[personal profile] terriko
Every time Facebook makes a major change, you can hear outrage spread across the globe. Polls spring up with "Do you hate the new Facebook?" and yes is always in the lead. Your friends whine about it incessantly in their status messages. Petitions start asking Facebook to change things back.

It's easy to dismiss the fuss as a bunch of people who need to learn to move on. But it turns out, people are not wrong to hate every change in Facebook. They just might not be right for the reasons that they think.

As a web security researcher, I spend a lot of time thinking about what makes sites more secure, or more insecure. Every major change is likely to introduce new bugs, even as it may fix others. And the way the security model of the web works, any "minor" bug might result in major damage to you, as an individual. People store their whole lives on Facebook, which means a minor bug might expose their private stuff to anyone.

So every time the interface changes, you should probably be afraid that Facebook may be accidentally or intentionally allowing the entire world access to your stuff.

Does that mean "I hate the new Facebook!" is the new "GIRLS ONLY, NO BROTHERS ALLOWED!!!!" taped to the door? As in, you're worried Dad will leave the door open after vacuuming and you'll find your brother has played with your toys? Uncool, but really, no one who's over the age of 14 will care?

Turns out the security reality says the stakes are a lot higher. Many people keep a lot of private stuff in Facebook. It's more like Facebook said they were coming in to paint your apartment walls, but they rearranged all the furniture too and you have this feeling that they left the door unlocked and thus let strangers traipse through your apartment, maybe installing a wiretap and stealing your panties while they're there. Facebook makes a lousy landlord. Or at least a creepy one.

I don't know how to end this post. As long as Facebook is your landlord, you're subject to their whims, and you might as well get used to it. But if changes in Facebook leave you feeling maybe a little violated, that's probably exactly how you should feel.

Aaaaand...

Date: October 26th, 2009 09:35 pm (UTC)
From: (Anonymous)
...that's why I only have a placeholder page there.

Speaking of the Devil, here's some phish I just received, like clockwork:
Hey asayeed ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Attached is a zip file...

Well, at least it's not MySpace.

Asad

Date: October 26th, 2009 11:53 pm (UTC)
From: [personal profile] thorfinn
IMO, the issue is that you really just shouldn't put anything *anywhere* on The Internet that you aren't willing to shout aloud in a crowded public area full of people holding video cameras.

That's the reality of anything on the Internet, regardless of "privacy controls". If anyone can see it, anyone can copy-forward it.

To think otherwise is to be denying the reality of security.

Date: October 27th, 2009 02:44 am (UTC)
From: [personal profile] thorfinn
Urgh. Yes.

Plus I'm pretty sure if you happen to have snooped an image URL, there's no cookie protection...

And since Chrome and Opera and no doubt some other things submit all visited URLs to Google...

Whee. Flickr links to "private" albums are the same thing, etc.

If it's on the web and doesn't have https: and secure cookie with expiry login and preferably two-factor login required, it's not private... and even then, it's not really all that private.

And the fun with "but it's excluded in robots.txt that means it's secure!"... *twitch*
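The checklist in the comment above (served over https, a Secure cookie, a login that actually expires), as an added example that is not from the post or its commenters: a small Python audit of a login response's Set-Cookie headers. The URL, cookie names and the 30-day lifetime threshold are constructed assumptions, not values from the page.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Assumed policy: a login that survives longer than this is "not expiring".
MAX_SESSION_LIFETIME = timedelta(days=30)

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookie_lifetime(attrs, now):
    """Lifetime from Max-Age (wins) or Expires; None means a session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit_login(url, set_cookie_headers, now=None):
    """Return a list of findings for a login response; empty means it passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("login page not served over https")
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (sent over plain http too)")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        lifetime = cookie_lifetime(attrs, now)
        if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
            findings.append(f"{name}: lives {lifetime.days} days, longer than policy")
    return findings

# Constructed sample: a plain-http login that sets one cookie without Secure
# and a one-year "remember me" cookie without HttpOnly.
SAMPLE_URL = "http://example.test/login"
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "remember=xyz; Path=/; Secure; Max-Age=31536000",
]

if __name__ == "__main__":
    for finding in audit_login(SAMPLE_URL, SAMPLE_HEADERS):
        print(finding)
```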

Date: October 27th, 2009 03:46 am (UTC)
From: [personal profile] thorfinn
Oo, yes. Unvalidated embedded content is definitely a security layer violation. Whee.
