Windows Secrets Newsletter • Issue 189 • 2009-03-19 • Circulation: over 400,000

   
   


   
   
Table of contents
INTRODUCTION: Get a bonus on blogging as an alternative job
TOP STORY: "Viral inviters" want your e-mail contact list
KNOWN ISSUES: WS "contribution model" lauded by biz journal
WACKY WEB WEEK: Nothing friendly about this "friend" request
LANGALIST PLUS: Test and improve your Internet speed for free
WOODY'S WINDOWS: Multi-boot madness: Match the drive to the OS
PATCH WATCH: Many gdiplus.dll files, but only one needs fixing

   
       
   

   
   
INTRODUCTION

Get a bonus on blogging as an alternative job

By Brian Livingston

Each month, we license new content that isn't yet publicly available, and we let our subscribers download the material as a sneak peek.

Today, our paid subscribers can get an exclusive 54-page excerpt — including the introduction and two of the best chapters — from a new book from Entrepreneur Press that won't be released to the general public until next month.

Blogging isn't going to make most people into millionaires. But there's no reason why you can't learn some of the tricks that make some blogs more than just a hobby.

Author Jason R. Rich has written 37 books on personal finance, e-commerce, and many other subjects. In Blogging for Fame and Fortune (photo, left), he covers techniques you may never have heard of for turning your own particular expertise into a paying gig.

Paying WS subscribers can download our excerpt between Mar. 19 and Apr. 15. To do so, visit your preferences page, update your settings, and click the Save button. A download link will then appear.

Free subscribers can upgrade to get Windows Secrets' paid content by making a financial contribution of any amount. Immediately after upgrading, use the subsequent download link to get your bonus.

Paid subscribers: Set your preferences and download your bonus
Free subscribers: Upgrade to paid and download your bonus

Info on the printed book: United States / Canada / Elsewhere

I hope you enjoy this advance look at this new work. Thanks for your support!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.


   
   
TOP STORY

'Viral inviters' want your e-mail contact list

By Becky Waring

Several firms have recently sprung up that provide tools to copy e-mail and social-network contact lists from Outlook, Gmail, Hotmail, AOL, MySpace, Friendster, and other sites.

Web site operators who lure unsuspecting users into sharing their address lists can then send invitations to all the contacts in order to swipe even more private info.

The names of some of the contact-scraping tools — Viralinviter.com, TrafficXplode.com, and TheTsunamiEffect.com — hide their true purpose. They present themselves as list-builders for site owners and e-mail marketers, and are indeed used by many legitimate companies. But these tools are attractive to all kinds of sites, not just trustworthy ones. Sites that use contact-scraping tools can build e-mail lists in a way that puts your privacy and security at risk.

You may have used an address-scraping tool already. Major social-networking sites such as Facebook, ShareThis, LinkedIn, and Plaxo offer a convenient way to build your initial "friends" list by importing your contacts from Outlook or other e-mail programs or by signing in to your webmail or social-networking service. The process is as easy as uploading a file or entering your user ID and password. (See Figure 1.)

Figure 1. Legitimate social-networking services — in this illustration, ShareThis.com — can create an initial friends list by importing contacts from an e-mail program or from Web services such as Gmail, Yahoo, MSN, AOL, AIM, and MySpace.

Viral inviter–type services take advantage of this familiarity by making their input forms look like those on the social-networking sites. (See Figure 2.)

Figure 2. The TrafficXplode service gives site owners an online form that scrapes contact lists from more than 20 popular webmail and social-networking sites.

Uploading a contact file or entering your ID and password into these forms, however, can transfer your password and/or all of your friends' e-mail addresses to a company that may not have a strong privacy policy.

How viral inviters overcome built-in suspicions

"But wait," you might say, "savvy Windows Secrets readers would never upload their address lists or enter their passwords, so they must be safe, right?"

That may be true of you and me, but it's not the case for the population as a whole. Your friends, relatives, co-workers, and random classmates from 20 years ago could easily fall prey to this data-scraping scam — and they could be the ones surrendering your info.

Imagine that your 15-year-old daughter is a member of Facebook, MySpace, Twitter, and ShareThis. She also might be a subscriber to chat services such as AIM, Yahoo, Skype, and MSN. She's used to sharing her address lists on social sites. That's how the services work.

So when your daughter joins a new site — very likely having been invited by a friend to do so — and is asked to go through the exact same list-building process she's familiar with from Facebook, she becomes easy prey. The viral scripts look just like their social-networking cousins.

A site may say that it won't store passwords or misuse addresses, but such promises mean nothing to a spam operator. Phishing sites can do even more damage by simply emulating a well-known social network to lure users into logging in via phony e-mail invitations.

Spammers are famous for manipulating big sites to do the work for them. For example, blogger Dave Taylor describes a standard Plaxo address-update request he received that he would normally respond to without much thought.

However, this request had various bits of old and incorrect info and was obviously cobbled together from different sources, which roused his suspicions.

According to Taylor, "a spammer uploads as much data as is easily found on tens of thousands of people, then triggers Plaxo sending out an 'update your contact information' message. Clueless or overly busy people see the contact info, say 'Whoa! Let's update that, it's way wrong,' and never ask themselves if they actually know the person sending the request."

David Lazarus of the Los Angeles Times has accused social-networking site Reunion.com of abusing e-mail contacts. The company's aggressive marketing tactics require you to surrender your address list to join up, in most cases. The site then sends out invitations in your name to all your contacts. Since Reunion.com charges for membership, the more members it can sign up, the more it makes.

This is not to say that every site posting a form provided by a viral-inviter service is a scam. Most are just typical Internet marketers out to make a buck with their weight-loss secrets or self-help videos.

But address-scraping tools can be gold mines when put in the hands of identity thieves — and the scripts are available to any Web site operator.

Web services can't control what people share

Why don't the big sites slam the door on the scraping of their contact lists? It's not that they aren't trying, but when a user gives up his or her ID and password to a viral-invitation site, there's not much the services can do.

Take Facebook. With more than 150 million members worldwide and a huge amount of data on every user, the site is a dream come true for spammers and identity thieves.

Facebook has an onerous end-user licensing agreement (EULA) that puts the liability for misuse of your account on you whenever you share your passwords or contacts. The EULA also prohibits the use of "automated scripts to collect information from or otherwise interact with the Service or the Site."

Facebook seems to be fairly successful in its attempts to prevent scripts from accessing users' data. For one thing, neither Viralinviter nor TrafficXplode currently claims to be able to scrape data from Facebook (although this ability was at one point claimed by TrafficXplode). This is probably because Facebook now presents address-book information in image form rather than text, which makes it harder to scrape.

Such techniques as cutting off users who make too many data requests in one session can also be effective. However, there's nothing stopping a shady site from storing the IDs and passwords it acquires and using the data later for malicious purposes.

LinkedIn's EULA has similar verbiage to Facebook's. Unlike Facebook, however, LinkedIn doesn't seem to actively prevent scripts from scraping its data. Viralinviter claims to work with LinkedIn accounts and even features the LinkedIn logo prominently on the Viralinviter site, along with logos of MSN, AOL, and others.

Linked social networks accelerate the problem

The arms race between the script builders and big-name Web services is just beginning. The massive data collections that the scrapers are able to accumulate are simply too valuable to pass up.

The problem will only get worse as social-networking sites create linked systems. For example, the Facebook Connect service that launched last year allows members to use their Facebook account to sign in to hundreds of third-party sites, such as CNET and MoveOn.org. (This is explained on a page listing Facebook Connect Live sites).

Facebook claims to vet each site before allowing it to join the Connect system, but as the list grows, it will be increasingly difficult for Facebook to control things. Google has a similar service called Friend Connect. (Google has posted its own explanation of the concept.)

Services such as these provide convenience, but when people become accustomed to entering their passwords on third-party sites, it's only a matter of time before users encounter phishing sites, or worse. Even experienced users may be fooled in this way.

Dave Jevans, chairman of the Anti-Phishing Working Group, told me in an e-mail interview, "Malicious software and scripts that take advantage of social-networking sites or that scrape e-mail address books are a growing threat. Because these messages appear to come from a friend or colleague, the recipient usually trusts the contents.

"There have been outbreaks where over 1 million people have been affected in a short period of time," according to Jevans. "These malicious systems can be used to drive users to advertising sites, thus driving ad revenue for the fraudsters. In some cases, they drive users to Web sites that install malicious software — malware or crimeware — onto their computers in order to steal passwords and credit card information."

Jordy Berson, group product manager for Check Point's Zone Alarm, echoes that sentiment. "Legitimate companies train us to use and trust their harvesting techniques, such as e-mail scraping," Berson said in an e-mail, "but in the wrong hands, they are extremely dangerous for consumers — and stolen e-mail [addresses] are just the beginning."

The bottom line: Assume your data can be scraped from any social-networking or webmail site, and plan accordingly.

Prevent your data from being scraped

Other than canceling all your social-networking accounts, what can you do to protect yourself against list scrapers?

First, be diligent about your own sign-in habits. Use strong passwords and enter them only on sites you trust. Also, make sure you have your browser's phishing protection turned on. The LinkExtend Firefox extension recommended by WS senior editor Gizmo Richards in his Mar. 5 Best Software column (paid content) will alert you to most malicious site operators.

Second, safeguard your e-mail accounts. As emphasized earlier, the main danger is not that you will give away your own information but that your so-called friends will do it for you. Use your work e-mail address only for communicating with colleagues and clients, not for shopping or registering on social sites. Most importantly, don't share your work address with friends and relatives.

Next, educate your contacts that you don't want them handing over their e-mail files or contact lists to any site that asks. You can't guarantee that everyone you know will comply, but there's no reason to let scraping services go unchallenged.

Finally, protect your primary personal e-mail address by using disposable aliases that are forwarded to your primary account. That way, you can track who is sharing your address and delete any addresses that become spam magnets. Google's Gmail and Yahoo Mail both make it easy to create throwaway e-mail addresses. (They work quite differently, however, as WS contributing editor Scott Dunn explained in his July 24, 2008, review of webmail services.)
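One way to do the tracking described above, as an added example that is not part of the original article: give each site its own alias, record which site received it, and flag any alias that starts getting mail from an unrelated sender. The `jane+tag@example.com` plus-address format, the alias registry, and the sample messages are all assumptions constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed registry: alias tag -> domain of the one site that was given the alias.
ALIAS_OWNERS = {
    "shop": "bookstore.example",
    "social": "friendsite.example",
}

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    "From: Orders <orders@bookstore.example>\n"
    "To: jane+shop@example.com\nSubject: Your receipt\n\nThanks.\n",
    "From: Deals <promo@mail.pills.example>\n"
    "To: Jane <jane+social@example.com>\nSubject: Join now\n\nHi.\n",
    "From: invite@newsite.example\n"
    "To: jane+social@example.com, bob@example.org\n"
    "Subject: Your friend invited you\n\nHi.\n",
    "From: News <news@mail.friendsite.example>\n"
    "To: jane+social@example.com\nSubject: Updates\n\nHi.\n",
    "From: x@unknown.example\n"
    "To: jane+oldforum@example.com\nSubject: hello\n\nHi.\n",
]


def alias_tag(address, mailbox="jane", domain="example.com"):
    """Return the +tag of an address on our own mailbox, or None."""
    local, _, addr_domain = address.lower().rpartition("@")
    if addr_domain != domain:
        return None
    base, plus, tag = local.partition("+")
    if base != mailbox or not plus or not tag:
        return None
    return tag


def same_org(sender_domain, owner_domain):
    """True if the sender is the owner domain or one of its subdomains."""
    return (sender_domain == owner_domain
            or sender_domain.endswith("." + owner_domain))


def find_leaks(raw_messages, owners=ALIAS_OWNERS):
    """Map each alias tag to the unexpected sender domains that mailed it.

    The From header can be forged, so a match proves little, but a
    mismatch is a useful signal that the alias has been passed along.
    """
    leaks = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rpartition("@")[2]
        headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
                   + msg.get_all("Delivered-To", []))
        for _, addr in getaddresses(headers):
            tag = alias_tag(addr)
            if tag is None:
                continue  # not one of our aliases
            owner = owners.get(tag)
            # Unregistered tags are reported too: nobody should know them.
            if owner is None or not same_org(sender_domain, owner):
                leaks[tag].add(sender_domain)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


if __name__ == "__main__":
    for tag, domains in find_leaks(SAMPLE_MESSAGES).items():
        print(f"alias +{tag} reached: {', '.join(domains)}")
```

An alias that shows up in the result is a candidate for deletion or filtering, and its registry entry names the site that was originally given the address.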

The data-scraping problem will not go away any time soon, but taking steps to safeguard your personal data can help you keep the scrapers at bay.

Becky Waring has worked as a writer and editor for CNET, ZDNet, Technology Review, Upside Magazine, and many other news sources.


   
   
KNOWN ISSUES

WS 'contribution model' lauded by biz journal

By Dennis O'Reilly

Windows Secrets has always encouraged as many people as possible to get the paid version of our content by not charging a fixed fee.

Instead, we allow anyone to make a contribution of any amount, whatever they feel it's worth, allowing people of modest means as well as those more well-off to receive the information.

Now, the Mar. 6 edition of the Puget Sound Business Journal, a weekly magazine, has profiled the way this works to sustain our newsletter. The publication compared our pay-what-you-wish model to the way the band Radiohead allowed fans to download its latest album, "In Rainbows," for any amount.

Figure 1. The Puget Sound Business Journal article on Windows Secrets was also carried in the related TechFlash.com blog.

In an article and a related interview with editorial director Brian Livingston for the TechFlash blog, PSBJ writer Todd Bishop calls Windows Secrets' pricing policy a potential lifeline for the publishing industry:
  • "The name-your-own-price approach isn't new, and online publishers caution that people won't be willing to pay for all types of content. But as the economy cuts into advertising budgets, the experiences of Livingston and others may provide lessons for newspapers and bloggers seeking to build viable businesses in online media."
For the full story, read the article and interview at the TechFlash blog.

Downgrading Vista to XP may need driver search

When WS contributing editor Scott Dunn researched last week's Top Story on switching from Vista to XP, he tested two different systems: one that shipped with Vista and one that had been upgraded from XP to Vista. In both cases, the transition went smoothly. Unfortunately, like most things that involve tweaking Windows, the Vista-to-XP process isn't painless in every case.

The most common speed bump is finding XP drivers for your network adapter, graphics card, and other peripherals. Tom Gueth was one of several readers who shared their frustration in finding drivers for their downgraded Vista machines:
  • "[Downgrading Vista is] not always as easy as the article makes it sound.

    "1) The biggest issue is drivers. Although it has gotten better lately, in many cases the XP disc doesn't have all the needed drivers. In fact, in most cases it doesn't have them. Trying to automatically find them usually doesn't work. So users can expect to spend a lot of time at vendor sites trying to find an XP driver. This can be a lot of work, especially just trying to find out what hardware is installed. Laptops are the worst.

    "2) Recommend that, rather than wipe the old drive, readers buy a new hard drive. Do a completely fresh install. A 160GB drive [costs only] $50 [and] is worth it. Then if XP is a major problem, you only need to put the original drive back in and boot. At least then you can still use the computer. Also, no backup [is] required (even though everyone should be doing it), as you just put the second drive in as a secondary drive or buy a USB box for $30 and drop it in there to get the data files.

    "3) Especially for laptops with SATA drives, the standard XP install disk may die during its startup because it doesn't have the required SATA drivers (example: HP laptops with SATA). One can download the needed driver. Another option is that the BIOS may allow you to make the hard drive look like a PATA drive. This worked on two HPs I have done. [There's a] minor loss of performance, but the user never noticed. XP loaded like a dream — although as noted above, I had to go digging for drivers for many of the devices."
In his July 31, 2008, Top Story, Scott reviewed several driver-update services that support both Vista and XP. The article includes a description of the free version of RadarSync, which Scott reports does a great job in finding XP drivers. For more info, see RadarSync's download page.

This Microsoft patch doesn't know when to quit

Susan Bradley reports that many Windows XP users are being offered over and over and over again the AutoRun update described in Microsoft KB article 967715. Susan found that one possible cause is Roxio's CD-burning software, which may prevent the Registry key in question from being reset as it should be. In the AumHa Forums, Microsoft security MVP Steve Wechsler provides some suggestions for rectifying the situation.

The workaround involves installing the patch in Safe Mode and then manually setting the necessary Registry keys. Your system is probably already patched with the updated version of the shell32.dll file. However, some software may be blocking the corresponding Registry key, preventing the update from setting it. When the update fails to see the key, it offers the patch to you again.

If the workarounds in the AumHa post don't remedy the situation, call Microsoft's support line. In the U.S., the number is 1-866-PCSafety. Once the update is no longer nagging you, follow the instructions provided in the Mar. 12 Top Story for changing the Registry settings in question.

Reader Tom Gueth will receive a gift certificate for a book, CD, or DVD of his choice for sending a tip we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers' comments on our recent articles. Dennis O'Reilly is technical editor of WindowsSecrets.com.


   
   
WACKY WEB WEEK

Nothing friendly about this 'friend' request

By Katy Abby

Social-networking sites have taken the online world by storm, forging connections between friends new and old. But just what constitutes a "friend" in this virtual community?

Odds are your best pals from primary school, their mothers, and the kid who used to take your lunch money are all signed up. How do you choose whom to accept as a friend?

Watch this hilarious sketch about how Facebook would operate in real life, and gain some comic insight to this pressing — or "poking" — question. (Warning: adult language.)


   
   
PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/090319

Free content posted on Mar. 19, 2009:

 
You get all of the following in our paid content:

Get our paid content by making any contribution

12 months of paid content

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by Mar. 25, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.
 

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in March are helping us to sponsor Joan Emanuel, a 9-year-old boy from the Dominican Republic. Joan is a talented singer who also likes to play baseball. He lives in a village with his parents and one sibling. Children International channels development aid from donors to Joan and his community. We also sponsor kids through Plan USA, Save the Children, and other respected agencies.

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!

   
   


   
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Mark Joseph Edwards, Stuart J. Johnston, Woody Leonhard, Ryan Russell, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
Copyright © 2009 by WindowsSecrets.com LLC. All rights reserved.
