Internet Addiction: Real Problem or Much Ado about Nothing?

Last week, Reuters ran a story about the “growing problem of Internet addiction” that was picked up by CNN and other major news outlets. You can read that article here.

It quickly spawned follow-ups, such as AP’s survey the next day showing that half of workers who use the Internet at work would rather give up their morning coffee than lose their Web surfing privileges. That one’s here.

It’s not a new issue; concerns over “Internet addiction” have been in the news intermittently since the early 90s, when commercial ISPs started offering access to the public at affordable prices. The specter of a generation hooked on getting their computer “fix” has been the subject of a few sci-fi books and movies.

“Addiction” is a popular buzzword these days: in addition to drug and alcohol addicts, we now have gambling addicts and sex addicts. Those who overeat are food addicts; those who spend too much money are shopping addicts, those who lose their tempers are anger addicts. Back in the olden days, before newspeak took over the language, addiction was a very real medical condition. People who are addicted to opiates or alcohol or nicotine or even caffeine go through measurable, painful, sometimes life-threatening physical withdrawal symptoms.

Obsessive or compulsive behavior does not equal addiction. Simply engaging in an activity “too much” does not make one an addict. Yet we have doctors like the one quoted in the Reuters article – people who are supposed to be trained in the difference between physiological and psychological manifestations – saying that the Internet may promote “addictive behaviors.”

Why the rush to label all undesirable behavior as a disease? My theory is that doing so benefits both doctor and “patient.” If the person engaging in the behavior can pass it off as a disease or addiction, that relieves him/her of the responsibility for changing that behavior. The addict can’t just quit cold turkey; that’s too hard. He/she needs help. Enter the doctors who cater to these pseudo addicts. If it’s a disease, their services are required – at a hefty price, of course. We all expect “healthcare” services to cost a bundle. And of course, if we can get it officially recognized as a disease, maybe the insurance companies will pay for it.

I guess you can tell I’m not too impressed with the whole “Internet addiction” crisis. Sure, some people spend way too much time online. Some folks might say I’m one of them. I make my living writing, mostly for online publications, so I’m at the computer between six and ten hours a day. I have dozens of friends with whom I’ve been communicating online on a daily or weekly basis for over a decade, some of whom I still haven’t ever met in person. Even for keeping in touch with my “real world” friends and family, most of the time I prefer to zap off an email rather than picking up the phone (and thus risking bothering someone in the middle of something).

But am I “addicted?” I don’t think so. If I have to be in a place where there’s no Internet access, I miss the convenience of being “connected” but I don’t break out in sweats or get excruciating headaches or start to shake uncontrollably. Far from interfering with my “real life,” the Internet has enabled me to participate more fully in it – I find out about community events and neighborhood meetings that I probably wouldn’t attend otherwise, I obtain consulting gigs and speaking engagements. My cousins and I had drifted out of touch for years until everyone got Internet access; now we keep each other apprised of what’s going on in our lives and coordinate, via email, monthly lunch get-togethers.

Sure, the Internet can be used for nefarious purposes, too. There are predators who hang out in chatrooms to look for victims. There are also predators who hang out in parks for that purpose. The CNN article implies that the Internet causes divorces. Doesn’t it seem more likely that the people who engage in “online sexually compulsive behaviors” probably aren’t/weren’t models of marital fidelity offline, either? Ah, but it’s so much more convenient to be able to protest that “the Internet made me do it.”

The article paints a dire picture: sleep deprived addicts suffering from dry eyes and carpal tunnel syndrome who get “cybershakes,” characterized by typing motions of the fingers when not at the computer. It’s enough to make you want to go out and pass a Constitutional amendment enacting a new Prohibition, this one on Internet Service Providers. I can just imagine the black market that would spring up, with shifty-eyed techies standing on street corners, offering surreptitious connections to underground wireless networks for cash.

What the addiction proponents seem to ignore is the difference between addiction and habituation. Hanging out on the ‘Net can become a habit that’s hard to break. So can watching TV, playing the guitar, or talking on the phone. Are those addictions, too? Will we soon be seeing meetings of Unlimited Minutes Anonymous? Hmmm … one might even say those who feel compelled to label any and everything an addiction are Addiction addicts.

Tell me what you think. Am I way off base here? Am I just an Internet addict who’s deep in denial?

Or is the issue being hyped by both misguided helper types and those who stand to profit from turning excessive ‘Net surfing into a dire disease?

Do you know anyone who suffers from “cybershakes”? Do you get withdrawal symptoms if you’re deprived of your monitor and keyboard? Is the Internet damaging your real world relationships, destroying your marriage, turning you into a compulsive cybersex fiend? 

Deb Shinder

Sunbelt TechTips for the week of May 22

How to automatically close non-responding programs
It can get old: a program hangs and stops responding, and you open up the Task Manager and click End Program (sometimes several times before the uncooperative program finally shuts down). Why not just have Windows close programs that quit responding so you won’t have to? You can do it with a registry tweak. As usual, we recommend that you back up the registry before making any changes. Here are the steps:

  1. In your favorite registry editor, navigate to the following key:
    HKEY_CURRENT_USER\Control Panel\Desktop
  2. In the right pane, right click the entry AutoEndTasks.
  3. Select Modify.
  4. In the Value Data field, change the value to 1.
  5. Click OK, and close the registry editor.

If you want to change Windows back to the default behavior (not closing unresponsive programs), just repeat the process and change the value back to 0. You’ll need to restart the system for the change to take effect.

Some add-ons aren’t listed in the IE Add-on Manager
Internet Explorer with XP Service Pack 2 includes an Add-on management tool that lets you easily disable and enable browser add-ons, but you may find that some of the add-ons you know are installed don’t appear in the list when you open the Manage Add-ons dialog box. This can happen because a flag was set in the registry during installation of the add-on that prevents it from being managed this way. There’s a fix available that you can download from Microsoft. See KB article 888240 for a link to the download and more info.

“Delayed Write Failed” error message
If you get an error message that says “Delayed Write Failed” when you try to save or move files in Windows XP, this can be caused by the configuration of your hard disk controller and a feature that enables write caching on the disk. You may need to change a setting in your system BIOS and/or turn off the “enable write caching on the disk” feature. For instructions on how to do so, see KB article 330174.

Incorrect battery information on laptop computer
If the total battery power remaining and other information displayed on the power meter tab is incorrect after you resume from a suspended or hibernated state on your portable computer, or the computer stays in low battery hibernation mode even though the battery is fully charged, it may be because you replaced the battery with one of a higher or lower capacity after putting the computer in suspension or hibernation. There is a hotfix for the problem, but Microsoft recommends that you wait for the next service pack unless you have a special need to correct it. You can read more about how to get the fix in KB article 889816.

The making of a Ninja

 

Today, we officially announced our new Ninja Messaging Security product for Microsoft Exchange.  It’s a pretty significant milestone for us, as we’ve been working on this product for over two years, with a considerable financial investment for a company of our size.

In fact, it’s one of the most impressive products I’ve been involved in during my 20–odd year career in the high tech arena. I don’t say that lightly, either.

The story of Ninja started after we shipped our spam filter for Microsoft Exchange, iHateSpam Server.  It did well in the market, but we really felt that the whole messaging security space could be looked at differently. After all, what’s the most critical protection point for security in an enterprise?  Email. 

To give you some background, the email security space is dominated by the major vendors, like Symantec, McAfee and Trend.  Then, there are the players like Sybari (now owned by Microsoft) and GFI, and then the hosted security solutions like Postini.

However, none of the existing solutions work perfectly for managing email security in an organization.  None of them present a truly comprehensive solution.  Most don’t provide a layered approach, where you have multiple scanning engines and security checks that an email has to go through before being passed on to the user.  Some are downright cumbersome to use. And most are quite expensive.

Let’s further dissect the key problems with email security:

1. Lack of comprehensive solutions:  You may buy an antivirus program from one of the big security vendors to stop email-borne viruses. But will it also do a good job of stopping spam and malicious attachments, provide content filtering and content auditing, as well as handle your other needs like corporate-wide disclaimers?  No:  You will have to buy multiple solutions for a hodge-podge approach. 

Why is this bad?  Well, one key issue is security.  With multiple products running to handle your email security needs, you have multiple patch points.  Another key issue is  learning.  You have to keep up on multiple different products, with their own methods of operations, their own quirks.   Reporting isn’t pulled together for all modules. And then there’s cost.  It just costs more to have dedicated solutions for each problem you’re trying to solve.

2. Lack of policy-based solutions.  All security solutions should be policy based, but most aren’t.  This simply means that you can establish one set of security policies for one group or person, and another set of policies for a different group.  For example, let’s say that you want some people in the company to be allowed certain attachments, but others, no attachments at all. You would simply create a custom policy for each group of people. 

3. Reliance on one vendor.  Relying on one antivirus company to stop viruses through email is asking for trouble.  In fact, I would call it dangerous.  As we’ve seen on this blog in the past, antivirus companies are in constant catch-up, trying to keep up with the latest outbreaks.  If they’re a few hours late with one virus, it could mean absolute havoc for your company.   So one AV filter for email might work for the home user, but to an organization, it’s an incredibly dangerous approach.  It’s like relying on only one lock on your front door, in tenement housing in a bad part of Manhattan. You’re going to get robbed.

4. Touch-and-go quality.  Quality is all over the place in messaging security.  Let’s look at attachments as one example.  Did you know that the most common way that people bypass attachment filters is to rename the file extension?  So you could have someone sending in an .exe file into an organization, but by simply renaming the file to a .txt extension, it blows by most attachment filters.

Or, take content filtering.  With most solutions, you can’t filter content inside the organization.  You can only filter content that is going in or out of the company.  So Billy Bob who sends around endless joke emails inside the company, wasting time and creating potential security risks with stupid links, is actually completely ignored by most content filters.

In answering these problems with email security, our solution was to do the following:

1. Create a framework.  We created a framework in which best-of-breed security plug-ins could be inserted.  Ninja is basically a large security interface to Microsoft Exchange, and the plug-ins do the work.  We ship three plug-ins with the product:  Spam, antivirus and attachment filtering. More, such as content filtering and auditing, will be added in the coming months.  

2. Make it policy based.  Ninja is policy based from the ground up (with the one exception of antivirus, where you must filter all email with one policy).  You can create endless policies to specifically tailor the application to your own organization’s needs.

3. Create plug-ins with a layered approach.  Both Ninja’s antivirus and antispam plug-ins use multiple scanning engines.  For antivirus, we use BitDefender and Authentium.  For spam, we include Cloudmark’s antispam engine along with our own home-brewed engine.  These are all included in the cost of the product.

4. Improve the quality of security.  Our attachment filter actually looks inside many types of attachments, so you can’t fool it by renaming the extension, and it can look at all attachments — inbound, outbound or internally within the company.  And so on.  Everything in Ninja is just world-class quality.

5. Make it free or insanely cheap.  One of Ninja’s hottest features, the intelligent attachment filtering, is free.  You can download it today, and have the best attachment filtering in the business at absolutely no cost to your organization.  And the rest of Ninja is very aggressively priced. 

Ok, so now I’ve said my piece.  If you’re an Exchange administrator, take a look, let me know what you think.  

More corporate propaganda here.

 

Alex Eckelberry
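
The renamed-extension bypass described in the post above, and the fix of looking inside the attachment, can be shown with a content check that ignores the file name. This is an added example, not Sunbelt's Ninja code; the signature table, the extension policy, the size limits and the sample files are all constructed for illustration.

```python
import io
import os
import zipfile

MAX_DEPTH = 2                        # archive levels we are willing to unpack
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # never inflate more than this per member
MAX_MEMBERS = 200

# Leading-byte signatures for a few common attachment formats.
SIGNATURES = [
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.msi
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
]
# Content kinds each extension may legitimately carry (illustrative policy).
EXPECTED = {
    ".exe": {"pe-executable"}, ".dll": {"pe-executable"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".pdf": {"pdf"},
    ".png": {"png"}, ".jpg": {"jpeg"}, ".gif": {"gif"},
    ".txt": {"text"},
}
BLOCKED_KINDS = {"pe-executable", "elf-executable"}


def is_pe(data):
    """True for a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[offset:offset + 4] == b"PE\x00\x00"


def sniff(data):
    """Classify content from its bytes only; the file name is never consulted."""
    if is_pe(data):
        return "pe-executable"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if all(b >= 0x20 or b in (9, 10, 13) for b in data[:4096]):
        return "text"
    return "unknown"


def inspect(name, data, prefix="", depth=0):
    """Return (label, reason) findings for one attachment and anything inside it."""
    label = prefix + name
    kind = sniff(data)
    findings = []
    if kind in BLOCKED_KINDS:
        findings.append((label, "executable-content"))
    allowed = EXPECTED.get(os.path.splitext(name)[1].lower())
    if allowed is not None and kind not in allowed:
        findings.append((label, "extension-mismatch"))
    if kind == "zip":
        findings += inspect_zip(label, data, depth)
    return findings


def inspect_zip(label, data, depth):
    """Apply the same checks to every archive member, with hard limits."""
    if depth >= MAX_DEPTH:
        return [(label, "archive-too-deep")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "corrupt-archive")]
    findings = []
    with archive:
        members = archive.infolist()
        if len(members) > MAX_MEMBERS:
            return [(label, "too-many-members")]
        for info in members:
            member_label = label + "!" + info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted: contents cannot be checked
                findings.append((member_label, "encrypted-member"))
                continue
            with archive.open(info) as member:
                body = member.read(MAX_MEMBER_BYTES + 1)
            if len(body) > MAX_MEMBER_BYTES:
                findings.append((member_label, "member-too-large"))
                continue
            findings += inspect(info.filename, body, label + "!", depth + 1)
    return findings


def build_samples():
    """Constructed attachments: a minimal PE header renamed .txt, a real text
    file, and a zip that hides the same PE header behind a .jpg name."""
    pe = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("cat.jpg", pe)
        archive.writestr("readme.txt", "holiday photos\n")
    return {"invoice.txt": pe, "notes.txt": b"meeting at 10\n",
            "photos.zip": buf.getvalue()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, inspect(name, data) or "clean")
```

An extension-only filter would pass all three sample files; the content check flags the renamed executable both as a bare attachment and inside the archive.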

AT&T secret rooms

Former AT&T technician Mark Klein’s statement about the company’s alleged collusion with the NSA has been under seal in a San Francisco courthouse as part of EFF’s lawsuit against AT&T.

Wired just released the statement.

In San Francisco the “secret room” is Room 641A at 611 Folsom Street, the site of a large SBC phone building, three floors of which are occupied by AT&T. High speed fiber optic circuits come in on the 8th floor and run down to the 7th floor where they connect to routers for AT&T’s WorldNet service, part of the latter’s vital “Common Backbone.” In order to snoop on these circuits, a special cabinet was installed and cabled to the “secret room” on the 6th floor to monitor the information going through the circuits. (The location code of the cabinet is 070177.04, which denotes the 7th floor, aisle 177 and bay 04.) The “secret room” itself is roughly 24-by-48 feet, containing perhaps a dozen cabinets including such equipment as Sun servers and two Juniper routers, plus an industrial-size air conditioner.

Link here.

Alex Eckelberry
(Hat tip to the indefatigable Ferg.)

EFF v. AT&T

25 million socials stolen?

VA official takes a bunch of discs home with 25 million social security numbers. They get stolen.

WASHINGTON – Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Link here.

Alex Eckelberry
(Thanks Catherine!)

Ohio University — pwned

A break-in that lasted over a year.

In a disclosure that hasn’t been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.

Link here.

Alex Eckelberry

Program Provides GUI Front-end For Microsoft’s HFNetChk

System administrators use the command-line program HFNetChk to audit a list of service packs and hotfixes installed in Windows computers.

A new program gives admins all the commands for the app in a GUI. SearchWinSystems has more here.  I just took a quick look and it’s a very basic but quick way to run HFNetChk on systems.

Alex Eckelberry
(Hat tip to Stu)

Word exploit

Pretty interesting… 

“Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system).  The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed.  After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document.  As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file.  If the user agrees, the new “clean” file is opened without incident.” They are working with Microsoft on this.

“We are still analyzing the trojan dropped by the exploit.  What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP.  It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute.  It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”.  Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the far east; specifically, China and Taiwan.  IP’s seen are registered there, domains seen are registered there, and the emails received originated from a server in that region.  The attackers appear to be aware that they have been “outed”, and have been routinely changing the IP address associated with the URL above.

Link here via F-Secure.

Alex Eckelberry
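
The beacon described in the quoted analysis (zero-byte HTTP POSTs about once a minute) can be hunted in proxy logs by behaviour rather than by hostname, which matters because the operators keep moving the address. This is an added example, not code from the original report; the log layout, the thresholds and the sample lines (hosts under .example) are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy log. Assumed layout, one request per line:
#   epoch_seconds  client_ip  method  host  request_body_bytes
SAMPLE_LOG = """\
# constructed sample, not real traffic
1000 10.0.0.23 POST beacon.example 0
1003 10.0.0.41 GET news.example 0
1005 10.0.0.41 POST forms.example 0
1010 10.0.0.41 POST forms.example 0
1061 10.0.0.23 POST beacon.example 0
1075 10.0.0.41 POST forms.example 512
1119 10.0.0.23 POST beacon.example 0
1180 10.0.0.23 POST beacon.example 0
1241 10.0.0.23 POST beacon.example 0
1300 10.0.0.23 POST beacon.example 0
1362 10.0.0.23 POST beacon.example 0
1400 10.0.0.41 POST forms.example 0
1420 10.0.0.41 POST forms.example 0
2900 10.0.0.41 POST forms.example 0
"""


def parse(line):
    """Split one log line; returns None for comments and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        ts, client, method, host, sent = line.split()
        return float(ts), client, method.upper(), host, int(sent)
    except ValueError:
        return None


def find_beacons(lines, min_events=5, max_jitter=0.2, min_regular=0.8):
    """Flag (client, host) pairs that send empty POSTs at a steady interval.

    A pair is reported when it has at least min_events zero-byte POSTs and
    at least min_regular of the gaps between them fall within max_jitter
    (as a fraction) of the median gap.
    """
    series = defaultdict(list)
    for line in lines:
        record = parse(line)
        if record is None:
            continue
        ts, client, method, host, sent = record
        if method == "POST" and sent == 0:
            series[(client, host)].append(ts)

    hits = []
    for (client, host), times in sorted(series.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        steady = sum(abs(gap - period) <= max_jitter * period for gap in gaps)
        if steady / len(gaps) >= min_regular:
            hits.append({"client": client, "host": host,
                         "period": round(period), "events": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

The second client in the sample also sends empty POSTs, but at irregular intervals, so it is not reported.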

The attack of Iskorpitx — biggest in history

Turk hacks thousands of websites in one day.

Yesterday the Turkish cracker going by the handle “Iskorpitx”, successfully hacked 21,549 websites in one shot and defaced (on a secondary page) all of them with a message showing the Turkish flag (with AtaTurk face on it) and reporting:

“HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR

More here, and stats here, both via Ferg.  And check out the Google search here for “Iskorpitx” — lots of hits, although not all are related to this attack (Thanks Richard).  

Alex Eckelberry

Ok, the house deserves a rake, but a rootkit?

Online poker site Checkraised accidentally ships trojan/rootkit thingie in the payload of a rake calculator (“rake” is a term denoting the percentage the house charges in a poker game):  

In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).

It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.

The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.

Link here.

ComputerActive has a bit more:

The malware then covertly stored gamblers’ information and the executable files allowed hackers remote access to the victims’ computers.

The stolen information has been used to log into various online poker websites including Partypoker, Empirepoker, Eurobetpoker and Pokernow. Having gained access, the hacker can then play poker against himself, losing on purpose and reaping the rewards.

Absurd.

Alex Eckelberry
(Thanks Catherine!)

When RBLs go too far

Real Time Blackholes (RBLs) have had their share of controversy in the past, but they can be quite useful in stopping spam (if you weight their responses).

However, I recently noticed a post by someone on one of Sunbelt’s discussion forums.

We had a (now-former) employee install a bunch of spyware on a workstation late Friday. One of the messes was a spam generator of some kind. The workstation’s offline now.

The problem is we only have one external visible IP, so now my mail IP is blacklisted all over the place. Is there a magic process for getting off blacklists?

I’m googling as we speak  

Ok, that’s understandable.  So what happened?

He started the process of getting off the blacklists (something, incidentally, you can check yourself by going to dnsstuff.com and doing a Spam Database Lookup).

However, he hit a roadblock. One blacklist, UCE Protect, refused to even consider his request in a timely manner, unless he shelled out 50 euros.  From their webpage:

FREE OF CHARGE REMOVAL:
There is no need for you to request removal, if you do not want to pay.
Every IP at Level 1 will expire 7 Days after the last mail from it hit our SPAMTRAPS.
This means your IP will be removed automatically after that period.

PAID IMMEDIATE REMOVAL :
If you do not want to wait 7 Days, you may request a paid immediate removal.
Fee for this is 50 Euros per IP. Payments are accepted by Paypal only.
Removal will be done by hand, as soon as Paypal tells us, they received your money.
Click here if you want to request a paid removal.

Well that’s nice. You need to pay to get expedited service, because of a mistaken blacklisting.

On a related subject, he’s also having trouble with SORBS, because SORBS is convinced that his IP is dynamic, when it’s static and one his company has had for over four years (according to him, “SORBS is apparently blocking IPs with a rDNS TTL of less than 12 hours, and his IP is blocked because SORBS feels that the TTL of 3 hours indicates that it’s a dynamic IP and dynamic IPs are used by spammers.”)

On the subject of RBLs, there are a number that should not be used, and DNS Stuff’s list of blackholes is useful in that regard.  It will tell you which RBLs are too aggressive (some are run by real vigilantes who believe in blacklisting an entire carrier — that kind of thing).

Alex Eckelberry
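
Weighting blacklist responses, as suggested at the top of the post above, means no single list can block mail by itself. An added example (not from the original post): the zone names, weights and threshold are hypothetical, and resolve stands for whatever DNS lookup function the mail filter uses; here it is a stub over constructed answers so the example runs offline.

```python
import ipaddress

# By convention a DNSBL signals "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

# Hypothetical zones. The weight reflects how much one listing is trusted.
ZONES = {
    "conservative.dnsbl.example": 3.0,
    "moderate.dnsbl.example": 1.5,
    "aggressive.dnsbl.example": 0.5,  # e.g. a list that blocks whole carriers
}
REJECT_AT = 3.0


def query_name(ip, zone):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check(ip, resolve, zones=ZONES, reject_at=REJECT_AT):
    """Score an address across several lists.

    resolve(name) must return a list of A-record strings (empty when the
    name does not exist) and raise OSError on timeouts or server failures.
    """
    score, listed, ignored, errors = 0.0, [], [], []
    for zone, weight in zones.items():
        try:
            answers = resolve(query_name(ip, zone))
        except OSError:
            errors.append(zone)       # a broken list must not count as a hit
            continue
        if not answers:
            continue
        if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            score += weight
            listed.append(zone)
        else:
            ignored.append(zone)      # answer outside 127/8: not a listing
    if score >= reject_at:
        action = "reject"
    elif score > 0:
        action = "tag"
    else:
        action = "accept"
    return {"score": score, "listed": listed, "ignored": ignored,
            "errors": errors, "action": action}


# Constructed DNS answers for three documentation-range addresses.
CONSTRUCTED_ANSWERS = {
    "25.2.0.192.aggressive.dnsbl.example": ["127.0.0.2"],
    "7.100.51.198.conservative.dnsbl.example": ["127.0.0.2"],
    "7.100.51.198.moderate.dnsbl.example": ["127.0.0.4"],
    "9.113.0.203.moderate.dnsbl.example": ["203.0.113.80"],  # wildcarded zone
}
CONSTRUCTED_TIMEOUTS = {"9.113.0.203.conservative.dnsbl.example"}


def fake_resolve(name):
    """Offline stand-in for a real resolver, backed by the tables above."""
    if name in CONSTRUCTED_TIMEOUTS:
        raise TimeoutError(name)
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(ip, check(ip, fake_resolve))
```

An address that appears only on the low-weight list is tagged rather than rejected, and a list that times out or answers outside 127.0.0.0/8 contributes nothing to the score.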

More BlueSecurity

Todd Underwood looks at the BlueSecurity PR spin:

The timeline from bluesecurity (BS, as it’s such a great acronym in American English) is frustratingly vague. It uses phrases like ‘tampering with the Internet backbone using a technique called “Blackhole Filtering”.’ As Thomas Pogge, a philosophy professor of mine, used to say: that’s not even wrong yet. There is no “Internet backbone”, there is no technique known as “Blackhole Filtering”, and blackhole routing is not normally described as tampering. So the whole explanation is nonsense. It is literally non-sense: cannot be made to refer or mean anything. I don’t actually care whether BS knowingly redirected a DOS at the Six Apart sites or not (Although I’m sure that BS and its lawyers do). What I care about is that millions of angry netizens are being miseducated about how the Internet works. In the following, I’ll try to correct some of that miseducation. 

Link here.

Brian Krebs has an update: 

Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security’s farewell message and thousands more Web sites offline.

Just before midnight ET, Blue Security posted a notice on its home page that it was bowing out of the anti-spam business due to concerted attacks against its Web site that took millions of other sites and blogs with it. Within minutes of that online posting, bluesecurity.com went down and remains inaccessible at the time of this writing.

Link here.

Also, /. frenzy here. Security Focus article here (it’s good, too).

Alex Eckelberry

BlueSecurity gives up

It’s over.  BlueSecurity has given up and shut their doors.

Before I get waves of loyal BlueSecurity users bemoaning the demise of the company, let me tell you what I think is the key reason that the BlueSecurity idea was doomed from day one: They had a Do Not Email list.

BlueSecurity was effectively a proxy for their subscribers, fighting spammers by using the legal means available in CAN-SPAM (basically, aggressively unsubscribing their users).  And that’s not necessarily a bad idea, as long as the user’s email address is never exposed.

However, BlueSecurity exposed their users to attack by having a Do Not Email list.  While the list was not open, it was easy for spammers to find out who the users were, by simply running their lists of email addresses against the Do Not Email list.  Those who came back as not mailable were the BlueSecurity users. Then, the attack could start. 

Of course, that’s exactly what happened.

The idea of being a proxy for Do Not Spam is not necessarily a bad idea.  And I know it made people feel good to fight back, and I think legally fighting back is a fine idea.  But getting users involved invites the possibility of collateral damage.  Such a fight should be done by a coordinated network of volunteers, with one face to the spammer.  You expect spammers to respect your list?  Good luck. 

Brian Krebs writes about the demise of BlueSecurity:

I had a chat with Blue Security’s CEO Eran Reshef shortly after the attack, and he shared with me some records of his online conversations with two spam sponsors, individuals in the business who handle everything from keeping the online pharmacy and other spam product Web sites running, to hiring and paying the people who do the actual spamming. Reshef said attacks from the company’s software had convinced six out of the top 10 sponsors to scrub their spam e-mail lists to remove the addresses of people who use Blue Security’s software.

Link here.

 

Alex Eckelberry
(thanks Michael)

Sunbelt TechTips for the week of May 15

How can you download more than two things at a time with IE?
Internet Explorer limits you to two download sessions in order to comply with RFC 2068, an Internet standard. You can also have one queued download. This standard originally made sense because spreading the bandwidth between multiple downloads would cause them all to be very slow. However, these days many folks have access to ultra high speed Internet connections via cable and fiber optic, up to 10, 20 or 30 Mbps. That means it’s now feasible to have many downloads going at the same time. You can edit the registry to change the limit. Here’s how to set IE to allow ten download sessions:

  1. Open the Registry editor and navigate to the following key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  2. Click Edit and select New, then click DWORD Value.
  3. Name the new value MaxConnectionsPer1_0Server.
  4. Double click it and give it a value of 10 (Decimal).
  5. Click Edit | New again and click DWORD Value.
  6. Name the second new value MaxConnectionsPerServer.
  7. Double click it and give it, too, a value of 10 (Decimal).
  8. Close the registry editor.

As always, take care when editing the registry and back up your registry first.

Can’t access WebDAV folders from XP computers
The WebDAV (Web-based Distributed Authoring and Versioning) protocol is used to allow users to create, change and move documents on a remote Web server. If you get error messages when you try to access WebDAV web folders using your XP computer, it may be because the WebDAV folder contains more files than XP allows. The error message you get depends on how you try to access the folder, but may include Error 31, a “disk is not formatted” error or a “folder is not accessible” error. The good news is that you can edit the registry to enable XP to allow a larger maximum file count. For detailed instructions on how to do so, see KB article 912152 here.

Can’t play licensed content in WMP after removing SP2
So you uninstalled XP Service Pack 2 and your ability to play some of your licensed media content went with it, even though you were able to play it before. This only happens in specific circumstances: when you’ve upgraded from Windows 2000 to XP, installed XP SP2, and then removed SP2. Luckily, there is a way to ensure that your licensed content is still available to WMP after removing SP2. Instructions are in KB article 843020 here.

How to protect yourself from spoofed Web sites
A spoofed site is one that appears to belong to a particular organization or individual but really belongs to someone else. Spoofed sites hide their true identities in several ways, including by disguising their URLs. There are ways that you can protect yourself from spoofed sites (and the malicious hyperlinks that may lead to them). Get the full scoop in KB article 833786 here.

Deb Shinder

Social Networking: Latest Scourge or Old News?

The term “social networking” is being bandied about a lot these days, but it was actually first coined way back in the 1950s by author and professor J.A. Barnes, and it’s a popular topic of study in the fields of sociology and social psychology. In the original sense, it refers to the ways that individuals or organizations connect to one another. A social network could be a family or household, the members of a club, or even a whole country.

A key element of the “network” is that individuals who don’t know one another are connected through other people that they both know. In the 60s, a psychologist named Stanley Milgram postulated that any two typical U.S. citizens who aren’t acquainted with each other can be connected through a chain of no more than six others. This led to the theory of “six degrees of separation” and subsequently a movie by the same name about a con man who, in the 1980s, convinced many people that he was the son of a famous actor.

With the growing ubiquity of the Internet, a new meaning for the term has emerged. It refers to Internet applications that help people, often otherwise strangers, connect and form relationships. No longer a bit of jargon known only to sociology professionals, social networking is now a mainstream concept, popularized by Web sites such as Friendster, Facebook and the current frontrunner, especially among teenagers and twenty-somethings, MySpace.com.

Social networking sites usually allow users to create personal profiles, write Web logs (blogs) to share with other members or the public, engage in live chat/instant messaging and share files (especially photos).

While Barnes’ contention was that a typical social network consists of a maximum of 125 to 150 people, the Internet has greatly expanded those limits. MySpace.com had over 77 million members as of May 2006, according to Wikipedia. In fact, you can see a list of popular social networking sites and their user counts here.

Of course, the actual social networks within these sites (that represent the people to whom any given individual is “connected”) are much smaller. You’ll also note that the sites that are more “specialized” tend to have much lower numbers of users. While Friendster, MySpace and other generalized sites have memberships in the millions, sites such as aSmallWorld (dedicated to the European jet set and social elite) and Nexopia (which focuses on Western Canada) measure their users in the tens or hundreds of thousands.

Some social networking sites, such as OkCupid, are essentially just dating services. Others, such as Classmates.com and Reunion.com, were created more for the purpose of finding old, lost friends than making new ones. And many of the social networking sites, such as Tagged, Studybreakers, The Student Center, myYearbook, ProfileHeaven, Facebook and many others, are aimed directly at high school and/or college students – although they are increasingly attracting younger children as well.

And therein lies the problem. There have been numerous reports of sexual predators using the social networking sites to troll for victims and there have been several arrests. One of the most recent was reported May 12 in the Chicago Tribune here.

Older people may pose as kids themselves to con naïve teenagers into agreeing to meet them or give them personal information. Many young people put information that will allow them to be tracked down in their public profiles.

Most young people downplay the dangers and see the sites as harmless fun, insisting that all it takes is a little common sense to avoid being victimized. However, many parents are up in arms, not only about the risk but about the amount of time teens are spending on these sites – time that could be devoted to school work and “real world” friends and activities. Now (surprise, surprise) the government is getting into the act.

This month, a bill was filed in Congress, called the “Deleting Online Predators Act,” which would require schools and libraries to block access to social networking sites. You can read the actual bill here (PDF).

Note that it doesn’t impose criminal or civil sanctions on schools that fail to abide by the rule. The requirement is for “recipients of universal service support” – that means if you don’t obey, your federal funding can be yanked. Proponents feel this is a necessary step to protect children. Critics of the legislation point out that it puts an undue burden on the schools and libraries, requiring them to invest in more expensive filtering software and punishing them (by withholding funds) if inappropriate sites somehow get through.

But is this law even enforceable? Most filtering software works by consulting a list of sites deemed inappropriate (“blacklists”) and blocking those that are found on the list. However, as described in this recent article in the Dallas Morning News, tech savvy teens can get around the filtering by going through proxy sites.

Although those who maintain the blacklists can also add proxy sites to them, new sites pop up every day. Trying to keep up with them all may be a losing battle.

The only way to effectively ensure that students don’t visit undesirable sites is to use “whitelists” instead. With this type of filtering, instead of trying to keep a list of sites that aren’t allowed, you maintain a list of sites that are. The software blocks all sites that aren’t on the list. But some educators see this as overly restrictive: it limits students to pre-approved sites, prevents them from freely surfing the ‘net, and makes it more difficult to do extensive research and discover legitimate, safe but new sites that haven’t made it onto the list.
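The trade-off between the two filtering models described above, as an added example that is not part of the original article: the same requests are evaluated under a default-allow blacklist and a default-deny whitelist. Every hostname and list entry is a constructed placeholder, and the function names are hypothetical, not taken from any filtering product.

```python
from urllib.parse import urlsplit

# Constructed sample lists; every hostname is a placeholder, not real filter data.
BLACKLIST = {"social.example", "known-proxy.example"}
WHITELIST = {"library.example", "encyclopedia.example"}

def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot ('' if none)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def listed(host, domains):
    """True if host is a listed domain or a subdomain of one.

    Matching is on whole DNS labels: 'www.social.example' matches
    'social.example', but 'notsocial.example' does not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def blacklist_allows(url):
    """Default-allow: any parsable host that is not on the blacklist gets through."""
    host = host_of(url)
    return bool(host) and not listed(host, BLACKLIST)

def whitelist_allows(url):
    """Default-deny: only hosts on the whitelist get through."""
    host = host_of(url)
    return bool(host) and listed(host, WHITELIST)

def compare(urls):
    """Map each URL to (blacklist decision, whitelist decision)."""
    return {u: (blacklist_allows(u), whitelist_allows(u)) for u in urls}

SAMPLE_REQUESTS = [  # constructed requests
    "http://www.social.example/profile",       # site on the blacklist
    "http://known-proxy.example/",             # proxy already on the blacklist
    "http://new-proxy.example/",               # proxy nobody has listed yet
    "http://new-research-site.example/paper",  # legitimate but not pre-approved
    "http://www.library.example/catalog",      # pre-approved site
]

if __name__ == "__main__":
    for url, (bl, wl) in compare(SAMPLE_REQUESTS).items():
        print(f"{url:42} blacklist={'allow' if bl else 'block'}"
              f"  whitelist={'allow' if wl else 'block'}")
```

The unlisted proxy passes the blacklist and is stopped only by the whitelist, which also stops the legitimate research site that has not yet been approved.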

Other critics of the law opine that a government mandate to block these sites will only make them more attractive to kids, and say that most kids who are being victimized by online predators aren’t communicating with them during school hours, but after hours on home computers. Still others oppose the law not so much on its intent or content, but simply feel it’s not a matter for the federal government to legislate; since schools are run by local entities, shouldn’t the decision to force such provisions on them be a matter of local or state legislation? And many are asking why this is suddenly an issue – how do such sites really differ (in inherent risks, if not in sophistication) from the old AOL chatrooms or IRC channels?

Tell us what you think. Are the dangers of social networking sites (like, perhaps, the danger of bird flu) being vastly overexaggerated? Or are these sites cesspools of depravation that should be wiped from the face of the earth? Something in between? If they do present a risk to children, what’s the best way to ameliorate the dangers?

Should we be making a federal case out of it? Or should states and school boards be handling it? Or is this a matter better addressed by education than by any level of legislation?

If you’re a young person, do you participate in social networking sites? If you’re a parent or teacher, have you seen problems caused by social networking? How about the business-oriented social networking sites? Have they helped you in making contacts to advance your career?

Deb Shinder