The brilliant "Don't Be Evil" bookmarklet
MG Seigler (parislemon):
Kudos to Facebook (with some help from Twitter and MySpace) for having the balls to do this. It’s a bookmarklet that replaces Google’s new “People and Pages” area, the hardcoded social search area, and the search completion drop-down, with organic results.
In other words, it makes the new Google behave more like the old Google.
Though as Watts Martin put it in his response to the story:
Facebook chiding Google for being evil is kinda like Voldemort telling Sauron he needs to lighten up about the hobbits.
Social media propaganda posters by Aaron Wood. Available on Etsy.com.
(via design milk)
Yesterday, Facebook announced some new measures intended to improve account security. You can now turn on SSL, and you can be notified when a previously unseen device accesses your account, and these are good first steps.
But this “social authentication” idea confuses me. The above image is supposedly an example of a social authentication challenge. You’re given three photos in which one of your friends is tagged and six names to choose from. Pick the right name, and you’re authenticated.
Now suppose I’m a hacker trying to break into your account, and I’m presented with this challenge. How hard would it be to look up those six people in your (public by default) friend list, and use their (required to be public) profile pictures to solve the puzzle? Actually I just did it, and the answer is Alok Menghrajani.
Clearly, then, all this approach is good for is telling humans apart from machines. Like a traditional captcha but more fun, right? But that’s not how Facebook is presenting it. Note that the following was written by a security engineer:
Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers. Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication.
(My emphasis.) Captchas don’t verify identity. “Social authentication” challenges based on public information — especially information that the service itself provides, for free, to anyone who asks — don’t do that either.
We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.
Right, hackers don’t know who your friends are. Unless Facebook tells them who your friends are, like for example by making the social graph public.
Someone once said something smart about not mistaking stupidity for malice. But if Facebook’s engineers actually believe this idea will protect anyone’s identity, then their understanding of their own product is shockingly, unimaginably poor.
I have to agree. I recently re-opened my Facebook account with the explicit purpose of keeping in touch with those friends overseas who use Facebook as their primary tool of communication. However, the first thing I did was lock up all the public-by-default settings, including friend lists. If you haven’t done this already, do it now, as Facebook has just made it way easier to abuse.
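As an added illustration of the argument above (example code written for this page, not Facebook's code), here is a toy model of a social-authentication challenge next to an outsider's view of the social graph. The data model, the `face` string that stands in for visual matching of profile pictures, and the server-side `issue_challenge` guard are all assumptions for illustration; with the defaults the post describes (public friend list, public profile pictures) every challenge's answer is reconstructable from the outsider's view, and the guard refuses to issue one until the owner hides the friend list.

```python
"""Toy model of a knowledge-based ("social") authentication challenge.

Constructed example, not Facebook's code.  It models the critique above: a
challenge whose answer can be rebuilt from data the service exposes publicly
proves at most that the solver is human, not that they own the account.
"""
from dataclasses import dataclass, replace
import random


@dataclass(frozen=True)
class User:
    user_id: str
    name: str
    face: str                          # stand-in for the person's face as seen in a photo
    friends: tuple                     # user ids
    friend_list_public: bool = True    # public by default, as the post notes
    profile_photo_public: bool = True  # required to be public, as the post notes


@dataclass(frozen=True)
class Photo:
    photo_id: str
    face: str    # face visible in the photo (constructed stand-in for visual matching)
    tagged: str  # user id tagged in the photo


@dataclass(frozen=True)
class Challenge:
    photos: tuple      # three photos of one friend
    candidates: tuple  # six names offered to the user
    answer: str        # correct name, kept server-side


def build_sample_graph():
    """Constructed graph: 'alice' and six friends, three tagged photos each."""
    names = ["Bob", "Carol", "Dave", "Erin", "Frank", "Gina"]
    friend_ids = tuple(n.lower() for n in names)
    graph = {"alice": User("alice", "Alice", "face-alice", friend_ids)}
    for n in names:
        uid = n.lower()
        graph[uid] = User(uid, n, f"face-{uid}", ("alice",))
    photos = [Photo(f"{uid}-{i}", f"face-{uid}", uid) for uid in friend_ids for i in range(3)]
    return graph, photos


def outsider_view(graph):
    """What a non-friend (someone holding only the password) can see of each user."""
    return {uid: {"name": u.name,
                  "friends": u.friends if u.friend_list_public else (),
                  "face": u.face if u.profile_photo_public else None}
            for uid, u in graph.items()}


def make_challenge(graph, photos, account, seed=0):
    """Build a challenge the way the post describes: 3 photos of one friend, 6 names."""
    rng = random.Random(seed)
    owner = graph[account]
    target = rng.choice(owner.friends)
    shown = tuple(p for p in photos if p.tagged == target)[:3]
    decoys = rng.sample([f for f in owner.friends if f != target], 5)
    names = [graph[u].name for u in decoys] + [graph[target].name]
    rng.shuffle(names)
    return Challenge(shown, tuple(names), graph[target].name)


def derivable_answer(challenge, view, account):
    """Name an outsider can derive from the public view, or None if they cannot.
    Follows the post's reasoning: resolve the six names through the (public)
    friend list, then compare each candidate's (public) profile picture with
    the faces in the photos shown."""
    faces = {p.face for p in challenge.photos}
    for uid in view[account]["friends"]:
        cand = view[uid]
        if cand["name"] in challenge.candidates and cand["face"] in faces:
            return cand["name"]
    return None


def issue_challenge(graph, photos, account, seed=0, attempts=20):
    """Assumed server-side guard (not Facebook's design): only issue a challenge
    as identity proof if its answer is not derivable from the outsider's view.
    Returns None when every attempt leaks, i.e. the check is worth no more
    than a captcha for this account."""
    view = outsider_view(graph)
    for i in range(attempts):
        ch = make_challenge(graph, photos, account, seed=seed + i)
        if derivable_answer(ch, view, account) is None:
            return ch
    return None


def lock_friend_list(graph, account):
    """The owner hides the friend list, as the comment above recommends."""
    graph[account] = replace(graph[account], friend_list_public=False)


def demo():
    """Run the model with defaults, then after the owner locks the friend list."""
    graph, photos = build_sample_graph()
    leaks = issue_challenge(graph, photos, "alice", seed=1) is None
    lock_friend_list(graph, "alice")
    after = issue_challenge(graph, photos, "alice", seed=1)
    return {"leaks_with_defaults": leaks, "issued_after_lockdown": after is not None}


if __name__ == "__main__":
    print(demo())  # {'leaks_with_defaults': True, 'issued_after_lockdown': True}
```

The guard models only the two data sources the post names (friend list and profile pictures), so it is a model of the argument rather than proof that the challenge becomes a sound identity check once the friend list is hidden; the design point is that a knowledge-based challenge should be scored against what the service itself publishes before it is allowed to stand in for a password.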