Remember, it isn’t private, ever.

MegaphoneWhen using social media services, the biggest mistake folks make is to believe – even for a minute – that anything they say is private. That leads to embarrassment, possible employment termination, and lots of other consequences.

For example, many users believe that their Twitter direct messages are not shared with anyone but the recipient. That’s not necessarily the case.

When you DM someone on Twitter, the message can be seen by everyone who subscribes to their timeline if:

– There is an image attached to the DM – image services are not private, and will carry the text of the message as a caption to the image on the photo-sharing site.

– There’s a link or you use a tweet shortening service (like TwitLonger). This one burns people even more than the image services, as you may have a shortening service enabled for all tweets in a 3rd-Party Twitter product on your desktop or phone. links and other URL shorteners are also public, so links in tweets can become public very easily.

– They retweet it. Twitter will try to stop them from doing that, but there lots of ways around that.

– You accidentally replied instead of sending a DM. It’s easy to do, and you’d be surprised how many times it happens.

On Facebook, all the default security settings make nearly everything in your profile and posts public information. Even if you think your data is shielded, a change to profile information policies can flip things to public without warning – it’s already happened several times.

The same goes for Pinterest and other sharing sites. Even though you can try to keep everything private, the sites are designed from the ground up to share, and with one wrong click the world can see whatever you posted.

Just before this went to post, Eileen Brown posted an article that proves the point. Twitter is allowing 3rd-Party companies to mine historical data from their archive, which means that your tweets could be used by another company. While they don’t seem to want to expose DM’s, one poorly-coded script could make that happen.

So, use social media wisely. Remember that it’s supposed to be SOCIAL, and that sites and networks are designed to facilitate public communication. Even if you think something is private, there’s a good chance it’s not – or it may become public later.

Photo Credit: floeschie

Growl Comes Roaring Back

With Apple’s release of beta code for the upcoming OS X Mountain Lion release, one thing had many folks talking.

The Notification Center, a very popular component of iOS 5, will be coming to Mac desktops and laptops when Mountain Lion is released. This led many (myself included) to think about how Growl would be able to continue when the OS began to incorporate that functionality natively.

Growl – for those who haven’t seen it – is a notification app that runs on nearly every Mac. If you use applications that pop up notification windows to alert you of events, you’ve probably seen Growl in action. A few months ago, Growl went from a free application to a paid app, and suddenly a great number of people who never even knew it was on their machines became very aware of it. Having to pay for the new version will do that to folks.

For the most part, the switch to a paid app was accepted well by the general public. While it’s worth every penny of the US$1.99 they charge for it, that is because there isn’t another app that works as well, as seamlessly, and as integrated to the OS itself. Now, with Mountain Lion getting Notification Center, the folks behind Growl have a real fight on their hands.

To kick off the battle, Growl has posted a blog article showing all the ways that we’ll still need – or at least really want – Growl on the OS X platform.

The argument is pretty straightforward. The Notification Center platform will only cover apps bought from the Mac App Store, and will not have all the functionality of Growl itself.

That’s great, but there’s an issue that may still cause problems for Growl. More and more new Mac Users only know about the App Store for getting new software for their Mac. They rarely use non-App-Store-purchased packages, and therefore don’t need a 3rd-Party alert tool.

I think that Growl will continue to be a great application. For Mac users who get software from multiple sources, it’s still a vital app to have; and even if you only use the Mac App Store to buy software, there will be many apps that continue to stand by Growl.

With luck, Growl will indeed integrate into Notification Center, but continue to supply alerting and tracking to all apps on Macs.

Photo Credit: Ernst Vikne

Yep, I got hacked!

HatchetWell, that happened faster than I thought.

Yesterday, I spent quite a few hours rebuilding my blogs, as nearly all of them managed to get hacked. It was a porn-site redirection attack, inserting javascript into each and every PHP page in the WordPress system.

It started with one blog, but by midday, it had spread to three of my four sites. The site that got hit first was the newest one, so it was surprising that a site with very little traffic was indeed a target to someone out there.

While this issue is never fun to deal with, I expected it would happen at some point, and took the appropriate precautions. They saved my bacon.

Luckily, I have a few friends in the security world, who had armed me properly for how to identify and overcome an attack like this. They also had me prepare to block such attacks, but in this case the hacker found a way around the defenses. That’s not unusual, as new attacks are created every day, and tools like WordPress firewalls and exploit scanners only update so fast.

So, how do you prepare for a potential attack?

1 – Prep your site. Install plug-ins to ward off the more common attacks before they hit. The WordPress Firewall and Exploit Scanner can help quite a lot with this. Both tools were able to deflect quite a few attempts to access my sites before whoever got there yesterday found a back door.

2 – Know what’s on your site – always. There’s a great plugin called WordPress File Monitor that scans your files regularly to see if anything has changed, and alerts you by email when it finds anything that has changed. Sometimes, it gets annoying, but this time it let me know that all my WordPress files had changed at once. This was something that allowed me to address and fix the problem so much faster than I would have been able to do otherwise.

3 – Back everything up. There are plugins that can back up entire WordPress sites – with their content databases – to Amazon S3, DropBox, or your hard drive. Use them! If you do get attacked, you will have to restore from a backup, and so you better have one handy. I had been backing up, but a configuration error meant that many posts ware lost. I have copies, but that will take some time to restore manually.

Luckily for me, I saw the attack happen, confirmed it, and started cleaning up everything all within hours of the actual attack. That kept my readers safe and my headaches limited to the fact that I mis-configured my backup and lost some posts.

And if you do get hacked?

@Snipeyhead – a noted WordPress Security expert – has posted a great guide on what to do next. You can find it via this link. [Note, she does not pull punches, verbally or visually, so her site is very mildly NSFW] The article is a bit old, but the strategy is sound, well researched, and spot-on still today. Follow the process she shows in that post, and recover what got hit before your visitors get infected by drive-by downloads or you lose face due to defacing of your sites.

Remember, change ALL passwords, including the FTP/sFTP logins and your web host login. That’s in addition to the site logins, database logins/users, and any other security info you have on your site. If you can’t identify how you got hacked, then play it safe and change everything.

Now that everything is back online, I can say I weathered the storm. It can be MUCH worse, and it’s never fun, but you can indeed overcome attacks against your site quickly and effectively if you prepare ahead of time.

Photo Credit: neoliminal

Can you hear MP3 now?

This AM I downloaded the audio for the Republican Primary 2012 Debate from the 19th. Before anyone asks, I feel strongly about listening to ALL candidates before making any voting decisions.

The issue is that nearly every version of the audio and video I found has horribly low sound levels. On a PC, you’d use a 3rd-Party product to re-code the MP3 to a higher audio rate, lose a little bit of quality, but get a file you could hear clear sound on.

On a Mac, it’s actually easier!

Credit where it’s due, I found the basic instructions here on POI-Factory, but there were some hiccups along the way with iTunes 10.5.1 (the current version for Lion).

First, download the audio. You can get it from wherever you want, I found it on Ron Paul’s podcast. His Podcast team has been posting the audio from every debate within 24 hours, so very convenient; and I didn’t have to do anything quasi-legal like recording the YouTube version.

Next, load the audio that’s too low into iTunes. The easiest way is to just drag and drop the file from wherever you downloaded it right into a playlist. If the audio in question is a podcast, then you can just find the podcast episode in iTunes.

Right-click (CTRL-Click) the track in iTunes and go to “Get Info”

Go to the Options tab

Slide the Volume slider to the right to increase the volume level for just this track and hit OK.

This may take a little trial and error to find the right level for you, but iTunes will remember the level each time you hit OK.

By the way, the same trick works to LOWER the levels, should you ever download an audio file that has the levels set way too high.

Changing Default in OS X

I often check Replyz to give back to the Social Media community and answer questions folks have on a few topics that I have some knowledge of.

One of the frequent questions on using Mac OS is “how do I set the default application for a file type?” It’s actually pretty easy to accomplish this, all you need is a file of the type you want to assign an application to, and a mouse/trackpad.

irst, right-click (or secondary-tap) the file and choose “Get Info.” This will bring up the dialog box shown to the right. You may have to click the little arrows at the top-left of each section to expand that section out.

About half-way down the Info page, you can see an “Open With” section. This contains two objects, a drop-down list for choosing the app, and a “Change All…” button.

To select which application will open this file ONCE, just drop down the menu you see and choose one of the listed applications. This list contains all the installed apps that have registered as able to open that type of file. If the app you want is not on the list, choose either “App Store” or “Other” from the menu (they show up at the bottom of the drop-down list).

If you choose App Store, the Mac App Store opens for you to find and install a software package for this file type. If you choose Other, Finder opens to your Applications directory so you can choose an app you already have installed. Note that you may need to change the drop-down menu under the file view from “Recommended Applications” to “All Applications” in order to see all the apps you have installed.

The “Always open with” checkbox on this page applies ONLY to this one file, so leave it unchecked when you choose the app you want to use for ALL files of this type.

Once you select a file type, you can then click the “Change All…” button under the drop-down menu on the Info window, which will allow you to specify that ALL files of this type should use the selected application to open/view, from now on.

That’s it, from then on, any time you open a file of that type, it will open with the selected application!

Note that there are two instances where the default app will change. 1) you can manually change it again using the same method you just went through. 2) a newly installed application can take the file type over. Usually you get the ability to stop a new app from doing that during installation, but sometimes it happens automatically. If that happens, you will have to manually set the file type to open with your preferred program once more.

How Spammers Get Around CAPTCHA

I’ve written in the past about CAPTCHA, the technology that shows you a picture of a group of letters or words that you must type in before you can log in to some sites, or sign up for free services like Gmail. As annoying as CAPTCH is, the automated Turing Test has stood for several years as a standard way of ensuring that a real person is trying to access a service, instead of just some kind of automated system.

The problem is that spammers and scammers have found more an more ways to get around the CAPTCHA tests to ensure they have access to these systems just as easily as legitimate users do.

Initially, the bad guys just used sophisticated character recognition engines to look at the images digitally, and figure out what the letters or words were. This worked for a time, but then site owners started skewing the letters or adding in “noise” – dummy lines, dots and other static that made it more difficult for a scanning tool to figure out what was part of the CAPTCHA code and what was not.

So, spammers have taken a new route to getting around CAPTCHA. Since the codes are designed to only be human-readable, they’ve been employing humans to read them. Yup, that’s right, you can now hire someone to break CAPTCHA by solving thousands of codes a week for you to use to send spam. See this article for more information on such services.

Social Networking is no stranger to this problem, as thousands of fake blog comments, even entire blogs and RSS feeds full of fake information, are common. Spammers set up thousands of fake Twitter accounts to blast out spam, malware and fake gift certificates, only to create yet more new accounts as soon as the existing ones are flagged and banned. The same thing happens on Facebook, Windows Live and just about every other social network out there, as the spammers simply change their tactics and continue doing what they do, no matter how good the technology to stop them seems to be getting.

How do we stop this? Simple, make it economically inefficient to spam. Most of my readers already refuse to click links in email, or accept links/codes/certificates from anyone they don’t know on Twitter, G+, etc. Now we have to spread the message. Make sure everyone you work and play with knows that they shouldn’t accept offers, click links, or approve blog comments that come from anyone they don’t know. Those coming from people they know should even be suspect.

Set your blogs to require approval for all comments, and weed out the spam. Approve comments but remove URL’s if you’re not sure. If you see tons of spam comments in a blog, alert the author that they need to turn on approvals or they’ll lose a reader.

If you have the ability to flag posts as spam, do it. Same for Tweets, Posts and other social media sharing. Don’t be abusive or obnoxious about it, just flag them and move on.

Eventually, the cost of successfully spamming the world will become greater than the revenue generated by the spamming. Money talks, folks, and if it’s too expensive to make money by spam, people will stop spamming, but not until then.

In the meantime, ignoring links and flagging spam posts and comments will keep you safe from a lot of the malware running around out there.

Photo Credit: yandle

Get an Image

When you go online, visual experiences are some of the most powerful. Video speaks louder than audio alone. Blog postings with pictures tend to have a better impact on readers than text alone.

This holds true to your profiles as well. As you can see on my own home page, I have an icon image that I use for my online profiles. Mine was done for me by a web-comic artist (Woody Hearn of and wasn’t free, so not everyone will be able to have this kind of profile picture set up for them. That’s not to say you can’t have anything!

Even if you’re not paying for someone to make a profile picture for you, that’s no excuse for having the default “person” or “egg” icons that services like Twitter and Facebook provide. You need to change the default profile image to something that represents you, as soon as you can.

Now, this doesn’t mean you have to draw it yourself, or even use a real photo if you’re uncomfortable doing so. You just need to get something in there that is not the default icon that brands you as a new user.

For example, the image at the top of this post was created by John Kovalic (who writes Dork Tower, another online comic). He did it to show just how easy it is to create simple, but powerful user icons without a lot of technical expertise.

Here’s a few more of his icons – that he’s made available to anyone who wants to use them, free of charge:

With just a few clicks in some simple graphics programs (that you most likely already have free of charge on your PC or Mac) you can create a cute, funny icon that is clearly not the “default user” graphic.

So why don’t you want the default icon?

1 – it brands you as a “newbie” – a person who just started and has no clue what they’re doing. Even if that’s true, you probably don’t want the world to know that if you can avoid it =)

2 – It’s unprofessional. If you’re using Social Media for your job, the last thing you want is others discounting your opinion because you didn’t change the default user icon.

3 – Spammers use the defaults. Spammers create dozens of spam accounts at once, therefore they tend to not even bother to change the icon (after all, the accounts are going to get blocked pretty quickly). If you keep the default icons, many folks will instantly suspect you of being a spammer.

So get an image! Build it, buy it, or borrow it (make sure you have permission to do so, though).

Photo Credit: John Kovalic

Why You Should Not Auto-DM on Follow

I’m noticing more and more of this lately, and figure it’ll make a good topic for my first “Do’s and Don’ts” column.

Many folks – even those who have been working with Social Media for a good amount of time – will DM every new follower on Twitter with a message. Usually it’s a “thank you” with a request to follow them on other networks.

I’m very much against this for a few reasons:

1 – Twitter is about public conversation and social sharing. Yes, there are some times you need to DM a person. Usually it’s to give out an email address or phone number or some other information you don’t want the world seeing. Links to your Facebook profile and fan page are *not* private information.

2 – It’s annoying. Most of us get DM’s on our mobile phones or via email in addition to our Twitter clients. That means that I’ve got alerts going off to tell me that you’re looking for me to follow you on Facebook.

3 – It’s useless. The vast majority of people I know will specifically NOT follow you anywhere else, and many will immediately un-follow you on Twitter, for doing this. In other words, you’ve done the exact opposite of what you were trying to do with the DM.

Now, this isn’t to say you shouldn’t say hi to your followers. You absolutely should! But do it with an @Reply instead of a DM. This allows more than just your new followers to find you on other networks, and opens a public conversation, instead of a private message.

You’ll note that if you try to send the same message (e.g. “Thanks, follow me here and here and here, too!”) to dozens of people, Twitter will stop you. They’ll attempt to keep you from posting the identical message to multiple people, and lock you out as a spammer if you keep trying.

So, if it’s not acceptable to send a message to each person in an @Reply, why would you do it in DM’s, where you’re being annoying in addition to getting flagged as a spammer?

Talk to your followers, share that someone followed you with your network, share your other networks with your Twitter followers. Just reserve DM’s for their intended purpose – sending one person information that you don’t want the entire world to hear.

Photo Credit: brainware3000

Linux is coming to Azure

Well, Microsoft has been busy while we were all enjoying the holidays!

For those who aren’t in the know about Windows Azure, that’s the name that Microsoft has given to its nascent Cloud platform. Right now, the only publicly available components are SQL Azure and Azure Storage, which host SQL databases and cloud-based data storage, respectively.

Over the last couple of weeks, however, Redmond has announced that the upcoming Azure VM Role will support many other applications that can run in a Windows 2008 R2 Virtual Machine – which was expected – and also Linux Virtual Machines. This last bit was quite unexpected to many, but a welcome holiday gift from Microsoft.

Mary Jo Foley broke the news, and has a great write-up of the potential Azure VM structures, in her article from January 2nd.

Azure is going head to head with major cloud service providers like Amazon (AWS, EC2, etc.) and RackSpace; so offering Linux capabilities is a welcome move. Without Linux support, Azure was risking becoming a niche platform that would only be useful for basic Windows operations and Microsoft SQL databases.

Azure VM will be based on the Windows Hyper-V technology platform, extending that platform into the cloud. Today, Hyper-V and Hyper-V Server are slowly gaining ground in the corporate datacenter, but have not fared well against the major players like VMware. Since most cloud rollouts will be net-new implementations, Microsoft has a much better chance of becoming a large fish in a small pond by rolling out a solid Infrastructure as a Service (Iaas) platform with the Azure VM initiative, joining the Application as a Service and Database as a Service platforms already in Azure.

Now, there’s no official release date for the Azure VM Role, but it is in beta as I write this, so it does look like it will be launching at some point this year. How much of an impact Microsoft makes in the Cloud world is still to be seen. But, with the addition of multiple OS support, Azure just took one giant leap toward becoming a major player in the cloud space.