<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Micheal's rantings, ravings, and general banter</title>
	<atom:link href="http://www.michealcottingham.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.michealcottingham.com/blog</link>
	<description>Just another useless blog</description>
	<pubDate>Thu, 04 Sep 2008 23:38:19 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
	<language>en</language>
			<item>
		<title>Facebook is being evil too</title>
		<link>http://www.michealcottingham.com/blog/2008/09/04/facebook-is-being-evil-too/</link>
		<comments>http://www.michealcottingham.com/blog/2008/09/04/facebook-is-being-evil-too/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 23:38:19 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Legal]]></category>

		<category><![CDATA[Personal]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=46</guid>
		<description><![CDATA[I just did a blog post about Google being evil. Well, Facebook is being evil too. Again.

First I&#8217;ll start off with this story, by the Washington Times. It is about how Facebook Ads Target You Where It Hurts. Rachel Beckman, the author, goes on to say how Facebook delivered targeted ads insisting that she had [...]]]></description>
			<content:encoded><![CDATA[<p>I just did a <a href="http://www.michealcottingham.com/blog/2008/09/03/google-is-being-evil-again/">blog post about Google being evil</a>. Well, Facebook is being evil too. Again.</p>
<p><span id="more-46"></span></p>
<p>First I&#8217;ll start off with this story, by the Washington Times. It is about how <a href="Facebook Ads Target You Where It Hurts">Facebook Ads Target You Where It Hurts</a>. Rachel Beckman, the author, goes on to say how Facebook delivered targeted ads insisting that she had a &#8220;muffin top&#8221; and she needed to lose weight. Needless to say, she was taken aback by this. I would be too. Facebook knows a lot about us, as she goes on to say, because we tell Facebook so much about our personal lives. Our age, our relationship status, our friends, our activities, and so on.</p>
<p>Facebook advertisers have no problem offending people it seems. Below are a series of ads showing in my profile.</p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-1.png"><img class="alignnone size-medium wp-image-48" title="Dating ad for True.com" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-1.png" alt="" width="152" height="210" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-2.png"><img class="alignnone size-medium wp-image-49" title="Another dating ad" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-2.png" alt="" width="152" height="199" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-3.png"><img class="alignnone size-medium wp-image-50" title="Another dating ad" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-3.png" alt="" width="152" height="199" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-4.png"><img class="alignnone size-medium wp-image-51" title="Some Facebook app for dating" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-4.png" alt="" width="151" height="186" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-5.png"><img class="alignnone size-medium wp-image-52" title="Yes I'm single, lonely, and old." src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-5.png" alt="" width="149" height="186" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-6.png"><img class="alignnone size-medium wp-image-53" title="Yeah, targeted ads alright" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-6.png" alt="" width="156" height="214" /></a></p>
<p><a href="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-7.png"><img class="alignnone size-medium wp-image-54" title="Another dating ad" src="http://www.michealcottingham.com/blog/wp-content/uploads/2008/09/facebook-hurts-7.png" alt="" width="152" height="188" /></a></p>
<p>As you can see, highly targeted ads. Facebook knows I&#8217;m single, knows I don&#8217;t want to be, and they laugh at me. They display painful ads. Yes, painful. Like rubbing salt in and pouring lemon juice in at the same time. As you can see from the 6th ad, they boast about their targeted ads. My complaint in the Thumbs down? &#8220;Other-Nice guys finish last.&#8221; Sometimes, depending on the ad, I&#8217;ll say &#8220;Other-100% guarantee that these girls will talk to me?&#8221; Why? Because I&#8217;m tired of having these ads shoved in my face. <em>Face</em>book, right?</p>
<p>So I&#8217;m going to go with a little experiment. I&#8217;m going to set my profile from &#8220;Single&#8221; to &#8220;Married.&#8221; No, I&#8217;m not actually married. But I&#8217;m getting tired of being painfully reminded that I&#8217;m not.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/09/04/facebook-is-being-evil-too/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Google is being evil again</title>
		<link>http://www.michealcottingham.com/blog/2008/09/03/google-is-being-evil-again/</link>
		<comments>http://www.michealcottingham.com/blog/2008/09/03/google-is-being-evil-again/#comments</comments>
		<pubDate>Wed, 03 Sep 2008 19:51:56 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Legal]]></category>

		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=43</guid>
		<description><![CDATA[Raise your hand if you downloaded Google&#8217;s Chrome browser. Now put it down before someone gives you funny looks.

Google recently released a new browser they call &#8220;Chrome.&#8221; It looks nice, has a decent set of features, but I for one am worried.
11. Content license from you
11.1 You retain copyright and any other rights you already [...]]]></description>
			<content:encoded><![CDATA[<p>Raise your hand if you downloaded Google&#8217;s Chrome browser. Now put it down before someone gives you funny looks.</p>
<p><span id="more-43"></span></p>
<p>Google recently released a new browser they call &#8220;Chrome.&#8221; It looks nice, has a decent set of features, but I for one am worried.</p>
<blockquote><p><strong>11. Content license from you</strong></p>
<p>11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.</p>
<p>11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.</p></blockquote>
<p>Why do they need to know what I post? Furthermore, someone viewing my site with Chrome gives Google permission to <em>modify</em> my content. <strong>My</strong> content. Not their content, not the content the user created, but my content. And you thought Google&#8217;s motto was &#8220;Don&#8217;t be evil?&#8221; Ha! They look at what you post, what you view (you know, that steamy message from your boyfriend/girlfriend/husband/wife?), and what other people post, who did not explicitly give Google permission to <em>steal</em> their content.</p>
<p>But it gets better. As <a href="http://www.microsoft-watch.com/content/web_services_browser/chrome_privacy_is_full_of_dents.html?kc=MWRSS02129TX1K0000535">Microsoft Watch pointed out</a>, Google specifically tracks you through a unique installation number. Why on earth does Google need a unique installation number? How does this help them achieve their goal of not being evil? Sounds like some people at Google need a good wallop upside their head.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/09/03/google-is-being-evil-again/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Is a site down and not sure it is you?</title>
		<link>http://www.michealcottingham.com/blog/2008/08/31/is-a-site-down-and-not-sure-it-is-you/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/31/is-a-site-down-and-not-sure-it-is-you/#comments</comments>
		<pubDate>Sun, 31 Aug 2008 19:15:25 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Personal]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=40</guid>
		<description><![CDATA[Here&#8217;s a new tool. If a site you are trying to visit is down and you are not sure if it is you/your ISP, or everybody, try this: http://downforeveryoneorjustme.com
]]></description>
			<content:encoded><![CDATA[<p>Here&#8217;s a new tool. If a site you are trying to visit is down and you are not sure if it is you/your ISP, or everybody, try this: <a href="http://downforeveryoneorjustme.com">http://downforeveryoneorjustme.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/31/is-a-site-down-and-not-sure-it-is-you/feed/</wfw:commentRss>
		</item>
		<item>
		<title>When people talk, listen</title>
		<link>http://www.michealcottingham.com/blog/2008/08/19/when-people-talk-listen/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/19/when-people-talk-listen/#comments</comments>
		<pubDate>Tue, 19 Aug 2008 19:55:06 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Personal]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=32</guid>
		<description><![CDATA[This has always been a pet peeve of mine. I don&#8217;t normally share much about myself openly to people, but when I do, I expect some semblance of respect and understanding. Talking down to me or treating the topic of discussion with disregard is not how you treat someone with respect. Especially if they are [...]]]></description>
			<content:encoded><![CDATA[<p>This has always been a pet peeve of mine. I don&#8217;t normally share much about myself openly to people, but when I do, I expect some semblance of respect and understanding. Talking down to me or treating the topic of discussion with disregard is not how you treat someone with respect. Especially if they are sharing frustrations &#8230;</p>
<p><span id="more-32"></span></p>
<p>I debated about sharing this story for a number of reasons. Firstly, it is still happening. Secondly, it could cause trouble for one or more parties involved and I have enough problems to deal with. And lastly, I&#8217;m just so tired of all these problems. But maybe, just maybe, someone can learn from my misfortune and avoid the same mistakes and problems.</p>
<p>So here it goes. As I hinted (okay, outright stated) in another post, I&#8217;m attending more than one college at the same time. Here&#8217;s why.</p>
<p>I graduated high school in June 2002. Yes, that puts me in the neighborhood of 23-25. I won&#8217;t tell you my age though. I feel old enough. <img src='http://www.michealcottingham.com/blog/wp-includes/images/smilies/icon_razz.gif' alt=':P' class='wp-smiley' /> I worked as an intern at a local company handling tech support, running network cables, some network security, and various other tasks that are meant for interns. In the fall, I grabbed myself another job at a company that was for outsourcing from other companies, the area hospital, and of course area residents that needed computer help. I was able to put some decent money in the bank while working those two jobs, and in December of that year, I applied at a local college. It was Baked Alaska getting in. (here&#8217;s hoping I start a new trend :P)</p>
<p>When I spoke to the advisers/counselors, I said that I was interested in computers, law enforcement, and I wanted to transfer to a 4 year school. I was put in the computer program. I started January of 2003. I went through, took some Criminal Justice courses, and was to graduate in the Spring of 2006 with an Associate&#8217;s Degree in the computer program that they offered.</p>
<p>Note I said was. That&#8217;s very important. I spoke to a college recruiter from another university in the hallway one day and was told I was in the wrong program to transfer. Wrong program?!? After talking to a couple of people in the counselor&#8217;s office, turns out that I was indeed in the wrong program. Why then, had I been put in the wrong program? After 3 years, interactions with faculty and staff, including the counselors, more than one dean, including the Dean of Instruction, my boss and coworkers, I had to hear from someone that didn&#8217;t work with the college that I was in the wrong program. I was devastated. I put all that work, time, and effort in to getting good grades (I made President&#8217;s List several times), only to find out it was more or less for naught. I ended up failing the last course I needed to complete the computer program that spring. I was later put in to the right program the following summer. However, I overloaded the courses and failed them all, except for one that I dropped out of. That was not a fun summer.</p>
<p>In the fall, I spoke to the Criminal Justice instructor, and he said that I could graduate from his program in two semesters, and transfer to a 4 year school. So I took classes that fall, did well, and took the last classes I needed for that program in the spring, only to find out part way through that no, it was the wrong program again. So the running tally right now is almost done with two Associate&#8217;s degrees, and started on a third. However, by this point, the General Studies program that was the correct program for me to be in so that I could transfer had another twist added to it. There was now a Criminal Justice-concentrated program. So now I have 4 degrees underway. I dropped the Criminal Justice courses as they were just a waste of my money and time. I then spoke with the 4 year school of my choice and was able to make a deal.</p>
<p>This deal was that if I took just 3 more classes, I would be accepted to the school. I was guaranteed admission as if I had my Associate degree, and much of what I had taken over the years would transfer. For those not following, this happened in the spring of 2007. So in the summer of 2007, I took two classes that I previously failed, and passed them with an A. Do you think that maybe, just maybe, this doesn&#8217;t have to do with difficulty, but rather extreme stress I was put under because people decided to withhold information from me? Turns out one of the counselors admitted to me that she knew I was in the wrong program and knowingly did not tell me. Thanks. Aside from the fact that this raises questions of competency (not that there weren&#8217;t before), thanks to this person and others, I have spent thousands of dollars in books and tuition that could have and should have been spent elsewhere.</p>
<p>Well, back to the story. As I said, I completed the two summer classes with an A in each. I then registered for one more class in the fall that year, and squeezed out a B for the final. I was on my way to a real school! You would think my problems ended here, but you would be wrong.</p>
<p>I got my papers and everything from the new college <em>days</em> before I was to be there. When I got there, I did not have classes registered because my ID was not set up yet. So I did not have an ID card, which meant no way of getting food, no way of getting in to my room, and various other complications. Fortunately I was given a temporary card so that I could get in to my room, and my parents gave me some money so I could eat. That was on a Sunday evening. Classes started Monday morning. So I walked all over campus getting lost (it isn&#8217;t a small campus, but not the biggest either, fortunately), managed to pick up a map of campus after getting lost once, and went to another part of campus to talk to my adviser to get registered for classes. Before continuing, it should be noted that I did not get to attend orientation or anything because of the way things worked out. In fact, I was so stressed, I didn&#8217;t eat anything until Wednesday night. So I get in to the classes, go along, and I&#8217;m not doing very well. I just don&#8217;t have the energy. I&#8217;m burned out, tired, stressed, angry, depressed, and come to find out, the problems from my old college followed me. I have to take various assessment tests and general education classes because I didn&#8217;t get an Associate&#8217;s degree.</p>
<p>As if I wasn&#8217;t under enough stress, I have to go back and take classes I have already taken at my old college because of problems they caused. Well, I was able to find a potential way out of this, and worked with the various offices at school to get it approved, or so I thought. Well, back to the spring semester. I continued to struggle to get past the lack of energy, anger, and stress, but I ended up failing 2 of the 3 classes I took that semester. My GPA bombed, and because I was a transfer student with 60 credit hours, I was booted out on my bum. That&#8217;s right, I was kicked out of school for an entire year. Once again, the problems caused by my old college plagued my life. Now, I&#8217;m not saying I&#8217;m not at fault too, because I should have done better, but the way I see it, I wouldn&#8217;t be in this situation had I not been under such intense stress trying to complete classes and fix the problems caused by my old school.</p>
<p>Well, I immediately filed for an appeal and thankfully I was granted readmission. Then I took the two summer classes at my old school to get closer to get not one, but two of the General Studies degrees. One standard, and one with a slight focus on Criminal Justice. If you are wanting to update your tally, at this point, I have 0 degrees, almost done with 4 Associate degrees, and not even halfway through a Bachelor of Science. I could take possibly 3 semesters at my old college and have all 4 degrees from there. However, back to the story. So I take the 2 classes this summer. One teacher hardly communicates with the students, posting assignments nobody knows anything about, and then goes for weeks without responding to emails. I&#8217;ll skip the rest of that and let you know I managed a B in each of the two courses. So when I call my new school to let them know about this, I get told that I shouldn&#8217;t have been approved to take the two courses because it didn&#8217;t result in an Associate&#8217;s degree. What!?!?! I specifically explained what I was doing and why when I applied for the approval to take these classes at my old school. So I re-explained for the xth time.</p>
<p>After a long and deafening pause, the person on the other end told me that I was in the clear after all. Well good. But let me back up a little. Because I was kicked out of school and readmitted, I was not eligible for financial aid or a loan. That&#8217;s right, apparently I can&#8217;t get certain types of <em>private</em> loans. I still don&#8217;t understand how this works. A private loan is one that has nothing to do with the federal government or its rules about maintaining a certain GPA. But apparently some do. After arguing with my financial aid office for a couple of weeks, I got that straight. For now.</p>
<p>And now I am in the present. The last conversation I had with the financial aid office was a few days ago. I still have no way to pay for this school year, but at least I get to go. So what does all of this have to do with my topic title? Well, when I&#8217;ve tried to explain this to a few people, they&#8217;ve rolled their eyes, told me that they spent 16 years in school, told me that Colonel Sanders was 64 when he came up with KFC, and various other things. These are not things you do and tell people who have been through the living nightmare that I&#8217;ve been through. I don&#8217;t care if you spent 16 years in school. I don&#8217;t care if Colonel Sanders got in to the restaurant business at age 64, these are my problems, not theirs. I am not anybody else but me. Unless you can sit there and tell me that you went through <em>exactly</em> what I went through, shut up and give me a little respect. It ticks me off that people treat me like this, after all I have gone through. Is it supposed to make me happy to know that I may not be able to support myself until I&#8217;m 64 years old? Is it supposed to make me happy that you switched majors however many times, causing you to spend more time in school, when I have not switched majors? People don&#8217;t understand. When someone speaks, you listen to them. Personally, I&#8217;m angry, embarrassed, stressed, and simply burned out. Most of the people I have spoken to seem to be unable to grasp that concept. This is not about you, Colonel Sanders, or anybody else. This is about me and what I have dealt with to get where I am now. I have been going to school non-stop since January of 2003 until now, which is August 2008. In fact, I can only think of one summer semester where I didn&#8217;t take classes.</p>
<p>I mentioned waaaaay up there that there might be something for you to learn from all of this. Well here it is. Don&#8217;t take anything your school tells you at face value. Get it in writing. In triplicate if you can. Verify, verify, verify. If you are told that you can do xyz, go behind that person and ask someone else. And another person, and keep going. Read the guidelines. Read what you have to do to transfer. Read the requirements for your program. Always, always, always have an exit strategy. This goes back to my education in both Computer Science and Law Enforcement, but you <em>must</em> have a way out. This exit strategy will not only help you, but will save what&#8217;s left of your sanity. If you have to, use what you got in writing to take the person in front of review boards. Fight for your rights. Don&#8217;t let anybody talk down to you. If they do, tell them that you don&#8217;t appreciate it and that they should give you more respect (but do it nicely, otherwise you won&#8217;t get the respect you deserve!).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/19/when-people-talk-listen/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The importance of NOT giving out PII</title>
		<link>http://www.michealcottingham.com/blog/2008/08/18/the-importance-of-not-giving-out-pii/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/18/the-importance-of-not-giving-out-pii/#comments</comments>
		<pubDate>Mon, 18 Aug 2008 18:07:33 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=31</guid>
		<description><![CDATA[After reading the title, I&#8217;m sure you are curious as to what PII is. Or maybe you know already and just want to get to the rest of the post. Either way, PII is short for Personally Identifiable Information. Things like your Social Security Number, email address, driver&#8217;s license number, and yes, even phone number [...]]]></description>
			<content:encoded><![CDATA[<p>After reading the title, I&#8217;m sure you are curious as to what PII is. Or maybe you know already and just want to get to the rest of the post. Either way, PII is short for Personally Identifiable Information. Things like your Social Security Number, email address, driver&#8217;s license number, and yes, even phone number all encompass PII. So what does this have to do with anything?</p>
<p><span id="more-31"></span></p>
<p>Some time ago, the CEO of Lifelock had his identity stolen. Remember those commercials where he put his Social Security Number on the side of a truck, saying how he was so confident in his company, that he was giving away his information? Well, his identity has been stolen at least once. That&#8217;s right, at least once.</p>
<p>According to the <a href="http://abcnews.go.com/Technology/WireStory?id=4907043">ABC News article</a>, the CEO has been waving his information in front of criminals for the past couple of years, making him a special target. If this happened months ago, why am I writing about it now?</p>
<p>Good question. This has been in a private &#8220;Ideas&#8221; post for some time now, and I&#8217;m just getting around to going through it. The other reason is that even though this is old news, it still presents a lesson to be learned. You <strong>must</strong> be careful where, when, and to whom you give your private information. Posting it on a TV commercial is not being careful. Remember the old adage &#8220;don&#8217;t talk to strangers?&#8221; Still holds true. People, even people who should know better, are forgetting this.</p>
<p>But this is not the only tale of ID Theft I have to tell. While taking online summer courses this past semester, one of the sites the class was to use was for taking quizzes and general classwork. The site did not make use of SSL, or Secure Sockets Layer, to encrypt the information going to and from their server. Not a big deal, you may say. And you&#8217;d be right, if the site in question didn&#8217;t ask for your student ID and/or your Social Security Number. Red flag! Why does a site like that need your SSN? Supposedly the site hooks in to software called Blackboard and according to this site, some schools still use your SSN as your identifier. Bad, bad, bad, bad, bad! This is not acceptable. Needless to say, I did not put that information in. Fortunately, my school doesn&#8217;t use your SSN as your identifier.</p>
<p>The fun doesn&#8217;t end here, no, there&#8217;s more of the tale to tell. Another school I attend (yes, I&#8217;m going to more than one college at once, maybe I&#8217;ll write a post about that later) has a Single Sign-on service. Not bad. It uses LDAP (I can&#8217;t tell you how I know this, or I might have to get MIB to erase your memory ;)), so various school-related websites and computers can verify your login information. For example, because I&#8217;m in the Computer Science program, I have access to both a Windows lab and a Linux lab, so you are able to log in to both with your ID because the school uses this SSO deal. Not bad at all. They even use SSL on your webmail, account management, and so on. All except one place. When you log in to the portal that Reslife has set up, they don&#8217;t use SSL, but you still log in with your SSO ID and password. Oh the fun. It doesn&#8217;t matter if SSL is used everywhere else, if one place doesn&#8217;t, that&#8217;s the chink in your armor and it will be game over if someone decides to exploit that vulnerability. Can I say it? Please? EPIC FAIL!</p>
<p>Lessons learned? Let&#8217;s start with not giving out your PII, even if you are the CEO of a credit monitoring service. I think it is a good idea to use a credit monitoring service, but it should go without saying, stay away from Lifelock. Then, if a website doesn&#8217;t use SSL and/or asks for more information than you feel comfortable giving, either leave the site (I didn&#8217;t have the option, obviously), or don&#8217;t put it in. Lastly, just because SSL is used in some places, that doesn&#8217;t mean you can ignore the rest.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/18/the-importance-of-not-giving-out-pii/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Sun needs to revise their update strategies</title>
		<link>http://www.michealcottingham.com/blog/2008/08/17/sun-needs-to-revise-their-update-strategies/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/17/sun-needs-to-revise-their-update-strategies/#comments</comments>
		<pubDate>Sun, 17 Aug 2008 14:36:37 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=30</guid>
		<description><![CDATA[As the creator of the Java programming language, Sun is responsible for maintaining updates to the language and the interpreter and compiler. However, their current update strategy leaves customers at risk even after they have updated.

As you may or may not be aware, Blackhat 2008 just happened. One of the things to come from that [...]]]></description>
			<content:encoded><![CDATA[<p>As the creator of the Java programming language, Sun is responsible for maintaining updates to the language and the interpreter and compiler. However, their current update strategy leaves customers at risk even after they have updated.</p>
<p><span id="more-30"></span></p>
<p>As you may or may not be aware, Blackhat 2008 just happened. One of the things to come from that conference was research dubbed &#8220;GIFAR.&#8221; For those who haven&#8217;t been following things, this basically masks a Java JAR file inside a GIF, JPEG, and a variety of other formats such as DOC. GIFs (and other image formats) are typically trusted by web applications, but following this attack, attackers can stuff in Java-based exploits, like the old <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2003-090514-4048-99">ByteVerify</a> and have users run the code in the context of the website the image-applet was uploaded to. This means they bypass the SOP, or Same Origin Policy. I discussed this in a <a href="http://www.michealcottingham.com/blog/2008/08/15/whats-same-origin-policy/">previous post</a>. Now attackers can use XSS, CSRF, and a variety of other fun things.</p>
<p>Let me be clear: This is a Java issue, and not a web application issue.</p>
<p>Now here comes the problem. Sun, for whatever reason, installs updates as new versions, meaning old versions are left behind. This has been done and known for quite some time, and I&#8217;m sure many a debate has started over this. This is just another nail in Sun&#8217;s coffin. Sun is going to be releasing a patch for this. It will be pushed out, and users will update eventually (the process leaves much to be desired, as I have somehow managed to skip a couple of versions in the past without being notified I was out-of-date). However, it is possible for the applet HTML tag to request an older version if it is on the system, bypassing completely the patch that Sun has released.</p>
<p>It could be argued that Sun does this for the enterprise (which Sun does, <a href="http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/version.html">apparently</a>). However, Sun needs to at least notify users that older versions were left behind and give them the opportunity to remove the older, more vulnerable versions. Most users don&#8217;t want the older versions on their systems, and don&#8217;t worry about breaking things.</p>
<p>How do I fix this, you ask? I was pointed to software called <a href="http://raproducts.org/javara.html">JavaRa</a>. After a brief run-through, the software seems to do its job of finding and removing old Java versions. It offers other functionality, such as finding updates to Java, and various advanced features. The update function didn&#8217;t seem to quite work for me, so I&#8217;ll play with it and see if I can find out why. I didn&#8217;t try the advanced features.</p>
<p>So that&#8217;s why I say Sun needs to revise their strategies. They aren&#8217;t doing their users any favors by leaving old versions behind where most users don&#8217;t know they are there. I even forget from time to time. Don&#8217;t worry, I do still uninstall old versions. <img src='http://www.michealcottingham.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> My point is though, something needs to change. ByteVerify is still affecting people, partly because of this problem of leaving old Java versions behind.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/17/sun-needs-to-revise-their-update-strategies/feed/</wfw:commentRss>
		</item>
		<item>
		<title>What&#8217;s Same Origin Policy?</title>
		<link>http://www.michealcottingham.com/blog/2008/08/15/whats-same-origin-policy/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/15/whats-same-origin-policy/#comments</comments>
		<pubDate>Fri, 15 Aug 2008 14:36:32 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=27</guid>
		<description><![CDATA[phpBB.com recently started a phpBB Blog and one of the posts is by a developer explaining some of the garbage reports they have to put up with.

In the post I&#8217;m talking about, the developer lists a few bogus reports and more than once mentions something called &#8220;same domain policy.&#8221; Another more common name for this [...]]]></description>
			<content:encoded><![CDATA[<p>phpBB.com recently started a <a href="http://www.phpbb.com/blog/">phpBB Blog</a> and one of the posts is by a developer explaining some of the garbage reports they have to put up with.</p>
<p><span id="more-27"></span></p>
<p>In the <a href="http://www.phpbb.com/blog/2008/07/06/exploits-from-the-trashcan-lets-put-them-back/">post I&#8217;m talking about</a>, the developer lists a few bogus reports and more than once mentions something called &#8220;same domain policy.&#8221; A more common name for this is <em>Same Origin Policy</em>. Basically what this means is that the browser executes code within a sandbox and if code tries to run outside the domain of the website, it gets flagged as not being of the same origin, and doesn&#8217;t get executed. Clear as mud? Yeah, I thought so. Let&#8217;s look at this a little differently then.</p>
<p>Note I did not say domain name, but domain. While you could technically say they are the same thing and be right most of the time, this time you are not. What I mean by domain is its other meaning. <img src='http://www.michealcottingham.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> Domain in this case not being math-related, but rather something similar. This being that the domain is restrictive.</p>
<p>So here is how it works. Let&#8217;s say I have JavaScript on me.example.com. Same Origin Policy would not allow it to escape me.example.com to, say, you.example.org, or me2.example.com, or me.example.com:8080. This distinction is important. SOP differentiates between me.example.com and me2.example.com as well as different ports. While they have the same domain name, they are different &#8220;hostnames.&#8221; However, I can set document.domain, and allow the JavaScript to escape <em>only</em> to .example.com. This means I could escape the SOP for my domain (this time referring to the name) to the root. Mozilla calls this hostname when you have me.example.com. I disagree with that, but it is an easy way to think of it.</p>
<p>Still confused? Try this. JavaScript on the hostname me.example.com is bound by the SOP and cannot talk to example.org. This is its sandbox. However, by setting document.domain, JavaScript on me.example.com can talk to me2.example.com, but not example.org. However, there are a few things that are exempt from the SOP. Mozilla has them listed:</p>
<blockquote><p>Set Location (but not location.host, etc.)<br />
History.go(), History.back(), etc.<br />
Document.write()<br />
Window and frame objects</p></blockquote>
<p>To wrap up, the Same Origin Policy is a measure to keep things inside a sandbox and prevent execution from places it doesn&#8217;t belong. It doesn&#8217;t have to be JavaScript, but can also be Java, Flash, and so on. If you want additional reading, try these sites:</p>
<p><a href="http://blog.sweetxml.org/2007/11/javascript-security-model-same-origin.html">http://blog.sweetxml.org/2007/11/javascript-security-model-same-origin.html</a></p>
<p><a href="http://www.kirkouimet.com/blog/2008/05/pseudo-ajax-circumventing-the-same-origin-policy-using-the-script-tag/">http://www.kirkouimet.com/blog/2008/05/pseudo-ajax-circumventing-the-same-origin-policy-using-the-script-tag/</a></p>
<p><a href="http://www.mozilla.org/projects/security/components/same-origin.html">http://www.mozilla.org/projects/security/components/same-origin.html</a></p>
<p><a href="http://www.mozilla.org/projects/security/components/sectalk/slide4.xml">http://www.mozilla.org/projects/security/components/sectalk/slide4.xml</a></p>
<p><a href="http://www.mozilla.org/projects/security/components/sectalk/slide5.xml">http://www.mozilla.org/projects/security/components/sectalk/slide5.xml</a></p>
<p><a href="http://en.wikipedia.org/wiki/Same_origin_policy">http://en.wikipedia.org/wiki/Same_origin_policy</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/15/whats-same-origin-policy/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Strong passwords? Not here.</title>
		<link>http://www.michealcottingham.com/blog/2008/08/04/strong-passwords-not-here/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/04/strong-passwords-not-here/#comments</comments>
		<pubDate>Mon, 04 Aug 2008 17:39:32 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=29</guid>
		<description><![CDATA[People hopefully know by now that having a strong password is a good thing. But even if you try to have a strong password, the website may not allow you to.

You heard correctly. The website you are visiting may not allow you to have a strong password. I&#8217;ll let you pick your jaw off the [...]]]></description>
			<content:encoded><![CDATA[<p>People hopefully know by now that having a strong password is a good thing. But even if you try to have a strong password, the website may not allow you to.</p>
<p><span id="more-29"></span></p>
<p>You heard correctly. The website you are visiting may not allow you to have a strong password. I&#8217;ll let you pick your jaw off the floor before continuing.</p>
<p>For argument&#8217;s sake, let&#8217;s say that a strong password is the following: ([a-zA-Z0-9-#$@]+)</p>
<p>That&#8217;s not the world&#8217;s best regex, but it works for this. What this does is it matches any lowercase or uppercase letter, number from 0-9, and the special characters &#8220;-&#8221;, &#8220;#&#8221;, &#8220;$&#8221;, and &#8220;@.&#8221; Now let&#8217;s say the max length of your decently strong password is only 7 characters long. So your super-cool password of &#8220;this-is-the-s0nG-Th4t-n3v3R-#nD@&#8221; would be invalid, not because it contains invalid characters, but because it is <em>too long</em>. Sad, but that&#8217;s what happens on a lot of websites.</p>
<p>Example 1:</p>
<blockquote><p>ERROR: The new password is too long. It can not be longer than 10 characters. Please fill out the form again and resubmit. - Removed for privacy</p></blockquote>
<p>Example 2:</p>
<blockquote><p>Minimum length is 6 characters. Enter a unique password containing only letters and numbers. - Sourceforge.net</p></blockquote>
<p>Normally you&#8217;d think people would encourage the use of longer passwords and passwords that contain special characters, like &#8220;!@#$%^&amp;*-_+&lt;&gt;.&#8221; No wonder people have problems creating stronger passwords, they aren&#8217;t allowed to!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/04/strong-passwords-not-here/feed/</wfw:commentRss>
		</item>
		<item>
		<title>There their lose loose its it&#8217;s</title>
		<link>http://www.michealcottingham.com/blog/2008/08/02/there-their-lose-loose-its-its/</link>
		<comments>http://www.michealcottingham.com/blog/2008/08/02/there-their-lose-loose-its-its/#comments</comments>
		<pubDate>Sat, 02 Aug 2008 14:20:32 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Personal]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=28</guid>
		<description><![CDATA[I recently came across a group on Facebook that encourages proper grammar. Great! Well, one of the admins of that group linked to her blog, so I decided to follow it, being the curious person that I am. There are some good posts, so check it out yourself. The post in question is here.

Now for [...]]]></description>
			<content:encoded><![CDATA[<p>I recently came across a group on Facebook that encourages proper grammar. Great! Well, one of the admins of that group linked to her blog, so I decided to follow it, being the curious person that I am. There are some good posts, so <a href="http://thankyoumaam.blogspot.com/">check it out yourself</a>. The post in question is <a href="http://thankyoumaam.blogspot.com/2008/07/oh-its-law.html">here</a>.</p>
<p><span id="more-28"></span></p>
<p>Now for the fun part. One of the comments on her blog made by a visitor made the mistake of confusing peaked and piqued. Yes, I realize it was actually the person who commented that made the mistake, but I like referring to inanimate objects as animate objects. For those who aren&#8217;t sure, piqued is used when you&#8217;ve raised someone&#8217;s interest, for example. &#8220;You piqued my curiosity.&#8221; Peaked on the other hand is suggesting reaching a plateau or reaching the end of something. &#8220;His energy levels peaked before he had to stop running.&#8221; It is a common mistake and not something that would really get me to dedicate a blog post, but this is on a blog that encourages proper grammar, and hopefully, proper spelling.</p>
<p>Now, let me say that I am by no means perfect and I make mistakes all the time. However, this time it just bugged me. So what&#8217;s with the subject, you ask? Mixing up words, of course!</p>
<p>Haven&#8217;t you ever seen someone use loose when describing someone losing something? &#8220;You can use this software without loosing your changes.&#8221; Or their in place of there? &#8220;Their, in the woods.&#8221; Or &#8220;There campfire went out.&#8221;</p>
<p>How about using the wrong it&#8217;s? Many people make the mistake of thinking that all apostrophes show possession. The English language is funny like that. There are words, like its, that show possession without the apostrophe. The problem? This is something learned in elementary school. Or should have been. Apostrophes also show, as I&#8217;ve explained before, contractions. It&#8217;s is actually it is. Its, however, shows possession. &#8220;Its tail came off to fool predators.&#8221;</p>
<p>Though not strictly related to this post, next is using me at the beginning of a sentence. I see this more amongst the British, but Americans do it too. &#8220;Me arm is hurting.&#8221; No! That&#8217;s wrong! The correct way to say it is &#8220;My arm is hurting.&#8221; Subject-verb agreement and all. Update: I was just informed by a friend in the UK that putting me in front of a sentence is no longer acceptable.</p>
<p>And lastly is mixing up first-person with third-person. I&#8217;m tossing this in because I didn&#8217;t think I could get a long enough post out of it by its lonesome. Facebook, Myspace, and others allow users to update status messages. These types of messages are always third-person. And yet, people quite often think they belong in first-person.</p>
<p>Let me explain. &#8220;Micheal is going to pick up his car this evening.&#8221; That&#8217;s third-person. I&#8217;m referring to myself as if I were a separate speaker. Sounds strange, I know, but that is what is happening. If someone else were talking about you, they would use the third-person to refer to you. However, I see something like this quite often. Too often. &#8220;Micheal is going to pick up my car this evening.&#8221; Does that even sound right? No it doesn&#8217;t.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/08/02/there-their-lose-loose-its-its/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Follow the bouncing WHOIS - Part IV</title>
		<link>http://www.michealcottingham.com/blog/2008/07/19/follow-the-bouncing-whois-part-iv/</link>
		<comments>http://www.michealcottingham.com/blog/2008/07/19/follow-the-bouncing-whois-part-iv/#comments</comments>
		<pubDate>Sat, 19 Jul 2008 20:06:53 +0000</pubDate>
		<dc:creator>Micheal</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michealcottingham.com/blog/?p=26</guid>
		<description><![CDATA[I know, you thought I was done. The scary part? I used publicly available information to do it. WHOIS data, search engines and a little bit of common sense were all that it took to unravel this web of deceit. Let this be a warning to users: If you feel uncomfortable about your webhost, it [...]]]></description>
			<content:encoded><![CDATA[<p>I know, you thought I was done. The scary part? I used publicly available information to do it. WHOIS data, search engines and a little bit of common sense were all that it took to unravel this web of deceit. Let this be a warning to users: If you feel uncomfortable about your webhost, it is probably for a good reason. The <a href="http://www.michealcottingham.com/blog/2008/07/13/follow-the-bouncing-whois-part-i/">previous</a> <a href="http://www.michealcottingham.com/blog/2008/07/13/follow-the-bouncing-whois-part-ii/">articles</a> <a href="http://www.michealcottingham.com/blog/2008/07/13/follow-the-bouncing-whois-part-iii/">uncovered</a> a lot of information.</p>
<p><span id="more-26"></span></p>
<p>fws1.com is another site I came across in my research.</p>
<p>Who.is: http://www.who.is/whois-com/ip-address/fws1.com/<br />
HTML check: http://www.websitehostingreviews.com<br />
Who.is: http://www.who.is/whois-com/ip-address/websitehostingreviews.com/</p>
<p>Bluefishhosting.com?</p>
<p>There&#8217;s more still, but I think you get the idea. Stay safe out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michealcottingham.com/blog/2008/07/19/follow-the-bouncing-whois-part-iv/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
