terriko

Tuesday's post on Geek Feminism entitled : "Quick Hit: Men, Medicine, and Meritocracy vs Affirmative Action" has some interesting discussion going on in the comments. The article is about how med schools in Canada are seeing more female applicants than male ones (and are accepting a lot of women) and some of the "stealth" affirmative action that's been taken to keep medicine from getting very disbalanced.

Wednesday's post on Web Insecurity is about firesheep. Nothing too insightful, just lauding the cleverness of it in a social hacking sense, and thinking, "why didn't we ever bother to build this in university?" (We did similar hacks for fun and education of our peers.)

Wednesday's CU-WISE blog post is on the subject of Dot Diva: The Webisode. (You can also see an extended version of the dot diva post on Geek Feminism.) We see a lot of outreach aimed at teaching girls computer science, but this is a project that tries to tackle the image of computer science. Their inspirations included the changed attitudes towards forensics thanks to shows like CSI. I'm torn because I found parts of the webisode awkward, but others fun, and I really think they've got some good brains and ideas behind this project.

Thursday's Web Insecurity post Why 12 year olds may be our best bug hunters is about this cool 12 year old boy named Alex Miller who collected on one of the Mozilla bug bounties. I always find adult reactions to smart kids can be a bit strange and sometimes condescending, so this is me musing on how the 12 year olds I've worked with are actually pretty awesome.

In non-blogging news, I'm working on some stuff about web standards vs attacks and vulnerabilities that I'll probably be posting privately soon for comments and ideas before I start putting together more comprehensive ideas for the IETF websec group. Their current discussion on dnssec irks me because it seems... mildly irrelevant to some of the real problems I assumed the group was destined to solve. I'm biased on the subject of DNSSec (see The Futility of DNSSec), but surely websec should be talking about more broad initiatives?

Crossposted from Web Insecurity. Please comment there if you want to comment!

I think twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here's a few things you can get a glance:

• I have a lot of real-life friends on twitter (and now you know many of them are)


• I'm a musician


• I work in security, technology and on open source software


• I'm speaking at an upcoming conference and have attended a variety of events


• My friend Leigh is stalking me ;)


• I live in Ottawa

Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!