Frienditto
Mar. 6th, 2005 10:30 pm
Picture this: you see a billboard advertising a service which will take every piece of mail that you've ever received and file it away for posterity. All that you have to do is mail the company willing to provide this service the keys to your house. Sound like a good deal? No, I didn't think so. Apparently, when the keys are so many invisible characters in a text box, then it is okay to hand them to any schmuck promising a free service.
This is the core of the Frienditto saga. The site is currently a splash page that asks for donations to help with "bandwidth costs" and "legal fees"; however, a Google cache page of the site reveals the following on their default page:
frienditto.com will archive livejournal posts for you. Simply submit the url of the post along with a title for it and a short description and frienditto will archive it and put its information into a database. You can then search the database for entries or link to them. If you have friends only access to a journal you can also archive that.
If you want to archive posts, but keep them private for yourself you can become a frienditto member. This gives you a special password protected portal that is only available to you or to anyone that you share your frienditto password with.
It all seems fairly innocuous, albeit unnecessary. Provided one does not violate Livejournal's terms of service, one need not worry about the archive of their own journal being deleted. If one wishes to save any locked entries that those on their friends list may create, pressing F3, or going to the "File" menu and selecting "Save As..." generally does the trick.
The issue, however, comes from several users who signed up for Frienditto and were asked for their Livejournal usernames and passwords. When I looked at the Google cache of the site, it seemed to me that it was a thinly-veiled phishing scheme - any site in which one is asked to give away sensitive information about another site should fall under such suspicion. It should also be questioned exactly how they were going to archive "friends only" posts if Frienditto itself was not a user with the same Livejournal friends list. The big give-away is the fact that they allegedly asked for usernames and passwords.
If one goes to ditto_cops, there is a list of journals which have had their "friends only" posts compromised by people who were on their friends list who signed up for Frienditto. While it is unfortunate that these entries were compromised, there is not much that can be done. Giving out a computer password is like giving out the key to a house - those who are in possession are those who have access. One should always post their entries bearing in mind that if they decide to let any other human beings read them, their information may end up being absorbed by eyes that it wasn't intended for.
As a phishing - or the blanket term "social engineering" - scheme, Frienditto is pretty weak. Usually, a scam site will try to lure seemingly random users via an email so that they will enter a bank account number or a password and user name for a site such as Paypal. It seems like Frienditto is nothing more than a high-school prank, as access to a Livejournal account doesn't yield much more than private information. One cannot access another's bank accounts via a "hacked" Livejournal, unless the user has written private entries which include their credit card numbers. Given how many people were suckered into giving away Livejournal passwords to Frienditto, I wouldn't be too surprised if there were some credit card numbers floating around in some private Livejournal entries somewhere.
That is how social engineering works: find someone who trusts stupidly and strike. You'd think that people would learn.