terriko: Evil Soup (evil soup)
2012-02-08 01:00 pm

"Active" Facebook users

There's an interesting article up on NYT regarding Facebook's definition of "active users" for the purpose of its IPO. Here's the boing-boing link to the story for those who are sick of NYT's paywall nonsense interacting badly with privacy settings. But really, the interesting part is this:

In other words, every time you press the “Like” button on NFL.com, for example, you’re an “active user” of Facebook. Perhaps you share a Twitter message on your Facebook account? That would make you an active Facebook user, too. Have you ever shared music on Spotify with a friend? You’re an active Facebook user. If you’ve logged into Huffington Post using your Facebook account and left a comment on the site — and your comment was automatically shared on Facebook — you, too, are an “active user” even though you’ve never actually spent any time on facebook.com.

“Think of what this means in terms of monetizing their ‘daily users,’ ” Barry Ritholtz, the chief executive and director for equity research for Fusion IQ, wrote on his blog. “If they click a ‘like’ button but do not go to Facebook that day, they cannot be marketed to, they do not see any advertising, they cannot be sold any goods or services. All they did was take advantage of FB’s extensive infrastructure to tell their FB friends (who may or may not see what they did) that they liked something online. Period.”

The article goes on to point out that at least Facebook tries to count engaged users, unlike the way Twitter or Google have been criticized for counting users. So don't be too hard on them for that.

But here's the real kicker, and the first thing I thought of when I saw the paragraphs above:

The big question is how Facebook can put all of its “active,” er, engaged users in front of advertising?

So... will we see small ads with every like button? Am I going to get ads stuck on the end of the text messages I get with my friends' status updates? Having had this "flaw" in their numbers pointed out, it may behoove Facebook to demonstrate how this is an untapped resource on the advertising front... It's actually tempting to brainstorm about this as a creativity exercise, no matter how obnoxious excessive monetizing seems to me as a user.
terriko: (Default)
2011-01-27 01:48 pm

Web Insecurity: Will Facebook's choice of social authentication lead to gains in facial recognition?

New post up at Web Insecurity: Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?

For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.
So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk.

Read the rest here
terriko: (Default)
2011-01-17 11:11 pm

Web Insecurity: Facebook now enabling annoying phone calls and paper junk mail?

New post up over on Web Insecurity. Here's a preview:

Facebook now enabling annoying phone calls and paper junk mail?

Sophos points out that Facebook has made yet another change to the way it handles your information: this time, allowing third-party developers access to contact information on Facebook.

Now, part of me wants to just shrug: it's always been technically possible for third party developers to get access to this information because of the current state of web security.

Read the rest here.

(But the short version is that you might just want to take your phone number and address out of your facebook profile.)
terriko: (Default)
2010-10-29 01:25 am

Web Insecurity: Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Originally posted on Web Insecurity, but it's short so this is a full cross-post.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.

It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.

Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.
terriko: (Default)
2010-08-19 03:22 pm

Web Insecurity: Privacy: Not just for people who are doing bad things

This is a cross-post from my web security blog.

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can. And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." Seriously? I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy. I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.
terriko: (Default)
2010-05-12 02:29 pm

Web Insecurity: Will privacy issues herald the end for Facebook?

New post up at Web Insecurity: Will privacy issues herald the end for Facebook?

We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience.

As usual, Facebook fascinates me as a social statement, as much as it horrifies me as a security person. But seriously, when the facebook games are talking about jumping ship and students are saying that facebook is uncool, we might have to accept that this boat isn't going to float much longer. And for those who haven't heard, the new pretender to the throne is Diaspora, although I admit I haven't looked at it seriously.
terriko: (Default)
2010-05-08 12:18 pm

Web Insecurity: Why Facebook is like your psycho ex

Wrote a Web Insecurity post last night: Why Facebook is like your psycho ex.

But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.

Been a while since I wrote for that blog, but I'm going back into research mode since paper writing season is over for me, and I'm over my flu, so I'm hoping I'll be able to write more. But what really inspired me was an entertaining if spammy email from $security_company's social networking delegate claiming that I'm a "leading blogger" within the web security industry. Some "leading blogger" when I hadn't posted since February!
terriko: (Default)
2010-01-16 11:58 am

Facebook is stalking you, Programmers need to learn statistics, and Lawyer kicks butt legal-style

Three links of interest from this week:

Conversations About the Internet #5: Anonymous Facebook Employee: What makes this story so entertaining isn't so much the content (which is pretty unsurprising, IMO) but the way in which it's presented. The drama! The intrigue! My personal favourite is describing eye-tracking, a fairly common technique used to analyze designs, as scary scary "psychological analysis." Seriously fun way of presenting what otherwise would be rather pedestrian information (OMG, Facebook keeps track of your relationships and behaviours! Like, oh, every other company that has any data about you...)

Programmers need to learn statistics or I will kill them all: You'd think there's no way that the essay could top the title, but it's actually a fantastic explanation of the problems many programmers have with statistics, as well as a reasonable rant about how little they care when they're told they're wrong. I've seen these mistakes in high-level peer-reviewed "scientific" papers in my field, and it kind of drives me (and many others) crazy. So if you're a computer scientist, go click that link and make sure you're not making those mistakes. You don't have to be stupider than slime mould, mathematically speaking.

An interesting side-note in that paper, for the women:

"Oh, and you wonder why I say, “he”? I never have this problem with female programmers. Maybe it’s because I’m tall (6’2”), or nicer to them, but they always speak rationally and are really keen to learn. If they disagree, they do so rationally and back up what they say. I think women are better programmers because they have less ego and are typically more interested in the gear rather than the pissing contest."

I leave interpretation of these remarks up to you. *grin* They don't have statistical significance anyhow. But either way, read the essay: it's a snarky but awesome and clear explanation of common statistical errors.

ProtectMarriage.com issues Cease and Desist for Prop 8 Trial Tracker logo depicting family of two mothers with two kids: ProtectMarriage.com threatens what seems to be a spurious lawsuit regarding a logo that is quite covered under parody laws. Prop8trialtracker.com hires the best lawyer ever, who responds with a rather impressive letter. I find it awesome that you can cite case history regarding entertaining stories like the slogan "Open up a Can of Woof-A**" -- I guess it's not entirely surprising that trademark case history will include a lot of funny/embarrassing examples, now that I think about it. Still, kudos to the lawyer who put together something so funny and clear on such short notice.
terriko: (Default)
2009-11-30 12:01 am

Facebook/Twitter PSA: what to do if your friends claim you're sending spam

A couple of my friends have gotten hit with stuff that's hijacking their accounts as a way to send spam to Facebook. The latest one sent something about www,ArticleBooks,cn which looks like a standard scam (although if I were you, I wouldn't load that -- I'm just putting it here in case someone searches for it).

As a web security researcher, I'd like to offer some advice. The safest advice would probably be either "don't use any Facebook apps" or "don't use Facebook" but we all know you're not going to do that just because someone sent spam in your name.

So here's a few more reasonable tips that might keep you and your friends spam-free:

1. The problem probably won't be caught by your virus scanner. Do a scan -- it won't hurt -- but if it comes up negative don't assume you're safe.

2. My personal bet is that the Facebook stuff is caused by a rogue app. Uninstall ALL applications you are not using to be more safe. This may be a legitimate application which was hijacked, so you're safest uninstalling as much as possible.

3. Do NOT install any applications used by friends who have sent spam messages. Especially if you get a message like "$infected_friend has send you a gift!" or something: these are common ways for Facebook "viruses" to spread.

4. Consider installing an ad-blocker. Advertisements could also have been used to hijack your Facebook. I highly recommend you use AdBlock Plus on Mozilla Firefox, as some other ad blocking software is sketchy.

5. They may not have stolen your password, but it can't hurt to change your password after you have uninstalled all your apps.

6. If you were hit on twitter, or even Facebook, it could also be some site you visited that hijacked your browser. Check your history and try to warn others if you figure out which site it was!
terriko: (Default)
2009-10-26 02:59 am

Why you aren't wrong to hate new Facebook

Every time Facebook makes a major change, you can hear outrage spread across the globe. Polls spring up with "Do you hate the new Facebook?" and yes is always in the lead. Your friends whine about it incessantly in their status messages. Petitions start asking Facebook to change things back.

It's easy to dismiss the fuss as a bunch of people who need to learn to move on. But it turns out, people are not wrong to hate every change in Facebook. They just might not be right for the reasons that they think.

As a web security researcher, I spend a lot of time thinking about what makes sites more secure, or more insecure. Every major change is likely to introduce new bugs, even as it may fix others. And the way the security model of the web works, any "minor" bug might result in major damage to you, as an individual. People store their whole lives on Facebook, and that means that a minor bug might let anyone in on their own, private stuff.

So every time the interface changes, you should probably be afraid that Facebook may be accidentally or intentionally allowing the entire world access to your stuff.

Does that mean "I hate the new Facebook!" is the new "GIRLS ONLY, NO BROTHERS ALLOWED!!!!" taped to the door? As in, you're worried Dad will leave the door open after vacuuming and you'll find your brother has played with your toys? Uncool, but really, no one who's over the age of 14 will care?

Turns out the security reality says the stakes are a lot higher. Many people keep a lot of private stuff in Facebook. It's more like Facebook said they were coming in to paint your apartment walls, but they rearranged all the furniture too and you have this feeling that they left the door unlocked and thus let strangers traipse through your apartment, maybe installing a wiretap and stealing your panties while they're there. Facebook makes a lousy landlord. Or at least a creepy one.

I don't know how to end this post. As long as Facebook is your landlord, you're subject to their whims, and you might as well get used to it. But if changes in Facebook leave you feeling maybe a little violated, that's probably exactly how you should feel.