth rate isn’t going to suddenly shoot up so there’s also no need to ask about the number of children.

I’d argue that even this one question isn’t really required as any areas which have resource problems can be identified more readily (and I’d argue more accurately) by deriving the information from other sources – class sizes, waiting times at hospital etc.

Some of the questions being asked

Further details of the census can be found here.

Many of the questions being asked certainly do not have anything to do with resource allocation.

For the first time you will be compelled to disclose any other passports you may have. Also, if you’ve previously lived out of the country you will also have to say when you came into the country and for how long you intend to stay.

You will also be compelled to give the names and addresses of any guests you have staying over on the evening of the census, as well as their sex and date of birth – which has led some to call this the “Snooper’s census“.

Compulsion

You are required by law to answer these questions, and if you choose not to answer these questions – questions which in my opinion the government has no business asking – you will have committed a criminal offence and receive a stiff penalty.

Worse still, the contract for processing the data has been handed to the arms manufacturer and surveillance company Lockheed Martin, which has already raised some eyebrows.

Oxford Twestival today

Just a quick post to say that Oxford Twestival 2010 starts today at 7pm at the Living Room. A night of music and general merry making, all in aid of a good cause!

Barcamp Transparency is helping out as a sponsor, and it’s looking like it’s going to be a fantastic event.

There are still tickets available, so I hope to see you there.

Also today, I’m going to be on a panel session from 2pm talking about social media and internet technology in education and the 3rd sector.

Busy day!

#debill passed back to the commons

So, it would seem that despite firm opposition by the Liberal Democrats the utter abortion that is the Digital Economy bill has made it through the House of Lords and has been passed back to the Commons.

It is the government’s hope that MPs will not exercise their right to debate this bill further, and if the debate doesn’t happen the bill will be made law.

I can not express how bad this authoritarian and protectionist bill is or how much damage it will do to the UK economy.

It will increase the already disastrous brain drain, as well as losing any party which supports this bill the sizeable UK technical vote.

Please write to your MP now and ask that the bill is debated in full!

Image “closed” by Gill Holgate