Firefox Extension for Applied Social Networking

wanderingstan writes "Outfoxed is my masters thesis project about trust. (Nutshell overview) The extension uses a social network for personalized searching, phishing/spyware protection, file/process validation and more. It's related to del.icio.us, StumbleUpon, and those Kevin Bacon things, but goes a lot further. Mathematically, it's based on the network behavior of small world networks (pdf). Built with Javascript, Python, SQL, and XSLT. 366 testers so far, but we need the network to grow!"

Re:Using social networks for personalization

[capt.Hij]

Another example is the state of Utah! Salt Lake City is the smallest city to have its own SEC office, and the state suffers from a high rate for people getting ripped off by people they know. This has been attributed by the close network of people within the LDS Church. Somebody who is intent on ripping someone off can join the church and instantly gain a large web of trust.

Good idea in theory

[mister_llah]

... but in practice, you open the door to increased risk... navigating bookmarks of someone you don't know could run you right into spyware/malware... there aren't enough filters in the world to keep up with what is put out there.

Sadly, too, the concept of Monkey Sphere comes in, too...

http://www.pointlesswasteoftime.com/monkeysphere.h tml ...

Though it will start small, it will eventually become just too big, if it survives... it will become just another random maze of links for people to click through at 3am when they should be coding for a project due at midnight the next day.

===

Sorry to be a drag, just being realistic :/

Identity evasion

[Paul+Crowley]

For recommendations in favour, this sounds great, so long as the trust metric is attack resistant as described in Raph Levien's thesis. Google PageRank is an example of an attack resistant trust metric.

For recommendations against, it's very hard to make this work, because it's hard to make the shit stick; every time the global reputation of a particular identity takes a dive, it's easy to shift to another one which has no recommendations either way.

Creating hard-to-evade IDs is a very hard problem.

sql go boom

[farker+haiku]

Every file and process should have a chain of trust leading back to the user. Any file or process without such a chain is being taken on faith, and the user should be warned accordingly.
For example, every process run by a computer should have a chain that looks something like this:

wuauclt.exe [executed by] Windows Update [installed by] Windows OS [installed by] User [trusted by] Root User
matlabserver.exe [executed by] MatLab Application [installed by] User [trusted by] Root User
And similarly, every file should also have a chain:

desktopicon.ico [created by] FireFox Application [installed by] User [trusted by] Root User
mydocument.doc [created by] MS Word Application [installed by] Root User
Ideally, management of trust should be done at the lowest levels of computation: in the operating system or even in the microprocessor itself. This limits the ability of malicious software from disrupting the chain of trust back to the user. Outfoxed, because it is just an extension, has many vulnerabilities. Primary is the vulnerability of the locally stored trust database.

The next step would be to have trust storage implemented as a continuously running process that could be queried by other applications. [Note 22/03: The new version does this, using HTTP for queries.] So the browser, email client, and word processor could all draw trust information from the same source.

The best solution would be to have this process integrated into the operating system itself, so that the OS could also take advantage of the trust information by only running trusted applications. Trust managed at this level, combined with a good security methodology, would give us the ultimate trustworthy environment.

Re:sql go boom

[dodobh]

Trusted by whom? Just because your OS vendor trusts someone does not mean that the rest of us do.

A trusts B
B trusts C

does not imply A trusts C

Re:sql go boom

[Lorkki]

Interesting idea but when Micro$oft proposes the same thing the local /. denziens go bonkers.

On the other hand, the real difference is that the Palladium concept insists on you, the user, to trust an omnipotent outside third party in determining what is trustworthy and what isn't.

Maybe this is a FASQ, but

[RealProgrammer]

what's to stop social-network-bookmark spamming?

"Green Tennis Shoes are the best! Come see my kewl site about Green Tennis Shoes!"

And you're taken to some guy's blog. Is there a rating system, and if so, how well does it work?

who are you going to trust?

[udderly]

The example in the "nutshell example" seems like a good enough idea, but I'm curious, what's to ensure that the results stay good as the connections increase? In this example, it very quickly gets to a friend-of-a-friend-of-a-friend status. It seems that for each hop you take away from the most trusted people in your social network, good advice gets exponentially harder to find.

For example, if you asked your brother--who just had his bathroom redone--for a recommendation on a good plumber, you might expect some good advice. But how much credence are you going to give the advice of your brother's co-worker's nephew's best friend?

Re:who are you going to trust?

[wanderingstan]

I cover this a little bit in calculating path length. As tdvaughan said, there's a built-in decay factor. And moreover, it should be said that Outfoxed is just a metadata aggregator: it will dutifully tell you if a friend-of-a-friend-of-a-friend-of-a-friend thinks a plumber is good. But it's entirely up to you if you will trust the recomendation.

Objections

[Orion83]

He answers objections about spamming and "dumb friends" by saying that the network will basically allow someone to be discredited fairly easily. Any sources that gives bad advice will quickly be given a few bad reviews.
The problem with this is that "goodness" is somewhat subjective. If you ever use amazon, you know that pretty much everything has at least few marks against it. If you want a network to be big enoguh to come up on searches, chances are that you're going to have a wide variety of opinions

Re:Using social networks for personalization

[natrius]

As another person mentioned, the people you entrust while using this system don't actually have to be people you know. For instance, if you take a look at someone's del.icio.us links page and there are tons of things that interest you, you would probably trust them to inform your browsing decisions.

This system looks like a good way of implementing spyware/adware prevention and the like based on trust, but I don't think it will do so well for general browsing as you point out. There are plenty of people I would trust to help me stay away from spyware who I wouldn't want pointing me to web sites to read, mainly because I read vastly different things on the Internet from many of my friends. A system tha would work for this is something like Amazon's recommendation system. Without fail, Amazon emails me stuff that I'm actually interested in based on things I've bought from them. If something could use my web browsing history and compare it with that of others to suggest sites to read, that would be awesome. There are tons of privacy issues there, but putting those aside, I think such a system would be very effective.

One thing that might break such a system would be spammers. Spammers like to break anything that's good on the Internet with advertising, and this would be no exception. I think it would be hard to replicate a normal browsing history while inserting a few ad links, and submit those histories on a large enough scale to make those sites show up as results.

Anyway, I've gone off on a bit of a tangent. My point is that trust works well for many of the stated goals, but not so much for what I really want: all the good information on the Internet pumped straight into my brain.

Here's the thing about personalization

It *must* go hand in hand with privacy. I used to work at a company that made a website personalization product and the engineering code-name for the product was "orwell". It took us a few days before release to remove all references just in case customers would have a negative association with such a term.

But I did not enjoy working on such a product. It convinced me back then that I don't like the nature of the web, which is fairly centralized relative to the internet itself. For example, I much preferred the old USENET model, and I wish something like "USENET v2" would come out as a blend of the web (for presentation only...dhtml rules but http sucks) and file distribution/management something like a cross between bittorrent and akamai.

Friends of friends are sometimes not friends

[FunWithHeadlines]

"On the other hand, friendships are not a good predictor for recommendations since your friends often have different interests from you."

That's been one of the little mysteries in my life. You know you have Friend A and Friend B, and you like them both a lot? Then one day you introduce A to B and realize they don't like each other...at all. Yet you still like A and you still like B.

Some part of your personality is responding to something each of those people has, yet clearly they are each appealing to a different part of your personality, and sometimes those parts don't get along! :)

Interesting

[brontus3927]

Interestingly enough, this Firefox extention is more or less the same premise that someone on K5 thinks would be the perfect base of a p2p file sharing program. But like others, I think the problem is friends don't share the same interests a lot of times, especcially to the same degree. My friends all have the same basic interests: computers, music, movies, and sports. However, for friend 1, the priority is music, movies, sports, computers. Friend 2 is music, sports, movies, computers. My priorities are computers, movies, music, sports.

I think a hybrid approach between a social network and Amazon recommendations would be ideal. Based on bookmarks and preferences that you post to the server, an algorithm could reccomend other uses with similar tastes. I could then agree or disagree (on a 10 point scale) with the recommendation. That user would then enter my network, and I could browse other users in their network. You would be able to see their rating by other users. Additional ratings would refine the algorithm's ability to find new "friends" You would be notified when someone made you their "friend" so you could check them out and decide whether or not to reciprocate.

You don't want Trust.... We want Experts

[TedTschopp]

You want something else. There are different dynamics where you trust people. For example, no one should trust me with regard to South American history and politics. The reason, I know nothing about those areas. There needs to be a connection between Trust and areas of knowledge.

For example, I trust my parents, but I would never trust them to make decisions about computers. But if it came to building a building, I'd trust my father a bit more as he is an architect and his field is related to the construction of buildings. But I would never trust my mom regarding that. Now if the issue was the development and educational patterns of children in a bi-lingual situation, I would trust my mom, but I would never trust my father. He isn't a highly trained educator, he is an architect.

This type of trust network is good, but really is just an extension of the database that AOL has had for their buddy lists on AIM for years.

What is really needed is a way to rate peoples expertise in areas. If this can be done, a whole new dynamic internet could be formed.

Just one example of this would be to filter Wiki articles based on the level of expertise that author has in the subject.

Another example would be to filter all the recommendations you see on amazon. Wow, an English professor at Oxford recommends I read this book about the development of the symbolic languages, perhaps I should pay attention. -OR- Wow, this Policy Wonk who works for this special interest wants me to trust his opinions about the enviroment. Nope!

So to restate it, we need an Expert Network, on top of our Trust Network. And the trust networks are already in place. Just use any IM network, and apply a trust value to that connection. Now getting the Expert Network established, that's another problem. Perhaps tying a connection between each user and a DMOZ catagory. Or something along those lines.

Ted Tschopp

Re:You don't want Trust.... We want Experts

[wanderingstan]

You're might trust sources in only specific areas. The shot at this, IMHO, is tagging (which I wrote about here)

Outfoxed uses tags to help resolve conflict within the database. If two equally-trusted informers give conflicting reports on a page, tags can be used to break the tie. When a user adds an informer, they can add tags indicating particular areas where this informer is trusted (or not trusted). For example, if your friend Bob is a good car mechanic but with very different political views from you, you might give him the tags "car repair auto -humor -funny". This means that his reports will take preference on pages tagged as auto, repair, or auto, and that his reports will be deprecated on pages tagged as humor or funny.

[Disclaimer: This feature isn't implemented yet, although all the tagging hooks are in place.]

But I don't think it's a ship-sinking issue for Outfoxed. It only tries to present you with the most relevant metadata for what you're doing, which you can look at or ignore.

And all things being equal, someone trusted by you is more likely than a stranger to share your values about what constitues good, bad, boring, funny, etc...

Re:Social networks cannot save us from dumb friend

[wanderingstan]

"Against stupidity even gods struggle in vain."
-Schiller

Nice article on BBC (via) about how most users don't even know the words for threats on the internet.

Confusing "geek speak" used by experts and media included "phishing", "rogue dialler", "Trojan" and "spyware".

Eighty-four percent did not know that phishing describes faked e-mail scams.
...
A quarter said they knew what "spyware" was, although almost one in 10 of those thought it was a computer program that kept an eye on unfaithful partners.

This is why I something like Outfoxed is needed: Even if you had magic browsers which could tell users "This is a phishing website," most users wouldn't even know that this was a bad thing!

The bottom line is that telling people to "get smart" will not help a computer novice who doesn't know the difference between Gator and Macromedia.