Fighting Spam on Tagged

Spam is a problem that plagues most social websites, and Tagged is no exception. On the Security team, we think about spam all the time. For those who aren’t as familiar with the issue, I’d like to share details about our team’s motivation for building the solutions we have put in place.

Fighting spam is a constant battle between security agents and spammers. It’s an area of software development that is truly a virtuous cycle of advancement since both sides are actively trying to outsmart each other. These challenges have helped me grow professionally by forcing me to become accustomed to some of the leading-edge techniques being used in the industry right now. Machine learning in particular has taken the spotlight in the software industry as a means to present users with more relevant information. In the case of spam on Tagged, our system learns what content looks bad and then blocks or deletes it.

Spam detection and prevention is a perfect opportunity for investment at Tagged since the area directly ties back to providing a great user experience. Nobody should think that the Internet is a scary place where one wrong click can be a costly mistake; our goal is to create a safe environment for our users. We continue to have room for improvement in this area with blocking spam and removing fake profiles. At the core, Tagged should be a site for real people to come and connect with other real people.

The most important takeaway I’ve learned from working against spam has been that solutions do not need to be as daunting as the problem. It’s easy to get caught up in solving edge cases or trying to think too far ahead, and sometimes it doesn’t hurt to just try something and see how well it works. Some of the more successful techniques being used against spam are surprisingly intuitive and simple at their core. For example, rather than using some complicated heuristic for labeling what content should be called “spam,” we can just crowd-source the problem to our users by looking at the results of the spam reports they submit. Although there is a lot of noise in this data, the important cases do bubble up. These results can then be used to feed data into our automated systems.

The Security team is dedicated to protecting our users, and one of our core values at Tagged is “Users are #1.” With over 330 million members, we are always trying to stay ahead of the game so that anyone who visits Tagged can have a great experience.


Andrew Neilson is a Software Engineer on the Security team at Tagged with a passion for making ice cream and playing hockey. You can follow Andrew on Twitter.

Security for Real Life

Today with many of my colleagues, I’m off to RSA Conference, a five-day event focused around information security. While getting ready for the conference, I spent a little time reflecting on my personal security practices and lessons I’ve learned over the years.

Once upon a time I played a very fun game called how many email addresses can I have? That soon expanded into how many online merchants will I shop with, how many blogs will I update and how many game and news sites will I participate in?

Around this time I cleverly decided that my master passwords for “work stuff,” “school stuff” and “personal stuff” should all be different — just in case. I’ve always been paranoid, so all of the passwords were eight-plus characters with numbers, a healthy mix of upper and lowercase letters, and some special characters thrown in. Of course, not all sites allowed long strings or special characters, so I had a few shorter passwords available for sites that limited password flexibility.

By the time online banking and e-pay options took off, I had a whole new crop of passwords to remember. Financial passwords, health-related benefits passwords, government passwords – the game was a little higher stakes and so of course each of those sites needed their own passwords.

This inspired a mental model redesign: in addition to having different passwords for “work,” “school” and “personal,” I started stratifying by risk level. I had throw-away passwords for sites that I rarely use and don’t have much info on me that needs protecting, all the way up to unique, highly complex passwords for sites that, if my account was compromised, could have an impact on my privacy or productivity. These “families” of passwords worked for the most part, though I have to admit the buffer in my brain for passwords was starting to overflow.

The train went off the rails when sites that used email addresses as usernames started getting compromised en masse. Now, my entire families of passwords needed to be replaced. As a result, I’ve given in — I can’t remember them all! Instead, I’ve gotten software that will securely store all my passwords in one place, regularly backed up to multiple locations (and in encrypted form, naturally). I have it set up to be available on all my regularly used devices and the software will create passwords for me too. These are randomly generated strings with as much complexity as I like!

I’ve also opted into SMS or mobile device-based authentication where possible, so that if someone hijacks a session or brute forces my password, I have an added level of security. SMS-based authentication for users was recently introduced at Tagged and I’m excited that so many users have opted into stronger security.

As an industry, we used to assume that more security meant more inconvenience, but simplifying strong authentication has definitely made my life more convenient! So no more password families and no more password construction “rules.” Just easy, secure authentication wherever I go online.

I use 1Password and I’ve heard good things about several password management options available on the market. Lifehacker gives a nice roundup of its top five.


Allison Miller is the Director of Security and Risk Management at Tagged.