Archive for July, 2007

Links for 2007-07-09

Monday, July 9th, 2007

Links for 2007-07-08

Sunday, July 8th, 2007

Something’s phishy? There may be more than money at stake…

Saturday, July 7th, 2007

The term “phishing” refers to the malicious practice of trying to extract sensitive information (such as passwords) from users. Compared to numerous other Internet-related terms, “phishing” is one of the least understood ones among users. I have found this in my work as have others in theirs. Of course, it may be that people understand the concept of phishing without knowing that it is called that. It is difficult to do large-scale data collection using more elaborate methods, but I implemented some related questions on a survey recently taken by over one hundred students who were randomly sampled from a diverse group. (See the end of this post for details about the data set.)

In the context of a larger study, I showed participants three hypothetical emails and offered several options for how they might proceed (respondents could check off several actions such as “delete it”, “ignore it”, “forward to tech support with a question”, etc.). When shown an email that looked very much like the one that comes from the IT department of the university (one that would not be hard to replicate by someone with malicious intent) over half of respondents said they would “follow the instructions outlined in the email”, which included going to a Web site and entering their username and password. Even more students said that they would “click on the links in the message and follow the instructions on those pages”. Less than 15 percent checked off the option of contacting tech support with a question or reporting the email as abuse. And in the open-ended field where respondents could explain what else they might do, only one student described actions that suggested the potential problem with the email. This among the generation that is supposedly savvy about digital media. See my forthcoming paper on The Role of Expertise in Navigating Links of Influence for more on this (especially pp. 12-19).

When I talk to my students (at a different school than where the above study was conducted) about online privacy and security issues, and ask them about the potential implications, the usual response is about financial concerns: credit card numbers stolen, money lost. However, as I try to remind them several times throughout the course, financial issues are not the only ones at stake when managing one’s identity and actions online. For example, in the realm of health and politics one can easily come up with examples of cases where third parties should not have access to our information.

And then there is reputation. I have noticed some troubling incidents on Flickr recently and wanted to write a post about these experiences to remind people about the importance of being vigilant. Don’t stop reading just because you are not a Flickr user, by the way. These same issues could occur on lots of other sites as well.

Flickr is a photo-sharing community site where people post photos and often comment on others’ images. These comments sometimes include cute little awards that let you add your photo to an invitation-only group or whatnot. Recently, I received such a comment on one of my photos and clicked on the link included within it. This led me to a login screen seemingly still within Flickr. The people behind that site did a very good job replicating Flickr. You had to be very conscious of your actions not to proceed and follow what you were being instructed to do, namely, enter your Yahoo!/Flickr username and password.

Lucky for me, I did realize that there was something phishy going on here. I was already logged into Flickr so this login request did not make sense to me. I checked the location bar of the browser, and as expected, it did not say flickr.com/etc. Then I did a search for phishing on Flickr groups and confirmed that this was not something I wanted to pursue. Others had encountered similar issues and had already reported them so hopefully the admins were aware.

So what could one do with the username and password of Flickr users who were not as cautious or who simply did not realize what might be going on? First, one’s Flickr username and password are the same as one’s Yahoo! ID and password, so they allow access to one’s email account and all other associated services, none of which is desirable. Within Flickr itself, they allow the malicious user to post comments on others’ photos using the account.

And that is precisely what I experienced this morning. Click here for a screen shot of a picture I posted and the comment that followed immediately after. Note that this comment came from someone who is not on my contacts list and whose account I had never seen as far as I recall. The comment on my photo of a Dublin door reads:

Hi,

Someone at RAMCON said you sell nude images of children on flickr(loldee etc..) and i was just wondering(if this is true) then how much do you charge and what payment methods you accept?

Thanks.

There is a very minimal chance that someone from a paid account would leave such a message publicly on a photo.

Searching on Flickr, I see that others are experiencing the same issue with the exact same message, but using different people’s accounts. This can be really damaging to the person whose account is used for such messages especially if this person does not realize or does not understand what is going on. Already several people have reported the person participating in that discussion thread accusing him of having left at least three such messages.

So I thought a reminder was in order: before entering your username and password anywhere, be sure to check that you are on the Web site you think you are on. Look at the address of the Web site in the browser, and if it is not the one you expected, then beware.
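The address check described above, written out as an added example (not part of the original post): it parses a URL the way a browser does and reports whether the host really belongs to the expected site. The expected domain `flickr.com` follows the post; the function names and every sample URL are constructed for illustration.

```javascript
// Added example; every URL below is a constructed sample, not taken from the post.

// True when host is the expected domain itself or a genuine subdomain of it.
function hostBelongsTo(host, expectedDomain) {
  const h = host.replace(/\.$/, "");        // ignore a trailing root dot
  const d = expectedDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns "ok" or a short reason the page should not receive a password.
function checkLoginUrl(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl);                  // WHATWG parser, the rules browsers use
  } catch (e) {
    return "unparseable";
  }
  const host = url.hostname;                // lowercased; excludes userinfo and port
  if (hostBelongsTo(host, expectedDomain)) {
    return url.protocol === "https:" ? "ok" : "not https";
  }
  // The expected name can appear in the address without being the site:
  if (url.username.includes(expectedDomain)) {
    return "expected name is only before the @";
  }
  if (host.includes(expectedDomain)) {
    return "expected name is not the end of the host";
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return "internationalized lookalike host";
  }
  return "different host";
}

const samples = [
  "https://www.flickr.com/signin",
  "http://www.flickr.com/signin",
  "https://www.flickr.com@login.example/signin",
  "https://www.flickr.com.photos-login.example/signin",
  "https://fl\u0456ckr.com/signin",         // Cyrillic i (U+0456) in place of "i"
  "https://flickr-awards.example/signin",
];
for (const s of samples) {
  console.log(checkLoginUrl(s, "flickr.com").padEnd(42), s);
}
```

The part of the address that decides who receives the password is the end of the host name, just before the first single slash; the expected name appearing anywhere else in the address proves nothing.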

[*] Details about the data set: In February-March, we administered a paper-pencil survey to students in the one class at the University of Illinois, Chicago (UIC) that is required of all students thus posing no selection bias as to who was in the sampling frame from the university. UIC is one of the most ethnically diverse research university campuses in the US. We have a 98% response rate of the 85 course sections, and an 82% response rate of all students enrolled in the class. The survey data about understanding the term “phishing” represents the responses of 1,236 participants. We used stratified sampling (on gender and user skill) for the follow-up observational study (March-May, 2007) that also included a short additional survey. We achieved a 58% response rate on that portion of the study with 103 students participating.

Thanks to the MacArthur Foundation for supporting this work.

Links for 2007-07-07

Saturday, July 7th, 2007

Links for 2007-07-06

Friday, July 6th, 2007

How quickly fire spreads

Thursday, July 5th, 2007

Before I get evacuated (not a completely crazy idea with the sheriff right outside my office), I thought I’d post just how quickly fire can spread depending on the circumstances.



I realize those are not on the same scale, but the surrounding trees should help identify the areas. Understand that I was just trying to do some work this afternoon and then headed out periodically to take some pictures. I didn’t set up shop for a sequence.

The distance between the fire and the nearest road is quite big so eventually the firetrucks just had to head up on the hill. By the time I finished taking photos that entire patch was dark although it looked like the flames had subsided. Of course, that’s just the part I can see, chances are there is lots of action invisible to me from here.

Now I’m going to try to get back to work, helicopters notwithstanding.

Apple’s iRack

Thursday, July 5th, 2007

Invitations to GrandCentral

Thursday, July 5th, 2007

[UPDATE: I’ve given out the invites I could so this offer no longer stands.]

If you’d like an invitation to GrandCentral, let me know. It assumes you’re okay with giving Google your phone number, which is a big if. But if you are then let me know. I have a few to give out, not a lot though so first come first served.

Oh, what is GrandCentral? It’s a service that lets you give out a phone number that you can then control much better than your direct numbers by filtering and selectively forwarding based on the caller. It’s similar to creating filters for various emails depending on sender.

I’ve used a similar service before for a research project and it worked well. GrandCentral was recently acquired by Google and they’re presumably revamping it a bit. There are, however, other such services out there if you prefer a site that is, for now, independent.

UPDATE: I will only send invites to people who send me an email from an address that has both last name and first name and preferably some Web site. You know my name, you know info about me and what I’m offering here would link us in the eyes of Google. I won’t do that if I have nothing to go on.

Links for 2007-07-05

Thursday, July 5th, 2007

Links for 2007-07-04

Wednesday, July 4th, 2007

Links for 2007-07-03

Tuesday, July 3rd, 2007

No Caption Needed

Monday, July 2nd, 2007

The link in my previous post is thanks to a new blog: No Caption Needed. It is both a book and a blog by my colleague Bob Hariman at Northwestern and his collaborator John Louis Lucaites at Indiana. This undertaking is “dedicated to discussion of the role that photojournalism and other visual practices play in a vital democratic society. No caption needed, but many are provided. . . .” The blog just started recently, but already offers all sorts of interesting images and commentary.

Now for something different…

Monday, July 2nd, 2007

Wow.

Try it here.

I should probably add this:
Time sink!

Links for 2007-07-02

Monday, July 2nd, 2007

Links for 2007-07-01

Sunday, July 1st, 2007