Sophos Cloud Optix
Every day we seem to warn the readers of the Naked Security site about the danger of rogue applications and unknown parties gaining access to your social networking accounts.
Scam apps claim – amongst other things – that you can find out who your top 10 stalkers are on Facebook, or how many hours you’ve spent on Twitter, or claim to offer up a video of a girl commiting suicide on her webcam.
The cybercriminals’ intention is to gain access to your social networking account, so that the can spread their links virally, and drive even more traffic to their money-making schemes.
And so you would think people would be wary of allowing a third-party app, which doesn’t explain its intentions and doesn’t explain who’s behind it, from gaining access to their Facebook or Twitter account.
But that’s exactly what thousands of people seem to be doing right now with Connect.me.
Thousands sign-up for Connect.me without knowing what it is
A new service called Connect.me is posting messages from Facebook and Twitter accounts saying:
Reserve your connect.me username [LINK]
If you follow the link and try to reserve your connect.me name, you’re encouraged to link the connect.me service with your Twitter, Facebook or LinkedIn account:
And yet, oddly, no-one seems to know what Connect.me is. Not that that stopped some of them from signing up anyway.
Even Connect.me is declining to give away much information, describing itself as a “better way to manage your social connections” but admitting that it’s unable to share any more information as it’s currently in “ninja stealth mode”.
Has Connect.me given you any reasons to trust it?
My question is this. Why should I trust these guys and grant them permission to post to my Twitter or Facebook pages? I don’t even know what their product is supposed to be!
And yet, thousands of folks appear to be signing-up without a second thought.
A little digging around reveals that a guy called Joe Johnston with a friendly beard is probably the brains behind Connect.me.
But facial hair and a friendly smile is not enough to convince me that I should hand over the keys to my Twitter and Facebook account. Chances are that Connect.me may have no bad intentions, and that Joe is a nice chap, but I am extremely uncomfortable with the willingness of people to join a service which potentially exposes their social networking accounts when they have no idea what it is they’re signing up for.
If you’re on Twitter and want to learn more about threats, be sure to follow Naked Security’s team of writers. Meanwhile, Facebook users would be wise to join the Sophos Facebook page, where we give early warning about new threats.
Update: The controversy continues. Connect.me has responded to this article. See what Connect.me had to say, and let us have your opinion.
Could it be a planned new social networking site which is aiming to take over from facebook / twitter? Signing up like this would make it easier to migrate to a new social networking site. It would also allow a mass campaign when everyone's profile would simultaneously post messages about the great new site.
If it offered better privacy – such as the ability to to control on an app by app basis on who sees posts made by that app, I'd consider moving.
But like you say until we know for sure, it's not worth the risk. Maybe they are worried Facebook or Twitter will stop them before they can launch their idea.
Graham – your general point is very well taken. People are way too willing to allow apps access to their data, the data of their friends & the ability to post on their behalf.
IN THIS CASE however, Joe is absolutely the real deal. A true champion of our digital rights. Perhaps with a bit more Googling, you could have seen that for yourself, rather than trigger un-necessary alarm and question his name publicly in this instance. I hope and trust you tried to make contact with him before posting this. He is not at all hard to contact.
I agree that he probably should have anticipated posts such as yours and provided a little more detail himself – in advance. I've emailed him about your post and i'm sure he'll show up here one's he's up and about CA time.
Thanks for the comment.
Like I said, chances are that the website has good intentions and that Joe is a nice chap.
The point is that people are signing up without thinking about what they are doing – as they have no information of what they are signing up for, and how they are allowing their social networking accounts to connect with an unknown third party service.
I'm not saying that this third party service is good or bad (like the rest of the planet, I have no way of telling) – but users' behaviour in this instance leaves much to be desired and illustrates just how easy it is for rogue applications to spread.
Why should we trust your word on it any more than his? I DID Google it and know no more than I did 10 minutes ago except that he thinks he can kill me for knowing what the hell he’s doing.
Let him f**king try.
He isn’t saying “don’t ever sign up for this service”, he’s saying “don’t sign up for this service, or any service, until you know what it’s doing with your information.” There’s no reason one cannot wait a little until we all know what Connect.me does.
As connect.me pointed out to us, the bit on the site which said "we're in ninja stealth mode so we can't say anything about ourselves or we'd have to kill you" (or words to that effect) has now been removed.
I agree with you. The "if I tell you I'll have to kill you" joke wasn't funny when Tom Cruise said it in Top Gun, and it's gone downhill in the 25 years since. As an official statement in a company's "About" comments, appearing close to the bit about how important privacy and control are, it was odiously out of place.
Anyway, it's gone now.
For fun, see: http://tvtropes.org/pmwiki/pmwiki.php/Main/ptitle…
Yes…I am reading some of this info. and all I have been trying to find out is "How do you know who visits your profile" People are posting that to facebook. I do not know if that is a scam, but the "police security" is going to know? There is no app for this as far as I know, but you have to sign up, and purchase by the month…what is your take
The "Check out who's been viewing your profile" messages on Facebook are scams. There have been many different incarnations.
Here's one article where we've written about them: http://nakedsecurity.sophos.com/2010/11/26/can-yo…
I felt the same way about Quora. If I'm presented with a page that asks me to register and log in with no obvious link to let me check out the functionality of your site, I'm suspicious. If I dig around, it's on every other page — why not on the homepage?
Maybe you have invented the greatest thing since sliced bread, but it seems more likely that it's a ploy to claim higher subscription numbers than you're worthy of. And if that's what you're doing, I refuse to be counted.
So many websites have no functionality to delete your account once they are opened, and I have to think claiming a subscriber base is part of it. I have no doubt that Facebook hides the link to delete your account for this very reason.
If you're the real deal, act like it instead of manipulating people's curiosity. Be transparent. And if you're a user, refuse to be manipulated.
Posting a comment here to ask about the aforementioned regaling of my account keys by allowing connect.me earlier, has entailed ironically handing the keys to my Twitter account to IntenseDebate by Automatic. #potkettle?
You can comment as a guest on the Naked Security site (and many people do), which means that you don't have to associate a Twitter or Facebook or WordPress or IntenseDebate account with your comments.
Of course, some people choose to login via one of those services (which can mean they can get a snazzy avatar and some other benefits).
But at least IntenseDebate is pretty transparent about what it is…
If you don't like the web app, why even complain because you can just easily say no and not signup or allow them to see your information. The internet is like the streets of a bad neighborhood. You might or might not be mugged or robbed. In real life, anyone with the common sense would say no and stay away from that neighborhood. The same with the internet, be smart and stay away from something you consider dangerous. It's that simple! But it's your choice to do it or not, so complaining or warning people with said accusations will just make them do what you're asking them not to do. I have a strong opinion on this but judging a book by its cover isn't right. So I could go either way with this article but for the moment I'll do the smart thing and wait until they release more info.
Actually, the internet isn't much like the streets at all. Real-world analogies involving roads almost always get you into trouble – as soon as you make them, you're stuck with issues like, "Should we have internet driving licences? Precise regulation by public servants? Toll roads? Congestion charges? Should we have left-turn-on-red by default, or not?"
As for judging book by its cover – in this case, there IS only a cover. So you must judge by that. You can only ask "About connect.me" on the main page, and that tells you that "We believe privacy, control, and portability are requirements, not features."
The key words here – privacy and control – are coloured red to make them look both important and clickable. Apparently, however, to this site they are neither.
Incidentally, you agree with Graham – his point was not to judge too early, but to wait until you have enough info, a useful caution which thousands seem to have abandoned in this case…so much for encouraging this behaviour by warning about it 🙂
I agree with what you are saying, but that pointless sarcasm at the end threw me back. lol just kidding. I can rant sometimes to where it feels like I’m running off subject, so please don’t take that in a bad way. My question is though, why not leave a situation like this run its course to where it could fail our succeed? My point is, the website looks official in a way but seriously needs more attention to information. In other cases websites that are scams look crude and far out from being what they are actually preaching. So, confidentiality is up to the user who clicks on the share button or gives out their email address. It’s a dog eat dog world, trying to stop it with making attention to it won’t fight the fire. In the aspect of Facebook, only they can try to stop scams via their web service. The same goes out to Google, and MySpace, and maybe even your own personal site. You just can’t bring the warning to the user, because the user will go back and ruin the message that’s out there to help them. The way to stop this process of scamming is to go to the source!
But there are some scams, most notably some of the banking phishes, that look completely legit. The point is that users need to replace the old heuristic in their head that just because a site or an e-mail looks slick means it is good and safe. Simple appearances can go a long way towards lending people credibility and authority, whether or not they deserve it. Con men often invest in nice clothes. FakeAV companies often create professional looking "products."
We need to be asking: do I know who is (really) asking for the information, and do I trust them for good reason?
Where's this guy's CV? What have the principals done in the past (details, please). Where are his references? The decision to give data or credentials over to a website should be like a job interview. If the person comes highly recommended from a trusted other, fine. If not, can he really do the job?
Connect.me is also manipulating one of our biggest weaknesses by employing the scarcity principle (get your name before it's too late!).
Personally, I'm a late adopter, so I wait for these trusted others to put their word in. I don't jump on every bandwagon that rolls by offering the latest and greatest, especially when I am so obviously being pressured to do so.
I don't know why everyone is getting their panties in a twist, this article makes a very valid point.
You are handing over access to one (or all) of your social networks with no knowledge of what it is doing with said account (bar spamming a link to itself everywhere). Very rash if you ask me.
Calm down people
You do make a good point, and I will admit to being one of those who rushed out to signup. I find my mentality is that there are so many new social apps out there that I want to get in on the ground floor. As you can see with platforms like Twitter, usernames are at a premium, so acquiring a desired username on the next up and coming service is something that appeals to me.
From my perspective, a premium domain name, good layout and typography, connect.me passed the sniff test for me.
Whatever it is, it's pretty sad that so many people are signing up for it and allowing it access to their FB and Twitter accounts. But that's how the majority of social network users are for now. Maybe in 10 years the majority will be naturally practicing safe computing.. but until then we'll continue to see tinyurl links and MUST SEE NOW facebook pages on a daily basis.
Very valid point – too bad i signed up just before reading this article. It did cross my mind, but i thought: i'll do it with my twitter account. I use it all the time to post links and article of interest, but there is nothing really private about it – whereas my facebook account is. So i signed up with twitter, feeling it's public data anyway. Am i being naive?
Not sure if this privacy policy was already there yesterday – I had to scroll down to find it. Anyway – I think it addresses your concerns.
http://connect.me/co/privacy
Who cares? A privacy policy is only as good as the people/company who stand behind it. Anybody can buy a domain name and publish any old crap; it doesn't have to be true.
This post opened my eyes! Thanks!
Looked a bit deeper myself – legit group IMHO; ironically focused on the VRM / consumer privacy segment and working on a formal rollout at SXSW – more here http://www.equalsdrummond.name/?p=418
Now that all being said Grahams point about ppl giving away their info and account access blindly – he's right, it's not the right way for consumers to act, but they do it. BTW, they did comment about Grahams article in their post too so, yes, social media is working very nicely today.
Joe, Drummond, Dean & Marc – let's see what this baby has under the hood…
It's all explained here folks: http://www.equalsdrummond.name/?p=418
I used LinkedIn then quickly killed its access on the LinkedIn Account Settings page for Application Access : https://www.linkedin.com/secure/settings?userAgre…
Suprisingly, I didn’t see this link come up when I did a Google search. Maybe it’ll help others…
Valid point by author for non-savvy Internet users.
Take a look at incliq.com if you're worried about connect.me or Facebook in regards to online privacy. It's a peer-to-peer social network that never transmits or stores your data on their servers.
This begs the question: and who the hell are you?
I mean, really, did you read the post or the comments thereon? You have no privacy policy either, and there's no name associated with your service that anyone can go have a look at. No press releases, no PR, no reviews, no nothing.
Methinks you're next in line for a blog post calling you out. Assuming you're big enough to bother. . .
@rolfvb – clear as mud. I think it is absolutely shocking that nothing more than a blog post, a presentation at #sxsw and a “nice guy” twitter feed at @simple 10 has 10,000 people signing up to give access – Graham’s point is absolutely correct and that is users should not be handing out access to their account until they know what the service is actually doing that they are handing the information over to.
But by now I should know better…
The fact that people give up identifying data and access to their social grid is certainly a concern, especially if you don’t know who it is or what they are doing. I know the people at connect.me and they have very high integrity and are actually doing something that could be useful in navigating the social web. They are establishing a social vouching and discovery infrastructure across all major social networks. The product is still in beta but you can find out more at http://connect.me
Gary Rowe http://garyjrowe.com
I like connect.me because it allows me to "touch" and organize and see how many VCs, founders and startups are following me. @simple10
I joined Connect.me after it was recommended by someone I trust. Ironically, that is what Connect.me is all about… credentialing people through first-hand knowledge.
Graham makes a good point, though. I haven't taken my social identity as seriously as I should. As a social media explorer, I have to try out these sites. From now on I am going to use my junk account to take my first steps.
Thanks, Graham, for waking me up. (I'm still a fan of Connect.me though).