In casual talks with employers and managers around the city the predominate feeling is that if an employee or potential employee has a blog, facebook, twitter stream, or any other online presence the it is the employers right to know. While no one would admit to actively hunting these resources out the reactions did indicate a certain “right to know” attitude. The reality is that some employers are doing extensive searches of current and potential employees online habits. A recent Deloitte survey found that 30% of employers were informally monitoring social networking sites for employee’s habits. People have even been dismissed for content they have posted online. A quick search for “Fired for blogging” will give you an easy dozen links to choose for with related stories.

Now on the flip side many employees will argue that their online actions are none of their employers business. According to the same Deloitte survey 53% of employees think that their social networking habits are none of their employers business. Even though over 70% understand it is easy to damage their employer’s reputation online. I think the reasons for this is quite obvious and do not warrant an in-depth discussion. Employees do not want to be held accountable at their employment for things they do off the company time. The basic social contract of mutual financial success, that is I perform a set of duties to assist the company in being profitable and am justly paid for those services, is the underlying principal of this. For many people the employee/employer relationship ends there and unless the employees external actions prevent or inhibit that process, what the employee does is their business.
So where do you stand? Where does the employee/employer relationship end? At what point do you feel the employer is overstepping its bounds of intruding into your personal life? Leave your comments below. I would love to hear from employers and employees alike on this.

Since then a new security risk has been discovered that exposes all you photographs to potential viewer though simple website address manipulation. Thanks to the work of Computer Engineering Graduate student Dave Churchill this simple exploit can allow anyone to view the full album of someone who is not on his or her friends list.

The conditions for doing this are quite simple. First, you need the address of a photograph in an album that belongs to someone who is not in your friends list. The easiest way to obtain this address is by viewing a photograph that has been tagged by someone you know. Make sure that photograph belongs in an album of someone you do not know and in an album you cannot view through standard navigation. This is necessary as it provides all the information necessary to make the hack easy and demonstrates that it indeed works.

At this point, the simple removal of a parameter in the address bar will expose all the photographs in that album. In this case the “&subj=123456789” portion of the address. If you remove that piece of data and hit enter and you now can view all the photographs in that album.

If this was an album of someone you did not know and as such would not be able to view otherwise, you have just bypassed Facebook’s lacking security with the preverbal Mac truck. I have tested this and found I was easily able to view full albums I otherwise would not have access to view.

This simple oversight in the development of the Facebook code is alarming. If this very trivial hack can be applied to albums what other hacks can be applied to expose further data. Since Facebook relies on cookies to track if you are logged in or not, this URL and many others are essentially open to the pubic.

How much longer will Facebook’s lack of security and questionable content policy be accepted? From the blanket user agreement that anything users post on Facebook is free for Facebook to reuse and even sell to others, to their substandard security. Facebook is facing mounting pressure to answer questions to how they use users information and how they protect that.

It is starting to look increasingly like Facebook is a wolf in sheep’s clothing.

See Dave’s original document here

According to CNet.com’s coverage of the outage Facebook had to address a problem that allowed some users to access what should have been inaccessible information. Some examples of that are other peoples inboxes and profile information. This was due to some of their proxy servers caching information and serving it up to other users. This problem brings into question the security behind massive user based sites like Facebook.

While this seems to be an isolated incident for Facebook, the idea that a large portion of our information may have been accessible to others is quite disturbing. For most, the information we store on Facebook or other sites is accessible though other means for those determined enough to get it. That said breaches in security though bad code or a hackers genius can potentially open up a massive database of information to spammers and identity thieves. Imagine a spammer gaining not only access to your email address but you list of preferences, information you messaged to others, and worse where you live! For those who trade in personal information Facebook is a goldmine. The results of them gaining access to your information is endless and starts with simple spamming and runs the gambit to identity theft.

This is just small mishap for the site and hopefully future breaches will be non-existent. No system is perfect though and as such, users of social networking sites like Facebook have to be aware of a few simple things.

• First thing: Remember the site if 100% voluntary. You do not have to share everything or anything for that matter. It does go against the idea of the site to have a blank profile, but to each their own. So be picky about what you do share. If you do not want people to know your read Harry Potter, do not share that information.
• Second thing: Learn how to use the privacy settings. Most social networking sites like: Hi5, Facebook, and Linkedin have privacy setting so you can restrict who can see and can not see your information. Facebook in particular even allows you set a limited profile so people on your friends list can see some but not all of your information, and even a block feature so a person cannot see anything you do on the site. Including posting to discussion groups, other people’s profiles etc.
• Thirdly: Unlike Email where a recent court decision in the US states that you have a reasonable expectation to privacy (more about this another time), you do not have that in these sites. Do not send personal information through these sites and I would go further to say even be careful with doing it in email unless you are using security technologies like PGP.

Follow these simple suggestions and for the most part, you should not have any trouble. Even if the site has a security failure and someone you do not want to have access to your information gains it you will not have much to worry about.

I recently attended the local theater to catch a flick where I was given a promotion card for 3 free music downloads from the Purtracks store. This is combined promotion from Hershey’s Chocolate, Coke, Empire Theaters, and Puretracks. The cards contain a serial number and a PIN number that you can use to redeem for the three songs. The problems started when I attempted to scratch the coating that is over the PIN number (much like a scratch and win ticket). As you can see in the image the coating did not remove easily and I ended up scratching the ink off the card, rendering the card useless. Not wanting to give up I decided to register for an account and see if I could decipher the numbers so I can get my 3 free songs.

The registration process was easy, simply provide the typical information; first name, last name, email, postal code, password, and a few check boxes for news letters. Once logged in to the music store I found that just about all the albums were available in WMA format only, and few were available in mp3 format. Knowing that WMA does not play well with Mac OS or any Linux/BDS variant this limits the customer base greatly. I would assume that any store would want the widest breadth of consumers possible.

Having surfed around and found 4 songs I like – I received a free song with registration – and added them to my cart and proceeded to the checkout. Attempting to decipher what numbers were I was ultimately unable to figure it out after several attempts. Having felt enough frustration in finding MP3 songs, knowing I could never use the service at home since I am a Mac user (you can not even view the website from a Mac), and the inability to redeem a coupon due to low quality printing, I decided to deactivate the account. Feeling that I would never likely return to the service as it does not fit my needs I clicked the “My Account” button. Searching high and low I could not find the deactivate account option. So now I am stuck with this Purtracks account, meaning they have my name and email with the potential to spam me in the future.

Once again I feel Purtracks has totally missed the boat on providing a quality service to its users. Using WMA, and the DRM contained within, limits the playability of the songs, restricting the access to even surf the store to Windows computers is unlikely to attract any attention from Mac or Linux users who might choose to use them. Finally, the inability to remove your information from their site is one of the largest privacy concerns I can think of and could be a violation of PIPIDA (Canada’s privacy laws). They can do much better.