Pic of the Week: Assange vs Zuckerberg
Stumbled across this picture this week, and although it’s quoting Bill Hader playing Julian Assange in the Saturday Night Live skit below, I feel the message still makes a point. It’s probably worth reminding people that Assange was voted Person of the Year by the readers of TIME magazine. In that same vote Zuckerberg came in at a lagging 10th place. I know… how Zuckerberg got it confused me too.
[Update] Here’s an Assange/Zuckerberg mashup picture of the quote above:
Facebook Hackers from the Future!
I got this email from Facebook today, and apparently my account was accessed on an iPhone by someone in the future! OMG HAX.
Either today is the day I successfully complete my time machine (made exclusively from broken pieces of the Large Hadron Collider) – or hackers in the future are wreaking havoc in my account, and there’s nothing I can do about it! At least Facebook were kind enough to notify me…
In reality this is happening because I’m in GMT+11 and Facebook’s servers in San Francisco are in GMT-8, making for an awesome 19-hour time difference. Unfortunately this makes my story far more mundane, so I’m sticking with hax0rs from the future. I think the guys at Facebook may want to disambiguate this email somewhat by including the date/time in UTC.
If you too want to be notified when there are unexpected logins to your Facebook account, check out my post on Facebook’s Suspicious Login Tracking.
Plugin to Disconnect: Regain Browsing and Search Privacy
Ex-Google employee Brian Kennish has been developing a web browser plugin dubbed ‘Disconnect’, which aims to restore users’ web browsing and searching privacy on a number of major sites. The plugin, which currently supports Google, Facebook, Digg, Twitter and Yahoo, blocks uniquely-identifying cookies which are used to track individual users’ browsing activity and searches. Brian also created ‘Facebook Disconnect’, which prevents Facebook from tracking you on any website that uses the Facebook Connect functionality.
Both of these plugins de-personalize your normal browsing and searching, whilst allowing you to continue using services like Google and Facebook normally. You can see which cookies are being blocked in real-time, and unblock any that you may want. Note that the search de-personalization currently only works on the google.com domain (not local country domains).
At the moment these plugins are only available for Chrome and RockMelt (a new social media-embedded browser I just heard of), but a Safari extension and Firefox add-on are on the way!
Facebook Announces Centralized Messaging
I was tempted to title this post “How Mark Zuckerberg Reads Your Email”, but never mind…
Facebook today announced that they have developed centralized messaging functionality, which will allow people to communicate over a variety of different mediums ‘seamlessly’. Soon you’ll be able to send your friend a text message that they receive as an email (or chat, or message, etc). Facebook have basically created a mechanism where any text-based communication to or from an individual, whatever the medium, is organized into a single thread.
In theory I find this to be a great idea. Seamless messaging is something that would solve many problems, and make life a bit easier. Unfortunately there are a few issues that I can see:
- Centralized Messaging: By virtue of this service’s actual design, I’m concerned about storing absolutely all of one’s communication in one place. Currently if someone can get into your email, they can read your mails; if they can get into your Facebook, they can read your messages and chats; if they can steal your phone, they can read your SMS. If someone adopts Facebook’s approach to centralized messaging, all of their correspondence is in one place. This means that if your account, or Facebook itself, is compromised, the entirety of your correspondence is compromised.
- Non-synchronous Communication: Let’s face it… if I want to chat to someone, I will knowingly use a chat client. Why? Because I’m prepared for that style of short and quick communication. Email, on the other hand, is not as agile. Although it’s not uncommon to rapidly exchange several emails in the space of five or ten minutes, you wouldn’t want to have a full conversation using that medium. The issue here is that people who prefer chat or SMS will attempt to communicate with people who prefer email or messages. Each medium invokes a different behaviour and expectation. As a result, an email user will receive tons of really short chat-style one-liners filling up their inbox (with subjects like “(No Subject)”), and SMS users will (somehow) be receiving long-ass messages from email or message users.
- Perpetual Storage: At the moment if I send someone an SMS, I know that message will probably get deleted eventually when they choose to prune their texts. I also have a tiny bit more faith that SMS isn’t as easy to intercept, and generally only the person with access to the corresponding phone will be able to read it (as opposed to email where anyone with the username/password or able to intercept the network traffic can read them). If I send someone a message on AIM or some other IM, that message will usually only be logged on their local machine (if at all). In this new model, Facebook users, as well as non-Facebook users corresponding with Facebook users, would be delivering their conversations to Facebook for perpetual storage (they advertise this as a feature). Note that it’s not yet possible to delete an individual message from a conversation – you’d have to delete the entire conversation.
I want to like this feature, and to be honest centralized messaging in some form (not necessarily Facebook’s) is the future. Unfortunately that will mean entrusting much of our correspondence to some entity, and that entity (be it Google, Facebook, or someone else) will undoubtedly come under fire for having such a dangerous amount of insight and monopoly over the way we communicate.
Facebook Game Producer Sued for Privacy Infringements
Zynga, developers of many popular Facebook games including Farmville, Mafia Wars and Texas HoldEm, are being sued (class-action style) in Federal Court for supposedly transmitting sensitive personally identifiable information about their users. Zynga users are forced to provide information such as name, gender and address when registering. Passing this personal information onto a third party is a violation of Facebook’s own ‘privacy policy’, as well as certain state and federal laws. The Wall Street Journal recently carried out an investigation into Facebook’s privacy practices, and found that many Facebook apps transmit personally-identifying information.
If the lawsuit is successful, Farmville users will be compensated with three cows and a donkey each. *snicker*
Facebook Introduces One-time Passwords and Remote Log-out
Hot on the heels of my last post about Facebook’s Suspicious Login Tracking, the social networking site has just introduced two additional authentication/session security mechanisms. The first news item is the introduction of one-time passwords, with the aim of increasing account security for those who log into Facebook on public or shared computers.
The proposed one-time password mechanism would require you to register your mobile phone number with Facebook. You would then be able to text “otp” to 32665 (currently U.S. only), and Facebook would send back a single-use password for your account that expires after 20 minutes. This feature will become available in the coming weeks.
Although it’s a good idea in theory, and helps mitigate against malware or key loggers, it also makes targeted attacks easier to perform. It is easy to lose one’s phone, or even leave it unattended. If an attacker can get to your phone for a minute, they may be able to get a one-time password for your account. How Facebook actually implements this remains to be seen.
The second feature they introduced, available now, is the ability to remotely sign-out a session. Remember that time you logged in to Facebook at your friend’s house, and forgot to log out, resulting in a slew of embarrassing posts and images being posted on your behalf? With this feature you may have been able to prevent that by logging in to Facebook and then killing that session. I think this is a great feature, and would be useful in other long-session-based services such as Gmail.
You can find this by going to Account -> Account Settings -> Account Security. Your current session will be shown under ‘Most Recent Activity’. If you see anything under ‘Also Active’ that you don’t recognise, just click ‘end activity’ and Facebook will delete the server-side session ID for that session.
Facebook’s Suspicious Login Tracking
This is kind of old news, but I’ve only recently become acquainted with Facebook’s tracking of suspicious logins. If you only use a couple of devices, or haven’t traveled around much, you may not have come across these recent security additions to the authentication mechanism.
When logging in to Facebook, the site looks up the last location you logged in from (by geolocating the IP address), and compares it to a list of ‘known’ locations. If the location the user is logging in from is beyond a certain ‘distance threshold’ from the known locations, the user will be challenged. There are two types of challenges that can be chosen; the first is to recognise friends based on their picture (a solution I find both elegant and effective); the second is to answer a pre-set security question. If the user fails both of these challenges (I did… go figure), they have to wait an hour before trying again.
The next time you successfully log in, you will be alerted to any recent suspicious login attempts, complete with a geolocated map of that attempt’s location (see screenshot).
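As an added illustration (not Facebook’s code, which isn’t public), here is a toy model of the check described above: each password-correct login is compared against the user’s trusted locations using great-circle distance, anything beyond the threshold gets a challenge, and a failed challenge is queued as an alert for the next successful login. The coordinates, the 500 km threshold and the user name are constructed; a real deployment would geolocate the client IP to obtain the point first.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

class SuspiciousLoginTracker:
    """Decide whether a password-correct login from a geolocated point is trusted."""

    def __init__(self, distance_threshold_km=500.0):  # threshold is a constructed value
        self.threshold = distance_threshold_km
        self.known = {}   # user -> list of trusted (lat, lon) points
        self.alerts = {}  # user -> suspicious points not yet shown to the user

    def login(self, user, point):
        """Return 'allow' (and remember the point) or 'challenge'."""
        points = self.known.setdefault(user, [])
        # First login ever: nothing to compare against, so trust it.
        if not points or min(haversine_km(point, p) for p in points) <= self.threshold:
            points.append(point)
            return "allow"
        return "challenge"

    def challenge_result(self, user, point, passed):
        """Passed challenge: trust the location. Failed: queue an alert for the user."""
        if passed:
            self.known.setdefault(user, []).append(point)
        else:
            self.alerts.setdefault(user, []).append(point)

    def pop_alerts(self, user):
        """Alerts to show (and clear) once the legitimate user logs in again."""
        return self.alerts.pop(user, [])

# Constructed sample coordinates standing in for geolocated IP addresses.
SYDNEY, PARRAMATTA, SAN_FRANCISCO = (-33.87, 151.21), (-33.82, 151.00), (37.77, -122.42)

if __name__ == "__main__":
    t = SuspiciousLoginTracker()
    print(t.login("alice", SYDNEY))         # allow (first login)
    print(t.login("alice", PARRAMATTA))     # allow (~20 km away)
    print(t.login("alice", SAN_FRANCISCO))  # challenge (~11,900 km away)
    t.challenge_result("alice", SAN_FRANCISCO, passed=False)
    print(t.login("alice", SYDNEY), t.pop_alerts("alice"))  # allow [(37.77, -122.42)]
```

The one-hour lockout after two failed challenges is not modelled; it would sit in front of `login` as a per-user cooldown.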
This feature has been added to Facebook’s authentication mechanism, and is thus on by default for all accounts. There is another feature however, that is not on by default, but is also interesting. You can set Facebook to notify you whenever a new computer or mobile device is used to log in to your account. This setting is found under Account Settings -> Account Security -> Login Notifications.
Thought this would be of interest to anyone looking to further secure their use of Facebook. Check out their full blog post about these features.
Disable Facebook Places – or – Location-Stalking for Fun and Profit
In a direct strategic offensive on Foursquare’s service and a long-term plan for world domination, Facebook recently introduced their own service dubbed Places. These two services allow users to ‘check-in’ to virtually any venue/event, thus sharing their location with friends (or the world). This introduced an awesome new sport known as Foursquare stalking, where one could follow the check-ins of known or random people (eg. by searching for 4sq.com on Twitter Search), call up the venue they are currently at, and ask to speak to the person… and then do this for every location they check-in to. Tremendous fun. The guys at PLA Radio had fun prank-calling people using this, with amusing results.
Apparently the bald fat guy below just got home. Since he is kind enough to post the actual location of his domicile, all a thief has to do is wait until he checks-in somewhere far away, and then proceed to leisurely rob him of all his stuff. Sorry baldfatguy… didn’t mean to pick on you but you were at the top of the list.
Surely Facebook’s entry into this domain will allow for more stalking goodness. Another interesting perspective is using Places to create an alibi by spoofing one’s GeoLocation. Anyway, onto the essentials. At least most of us can just avoid using services like Foursquare… but if you have a Facebook account, it’s yet another privacy setting you will have to set yourself.
To Disable Places: Log in to Facebook and go to the Privacy Settings. Click on Customize Settings at the bottom, and then modify the Things I Share settings (you will need to select Custom from the dropdown menu in order to choose Only Me). These settings are only important if you do actually use Places.
Next go down to Things Others Share, and uncheck Friends can check me in to Places.
Facebook (finally) adds ability to delete accounts
Facebook has finally added the ability to actually delete – not just deactivate – one’s account. Until now, the only (easy) option has been to ‘deactivate’ your account, which simply removes you from searches and prevents you from logging in (although you can very quickly re-activate). I say ‘easy’, as there did exist a very convoluted delete process. That said, however, they still don’t seem to have made the delete option available to everyone – or they’ve made it particularly hard to find – as I still seem to be stuck with ‘deactivate’.
Even if you can’t find the option in your Facebook settings, you can delete your account by visiting this page (confirmation required) which states:
If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would like your account deleted, then click “Submit.”
After submitting an account deletion request you will receive an email informing you that your account will be deleted in 14 days (unless you log back in). Note that if you have your Twitter or YouTube accounts linked to Facebook, then an update from either of these within the 14-day period will also abort the deletion process.
This is in contrast to just deactivating, which, as described on Facebook’s deactivation page, leaves you exposed:
Even after you deactivate, your friends can still invite you to events, tag you in photos, or ask you to join groups.
… so much for ‘deactivation’.
It should probably be noted that although deleting your account will probably automatically remove any content you’ve posted on Facebook, they still reserve the right to retain your information, and you can also be certain that everything you’ve ever posted or done on the site will remain in the slews of hourly backups that are performed and undoubtedly retained for a couple of years. There’s no way they are going to go to the effort of clearing their backups of deleted accounts (also, that information is worth far too much to them to delete).
The following extract from Facebook’s Privacy Policy outlines the limitations of such account removals:
Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies. But they will no longer be able to access the information through our Platform after you disconnect from them.
Despite my strong views towards privacy, I’m not a complete Facebook hater; it does have its uses and I do have a (very spartan) account there. I just want to help highlight the potential risks and issues associated with the recent rapid increase in online information disclosure, and unfortunately the only way to win this particular privacy game… is to avoid playing in the first place.