Scott Hanselman

Facebook's privacy settings are too complex for ANYONE to use - Change these settings today

April 13, '12 Comments [19] Posted in Blogging

The Friends privacy setting on status updates extends to tagged friends and their friends

My wife is quite a bit smarter than I am. She is also more educated than I am. Frankly, I'm happy she talks to me at all.

She put a photo on Facebook last week of her and a friend and was careful to double-check that the photo was set to "Friends only."

A few days later she rushed in and told me that she thought the photo was public even though it was set as Friends only.


"Because random people that I don't know are commenting on this photo! Like, who is this guy? I don't want him to see this - I don't know him! Why did they let non-friends see it?"

I looked for a minute and noticed that she had "tagged" her other friend in the photo as in this example photo below:

A photo in Facebook with 4 people "tagged"

In this photo there are four people tagged. When you tag someone they are notified that they've been tagged, and they can remove the tag, which removes the photo from their "photos of me" list. The photo above is totally public, but let's say it was posted by me and I tagged my three friends and marked it as "friends only."

Who can see the photo of me and my 3 friends? Who can see the photo of my wife and her friend when the photo is marked Friends?

Who sees the photo? The union of all our friends!

Answer: The union of all the friends of everyone tagged in the photo. If someone else sees the photo and tags some more people, the circle of visibility for that photo or post expands.
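The rule above as a small model, added here as an example (it is not from the original post, and the friend graph and names are constructed). It computes who can see a "Friends" post once people are tagged, and for each viewer outside the poster's own friends, which tag let them in. It assumes the tagged people are already friends of the poster.

```javascript
// Constructed friend graph: each person maps to their list of friends.
const FRIENDS = {
  wife:  ["scott", "amy", "bea"],
  scott: ["wife"],
  amy:   ["wife", "bea", "carl", "dina"],
  bea:   ["wife", "amy", "erin"],
  carl:  ["amy"],
  dina:  ["amy"],
  erin:  ["bea"],
};

// Audience of a "Friends" post: the poster, everyone tagged,
// and the friends of each of them (the union described above).
function audience(graph, poster, tagged) {
  const viewers = new Set();
  for (const person of [poster, ...tagged]) {
    viewers.add(person);
    for (const friend of graph[person] || []) viewers.add(friend);
  }
  return viewers;
}

// Viewers the poster did not choose: people who are neither the poster
// nor the poster's friends, mapped to the tags that exposed the post to them.
function unintendedViewers(graph, poster, tagged) {
  const intended = new Set([poster, ...(graph[poster] || [])]);
  const report = {};
  for (const tag of tagged) {
    for (const friend of graph[tag] || []) {
      if (intended.has(friend)) continue;
      (report[friend] = report[friend] || []).push(tag);
    }
  }
  return report;
}

// One tag: the post reaches two people the poster has never met.
console.log([...audience(FRIENDS, "wife", ["amy"])]);
console.log(unintendedViewers(FRIENDS, "wife", ["amy"]));
// A second tag widens the circle again.
console.log(unintendedViewers(FRIENDS, "wife", ["amy", "bea"]));
```

Removing a tag from the `tagged` list shrinks the result again, which is the lever the tagging settings discussed below control.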

This may seem obvious to a software engineer or someone with a background in set theory but it's not obvious even to smart regular folks. It certainly surprised my wife although she gets it now. Here's the thing, though. Now she says she really is less likely to put photos on Facebook and certainly less likely to tag folks in photos.

Confused a little? There's more. Recently my programmer man crush and favorite Canadian Reginald Braithwaite wrote a post called When you share personal data with Facebook friends, you're sharing your personal data with every app your friends use. Read that title again.

Remember that when you aren't paying for something (like Facebook), someone is paying. The advertisers are paying and you, your friends and all your info are the product.

Reginald points out that when you grant an application (Farmville, etc.) in Facebook access to your profile you are often granting that application access to your friends' personal information. That means that your annoying friend who is always pushing the Mob Wars invites has likely granted an application access to your information by proxy.

UPDATE: When you are sharing something, note that you can pull down the privacy dropdown, select Custom and make changes, then hover your mouse over the gear to get a plain English tooltip showing the resulting visibility of this update:

The tooltip will show the resulting visibility of the post

Your Homework - and pass it on

Go log into Facebook and in the upper right corner click Privacy Settings:

Privacy settings in Facebook is in the upper right corner

Then, spend some time in these two areas of Settings: Timeline and Tagging, and Apps and Websites.

Update your facebook privacy settings

Under tagging you can choose what happens when someone tags you and tags that friends add to your own posts or photos. You can also control tag suggestions. You can lock this down as much as you want.

Check your Timeline and Tagging settings in Facebook

Next, click on Apps and Websites and freak out when you see how many you (or your teen) have added. You can remove them as you like. Most importantly, click on "How people bring your info into apps they use."

Review the "Apps you use" at Facebook

How much of this info do you want your friends sharing with their applications? Turn this stuff off.

Uncheck all the checkboxes at "How people bring your info into apps they use."

And finally, check out the Public Search option. Do you want Facebook and your public timeline to show up when someone Googles for you or your child? If not, turn this OFF.

Turn off your Facebook public search settings

You can also go back in time and "limit old posts." This will take posts from years ago when you didn't know this information and make them visible to friends only.

Limit the visibility of old posts

Facebook will likely try to talk you out of it. Use your judgment.


Now, for a fun over-dinner exercise try explaining this to your 14 year old and why everyone should be careful about information leakage. Seriously. At least try.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Technical Analysis: The Abercrombie and Fitch Brown Pants Fiasco, "Splogs," and you

March 22, '12 Comments [25] Posted in Blogging

Offensive Abercrombie and Fitch Pants on a Chinese Knockoff Site

WARNING - This post will ultimately lead you to sites using offensive racial terms.

My Twitter friend Wesley pointed me to this apparent Abercrombie and Fitch website advertising a pair of N***** Brown Pants. Here's a screenshot if that link dies. After the shock and frustration wears off, you ask yourself "How could this happen?" This link is spreading all over Twitter and the social web right now, and I'm sure that the Abercrombie PR machine will jump on it when their Twitter person wakes up.

Let me walk you through a few things.

  • First, what a technical-type person does (or should do) in this situation.
  • Second, why the internet is WAY WAY more screwed up than you ever thought
  • Third, why no one should really be buying anything on the web.

The Technical Details

While it's possible that an idiot at Abercrombie entered the N-word text, my eye immediately went to the domain:

Note the dashes and the "and?" No internationally-known and copyrighted brand would have such a lousy domain. I'd expect, full stop. In fact, it is.

I loaded up Domain Tools to see who owns this obvious knockoff. Like actual physical knockoffs of pants, there's no good way to tell what's real and what's not. I hit:

Registrant Contact:
   su ye
   ye su 
   +86.095156230147 fax: +86.095156230147
   NO.217 North Street, Yinchuan Qinghe
   yinchuanshi ningxia 750000

The domain is registered in China. OK, this is NOT Abercrombie's site. It can also be confirmed by the poor English on the site's about page as well as the throwaway reference to Chinese piracy:

A&F is the favorite brand of American college students, a lovely deer printed on the front of the youth fashion. Its fashion and personalized style always the certain reason some youngsters follow. Nowadays, Abercrombie and Fitch piracy in China has spread to unimaginable proportions. Soft cotton is comfortable in the apparel.

OK, so how much of a problem is this and these pants? The combination of the N-word along with a unique brand name like Abercrombie makes for a good hash. That means these words together, especially if you add "pants," make for a search term that is unlikely to happen in the wild.

It's worse than you think

If we then Google for the four words together (forgive me) you can see hundreds if not thousands of fake domains. For Example:


You get the idea. There are at least hundreds. All with the same pants, all registered in China. I can't imagine, sadly, that there's ANYTHING that Abercrombie could do about this except try to get the domains shut down - one by one.
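The tell used above (a brand name padded with dashes and filler words, on a domain the brand does not own) can be checked mechanically when you have a pile of hostnames to sort through. This is an added example, not from the original post: the brand `examplebrand`, its official domain and the sample hostnames are constructed placeholders, and the registrable domain is approximated as the last two labels.

```javascript
// Constructed placeholders: the brand's own registrable domains and name token.
const OFFICIAL_DOMAINS = new Set(["examplebrand.example"]);
const BRAND_TOKEN = "examplebrand";

// Constructed sample input (reserved .example/.test names, not real sites).
const SAMPLE_HOSTS = [
  "https://www.examplebrand.example/pants",
  "http://example-brand-and-outlet-sale.test/",
  "examplebrand.shop.test",
  "news.example.org",
];

// Assumption: registrable domain = last two labels. Real code should use the
// Public Suffix List so that names under "co.uk" and similar are handled.
function registrableDomain(host) {
  return host.replace(/\.$/, "").split(".").slice(-2).join(".");
}

function classifyHost(input) {
  let host;
  try {
    // Accept a bare hostname or a full URL; the URL parser lowercases the host.
    host = new URL(input.includes("://") ? input : "http://" + input).hostname;
  } catch (e) {
    return { host: input, verdict: "invalid", reasons: [] };
  }
  const reg = registrableDomain(host);
  if (OFFICIAL_DOMAINS.has(reg)) return { host, verdict: "official", reasons: [] };

  // Ignore dashes and dots so "example-brand" still matches the brand token.
  const squash = (s) => s.replace(/[-.]/g, "");
  if (!squash(host).includes(BRAND_TOKEN)) {
    return { host, verdict: "unrelated", reasons: [] };
  }

  const reasons = ["brand name on a domain the brand does not own"];
  const label = reg.split(".")[0];
  const dashes = (label.match(/-/g) || []).length;
  if (dashes > 0) reasons.push(dashes + " dash(es) in the registered name");
  if (/(^|-)and(-|$)/.test(label)) reasons.push('filler word "and" in the name');
  if (!squash(label).includes(BRAND_TOKEN)) reasons.push("brand only in a subdomain");
  return { host, verdict: "lookalike", reasons };
}

// Keep only the hosts that need a closer look.
function triage(inputs) {
  return inputs.map(classifyHost).filter((r) => r.verdict === "lookalike");
}

console.log(triage(SAMPLE_HOSTS));
```

A "lookalike" verdict is a reason to check the registrant, as done with Domain Tools above, not proof on its own.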

How could your Mom possibly know this?

These are automatically generated sites, like "splogs." Splogs are spam blogs. They aren't real stores, there aren't real people behind them. They are almost like computer viruses, except they make stores. In this case, it appears that someone in China at some point designed a system that could churn out fake stores from a single database. That's why these pants keep appearing on hundreds of other sites.

Imagine if you just wanted a regular pair of pants and didn't see this pair? How could you possibly tell if this is the site you want? There's no good way. Here's what you CAN do.

  1. Make sure the URL starts with https:// when you are checking out.
  2. Click the lock in your URL and see if the company name looks legit. Sadly, these can be faked also, but it's a start. HTTPS (SSL) doesn't mean "I can trust this site," it means "this conversation is private." You still might be having a private conversation with Satan.
    Check the lock
  3. Even better, if your Address Bar is green, click on it! This is a special "high trust" certificate that says you are really talking to who you think you are. This screenshot means "I am having a private conversation with a company that is KNOWN to be Twitter." Banks and big companies often use these special certs.
    Green Address Bar is good

Ultimately, you, me, Mom and the Web need to develop a better "Internet Sense of Smell." The bad guys want our credit card numbers and will do everything they can to get them, even make ten-thousand fake Abercrombie and Fitch sites.

UPDATE: Thanks for the comments! If you (or Mom) had the Web of Trust installed, this is what you would have seen when visiting an evil site like this. I'm installing this free tool on Mom's machine today.

web of trust

Good luck out there. It's a messed up web.


Why You Should Never Argue in 140 Characters or Less - Geeklist

March 22, '12 Comments [39] Posted in Blogging | Musings

There is a fascinating "storify" (a list of tweets with commentary that make up a story of what happened on Twitter) by Charles Arthur about an uncomfortable back and forth on Twitter between Shanley Kane, an engineer at Basho, and Christian Sanz and Reuben Katz, the founders of

UPDATE: Here is a link to's apology.

The nutshell is that Shanley came upon this ridiculous video (photos here) of a girl in her underwear dancing around with a Geeklist T-Shirt. According to the Geeklist site, it is an "achievement-based social portfolio builder" for developers. Programming is an intellectual pursuit and any kind of "-ism" is totally inappropriate. In this case, immature sexism is a huge turn off. It's been a week of sexism in technology on the Internets.

But this post is less about that, as we can all agree that girls dancing in their underwear is a poor way to promote programming. I want to talk about Twitter, your Customers, your Brand, and Bile.

Shanley tweeted to the founders of Geeklist a totally reasonable question.

At this point, Geeklist should have recognized what Shanley was really saying. This was a chance for them to re-notice the video in context and be reminded it should probably not exist. Instead, they replied with a non-answer answer with no recognition of the underlying question.

OK, a little dense, but here's where it goes south. Shanley, who is clearly and rightfully upset, asks that they take it down but she drops an F-bomb. Fine, she's pissed, not the point.

Boom. Stop there. You've got a customer who is upset, rightfully so, about an -ism, also a hot button. She's reaching out to you to validate her frustration AND most importantly handle your business. Every time a person reaches out to you on Twitter, it's a chance for you to put your best foot forward. This is the first impression. Get it right. You have only 140 characters.

At this point there's no turning back. It doesn't matter at this point that the video in question was made by a friend of Geeklist. It doesn't matter that Geeklist is/was a good product. What matters is that the founders were thoughtless in their response on Twitter.

Twitter is not chat, it's not IRC. And even if it was, the thing that I see companies forget over and over and over again is this. Companies need to know: You're on the Internet. Things that you say here matter and will be archived forever and repeated.

Shanley then nails it with this tweet:

This is Geeklist's last opportunity to fix this. They should watch their tone, fall on their swords and handle their business. Surprisingly (or not) they go on for two dozen more tweets. It's really hard to read. Good on Shanley for not backing down. Note Charles Arthur's commentary:

[Shanley] Kane complained about a video. [Geeklist's Christian] Sanz took offence because of how he was addressed, rather than treating it as a legitimate complaint about content. Now both he and his co-founder are subtly signaling that they will make life difficult for her and her company

Stop here. Note. You will never win an argument on Twitter. You think arguments on the Internet are hard? Counting the characters until someone invokes Hitler? Pardon me while I quote myself, via Twitter.

Acknowledge your mistakes, be kind, stay positive, respond with respect and thoughtfulness. You are in public and you are teaching people how to treat you. You likely cannot win an argument online, and you can never win one on Twitter.

This story is a great example about how not to manage your brand on Twitter. Of course, in this case they were also totally wrong, but trying to argue their point in 140 characters just dug the hole deeper.


Supporting high-dpi pixel-dense "Retina" Displays like iPhones or the iPad 3 with CSS or IMG

February 21, '12 Comments [14] Posted in Blogging | HTML5

I'm loving responsive design and am slowly updating all my websites to support mobile browsers as well as tablets. Currently (this site), (my weekly podcast), (a video I sell on how to be a better presenter) as well as (where I sell my Windows Phone 7 application.)

All of this "mobilization" has stemmed from my frustration with other folks' sites that look lousy on my phone. It's SO frustrating to reach a site that could take 10 minutes and make its mobile experience 100% better.

Now that I've updated my main sites I'm tidying up a few things that continue to bug me. On my iPhone 4S with a DPI of 326 dpi, the logo on my site and a few other graphics look lousy. Why?

Well, for example, the image for the logo is a PNG that is literally 100px by 100px. This is a foreground image (not a CSS background image on an element, yes, people still use those) and it has its height and width both set to 100px. The size of the image and the img tag are both really 100x100.

A blurry image on a Retina Display

You can see that not only is the logo blurry but the search magnifying glass and social icons are as well. That's because the browser has scaled up the images to manage the super high-res display of this device. Better that they scale it up than make it too tiny. The overall size of all the other elements on the page are scaled up as well so the fonts and form elements like the dropdown are crystal clear.

There are a few ways to fix this.

Support (High DPI) Retina Display with CSS Background Images

Since I am already using CSS Media Queries to change my site's CSS for smaller screens like this:

@media screen and (max-width:720px) { /* narrow-screen rules go here */ }


I can certainly do the same and detect high resolution displays. It's not just the iPhone. A lot of the newer Nokias and HTCs have displays over 200dpi.

I could create a media query like this:

@media screen and (min-device-pixel-ratio: 2) { /* high-DPI rules go here */ }


Or do conditional inclusion like this (or -webkit-min-device-pixel-ratio):

Do your testing and be aware you likely need to use both the webkit prefix and one without:

@media only screen and (-webkit-min-device-pixel-ratio : 2),
only screen and (min-device-pixel-ratio : 2) {
    /* high-DPI rules go here */
}

You may decide that 1.5 is a better ratio for you.

The WebKit folks are thinking about this and I could use background-size like this:

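div {
    /* fallback for browsers that do not understand the size shorthand */
    background: url(logo-low.png);
    /* high-res image scaled into a 100px by 100px box */
    background: url(logo-high.png) 0px 0px / 100px 100px;
}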

Handling Foreground Images (with the IMG tag)

Ideally I should be using SVG (Scalable Vector Graphics) for my images like the magnifying glass and they'll scale everywhere. Until that day (and until I'm willing to redo all my images), I can take advantage of the way the IMG tag has always worked. We know that nothing is sadder than a small image that has been scaled up by incorrect width= and height= tags.

Since my image is only 4k, I decided to make a high-res 200x200 image and mark the width and height attributes to 100px. Stated differently, I'm sending more pixels than needed and scaling them down. The result is that it looks clear on high res displays and the same as it did before on regular displays. Here is a screenshot with the retina Logo file.

A super clear image on a Retina Display

It is true that I'm sending more data than I need to here. I am sending a 4kb image when the 100x100 original is 2kb. I can solve this by switching to a background image and using the conditional CSS options outlined above.

In this case it's a reasonable tradeoff and I'm happy with the result. It's a good solution for small images like this. For the social images I will likely want to sprite them and create both regular and "@2x.png" versions of the sprite.

Small, Medium, Large, FullSized

The problem isn't just with high-res images, it's also that we want to send the minimum number of bytes across the 3G wire while still offering the mobile user the chance to download the full sized images if they want.

I really wish that LowSrc still worked. I was talking to Jeremy Keith about this last week and he mentioned he just blogged the same thing! This was how we did things when we were all still on dialup. (And as Jeremy points out, we also often used ALL CAPS and omitted quotes! ;) )

my logo

It seems that LOWSRC just died, however. Ironically LOWSRC only works in OLD browsers. This is a shame as it was/is useful.

Mat at AListApart mentions another side of this idea using a fullsrc attribute, except with data- for HTML5 compliance with an idea from Scott Jehl.

It's unfortunate that there isn't a clear and comprehensive technique yet to handle both the low-res, fullsrc and highdpi solution. Today you can achieve them all with some CSS3 and some jQuery/JavaScript.

A correct image tag should take into consideration:

  • Connection speed (detected as well as user-overridden)
  • Screen DPI (pixel density)
  • Responsive design image resizing
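One way to combine those three inputs when choosing which file to request, as an added example (not from the original post). The variant list, the `slow` flag, the `preference` override and the function name are assumptions; the `@2x` file naming follows the convention mentioned earlier.

```javascript
// Constructed variants of one logo; `width` is the file's real pixel width.
const LOGO = [
  { url: "logo.png",    width: 100 },
  { url: "logo@2x.png", width: 200 },
  { url: "logo@3x.png", width: 300 },
];

// Pick the smallest file that still has enough pixels for the slot.
//   cssWidth   - rendered width in CSS pixels, after responsive resizing
//   dpr        - device pixel ratio (window.devicePixelRatio in a browser)
//   slow       - true when a slow connection was detected
//   preference - user override: "full", "low", or "auto" (default)
function chooseImage(variants, { cssWidth, dpr = 1, slow = false, preference = "auto" }) {
  const sorted = [...variants].sort((a, b) => a.width - b.width);
  const smallest = sorted[0];
  const largest = sorted[sorted.length - 1];

  // The user's explicit choice beats anything we detected.
  if (preference === "full") return largest.url;
  if (preference === "low") return smallest.url;

  // On a slow link, do not pay for extra density: aim for 1x.
  const neededPixels = Math.ceil(cssWidth * (slow ? 1 : dpr));

  // Smallest variant that covers the slot; fall back to the largest we have.
  const fit = sorted.find((v) => v.width >= neededPixels);
  return (fit || largest).url;
}

// In a browser the result would be assigned to img.src; here we just print it.
console.log(chooseImage(LOGO, { cssWidth: 100, dpr: 2 }));             // retina phone
console.log(chooseImage(LOGO, { cssWidth: 100, dpr: 2, slow: true })); // retina on 3G
```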

I think a solution clearly needs to be baked into HTML5 with a solution like the ones that Mat Marquis outlines. The question before us is do we update the IMG tag or are we talking about a new tag?


Your Blog is The Engine of Community

January 5, '12 Comments [66] Posted in Blogging | Musings
Photo by Steven Warburnton - Creative Commons

In a time where there is much gnashing of teeth around the meaning of community, what being on the "inside" vs. the "outside" means, I want to take a moment to remind my fellow blog writers, blog readers, blog commenters what makes it all work.


Not a secret society or old boy's network, not a select few or someone knighted by The Queen. It's the nameless, faceless web search result that makes community work.

I search all the time for help on the internet. I find blogs, tweets, Stack Overflow, MSDN and more. More often than not when I find the answer I seek it's on YOUR blog, not mine. Often it's not on a big company employee's blog or that of the chosen few. The answer was put out on a blog, without ask of payment or recognition, by a 25-year old Persian student, or a 60-year old exploring .NET, or a high school student with a passion for open source.

I, and this blog, was that random search result for at least 5 of the last 10 years. Someone searches for help and finds my little corner of the internet. Write a few blog posts a week, with useful content, consistently, for ten years. Then write some more. All free, all because you feel good putting it out there.

I would encourage you all to blog more. Tweet less. Blogs are owned by you. They are easily found, easily linked to, and great conversations happen with great blog posts. The river of social media rushes on and those conversations are long forgotten. A great blog post is forever. Today's real-time social media is quickly forgotten.

Don't be a meme, but a movement.

Blog your opinions. Blog your cool project, or your latest useful function or library. Don't blog if it feels like work. Blog and get excited when someone comments. Often the comments are more fun and more useful than the post itself. Be passionate, but not rude. Point out failings, but suggest solutions. Organize. Invent.

Be constructive, be helpful, be kind. Make your blog posts not too long, not too short, not too stream-of-consciousness and not too terse. Remember your elementary writing classes. Have a thesis, make your argument, restate your thesis.

Share because you want to. Share because you want to help, but also because you want to help yourself. Share not for the recognition but for the love of teaching.

It takes a village, dear reader, to be a community. It's you, and me and no one in between. Now, go write, create, commit.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.