Image via CrunchBase
There’s a story on this issue on GigaOm, which is worth reading for context.
I don’t think Facebook owns my friends. Do you think they own yours? If you think Facebook should re-enable the “Facebook Friends Exporter” extension, or—better still—simply allow people to use their own contacts as they please, “Like” this posting. Send Facebook a message.
I’m not talking about the policies here, I’m talking about the implementation. A Canadian newspaper, the Examiner, is using Facebook’s much-touted commenting system on their site. When someone likes a comment you made there, or adds a comment to a thread in which you participated, you get a notification of it, right on Facebook. Innit cool?
Except that when you go to see what you’re being notified about, here’s what you get:
Facebook fails to trust itself. Should you?
You know, if you’re planning on hitting people with a nice “ARE YOU REALLY, REALLY SURE YOU KNOW WHAT THE HELL YOU’RE DOING!?” warning every time they go to see what’s happened on a site you sold your commenting system to in response to a notification YOU generated, that’s not actually going to prove to be a terribly effective sales tool.
Just sayin’.
[UPDATE: I posted something about this on my Facebook wall before I wrote this posting. When I went back to look, they'd fixed it. I'm starting to suspect them of following my account in order to see what's busted. If this keeps up, I may have to bill them.]
Facebook seems to revel in making the things you want to do as difficult as possible, either by hiding the things you’re interested in at remote and undiscoverable locations, or by moving them around and changing them regularly.
I just caught a message from a friend who couldn’t work out how to remove a “rogue” app she’d managed to pick up. Since I’m certainly expecting to see more and more (and more!) “rogue” apps in the future, I thought it’s be good to lay out how to manage your Facebook apps, since it seems that a lot of people are actually unaware.
Pull down the “Account” menu in the upper-right-hand corner of the screen. Choose “Privacy Settings”.
At the bottom of the “Privacy Settings” screen, toward the left, there’s an “Apps and Websites” heading, with a link to “edit your settings”. Click on that.
Next, you’ll be taken to the page where you can remove and configure apps.
To remove apps, or configure the information they can get at, click the “Remove unwanted or spammy apps”. This will take you to a page where you can remove apps (by clicking on the “X” to the right of the app’s name) or configure them (by clicking on the “edit settings” link).
If you click on “Edit settings” for a particular app—I’ve used Posterous here—you’ll see the information that it can get to, and—for apps which can be configured, anyway—be able to turn on and off specific kinds of access. In the case of Posterous, all the accesses are required by the app, so if there’s anything in there that makes you uncomfortable, you have no choice but to remove it.
I’d strongly consider removing any app, except those which you knew were from trustworthy sources and which you really needed to use.
Did you know how to do this already? Did this help you?
Boy, the malware links are thick as the thieves who promote them on Facebook this morning. Many of my friends are tagged in them by credulous members of their friends lists, but they haven’t gotten me much so far. However, at the rate things appear to be going, the site is going to look like this in a month:
The Future of Facebook. Coming very soon.
Are you seeing more and more of this as well? Remember what I said several months ago about Facebook becoming a “bad part of town“? It’s all coming true before my eyes.
Are you seeing this, too? Are your friends falling for these scams, or are their friends?
Some Useful Guidelines:
Facebook does nothing to protect its users from this sort of thing. One of the best ways of keeping up to date on the various threats and scams which seem to be appearing more and more regularly on Facebook is to join the Sophos Security page on Facebook.
I’ve got an interesting situation going on vis a vis Facebook this week, above and beyond the fun and games with click-jacking and like-jacking, and I learned some things about Facebook this morning as a result. None of them make me feel terribly good about the whole situation.
I, among some others, have an obsessive lunatic stalker by whom I’m harassed online from time to time. Mostly, he’s kept it to anonymous commentary in blogs and the comment sections of news articles, but it seems he discovered Facebook recently.
My Stalker, "Indrid Kuld", on Facebook...
He began by harassing a friend of mine, the “Rachel” mentioned here, and proceeded to drag me into this. Here’s the fun part: “Indrid Kuld” has/had me blocked on Facebook—he regularly deletes and reinstates the ID, something Facebook facilitates—so I can’t even see any of his postings. Being unable to see them, I’m unable to flag them as abusive.
I had some of these brought to my attention, and documented by screenshots, by some of my friends. I started up a Facebook group called “Who is ‘Indrid Kuld’?” to bring some attention to this fellow and his use of sockpuppets on the site. As of this morning, that group was closed down by Facebook as being “abusive of a person or group”, as I was notified by the cheery “Warning!” with which I was greeted this morning.
“Indrid Kuld”, by the way, is a version of “Indrid Cold”, who called author John Keel up on the phone during the events which Keel wrote up in the book The Mothman Prophecies. Keel believed that “Cold”, who predicted the collapse of the Silver Bridge on December 15, 1967 was “a[n]…alien with telepathic powers“, more-or-less, anyway. Clearly not a bona fide Facebook user.
So, either being abusive to aliens is a problem, or being abusive to obviously fraudulent Facebook IDs is a problem. Seems unreasonable to me. So, I go and look at Facebook’s “Help Center” pages to see how one contests or appeals the closing of a group. The closest I found was this:
I was warned for creating content that attacked another individual/group.
We remove content that harasses an individual or group. Facebook also must honor requests to remove content that draws unwanted attention to specific people. To prevent this from happening in the future, please be careful to review the content of any group you administer.
Below it, we’re asked, “Was this answer helpful?” If you click “No”, you simply get the reply, “Thank you.”
Hm.
Okay, let’s try contacting a human being. Searching the site for a contact email, or a feedback form, or a phone number produces nothing. Wow. Wow twice.
This is the point at which the average “Facebook user” gives up in disgust, I suspect. I have other resources at my disposal. A search for the WHOIS information for facebook.com is pretty easy to find…
Administrative Contact:Domain AdministratorFacebook, Inc.1601 S. California AvePalo Alto CA 94304USdomain@facebook.com +1.6505434800
The Register reports that the pandemic of “like-jacking” on Facebook is still going on, and I can validate that. Here’s a screen-capture from my Facebook wall, taken only moments ago:
The authentic “Like” is the one on top; the fake is the one below it. As you can see, the real “like” is virtually indistinguishable from the bogus “like”: the only actual way to tell the difference is by visual inspection of the link. When you hover over “House of 1,000 Corpses” or “Thinking”, the browser shows a link beginning (as expected) with “http://www.facebook.com”. Hovering over “Sorry, I’m allergic to bullshit” shows, instead, a link to “http:/likeylikey.net”.
It’s reported to me that it’s possible to become “infected” with this simply by clicking on the “like” link, visiting the actual site is not necessary. So far, four folks on my friends list on Facebook have picked up (and are propagating) this one.
Be very wary! Facebook is not giving us the information we need to be able to avoid these things. According to an article on the Sophos blog, this attack is accomplished by “clickjacking” via an invisible iFrame on the screen. The Register story suggests “there are no reports that the Facebook attacks amount to much more than pranks that cause users to click a ‘Like’ button that recommends a link to their friends. But it’s not inconceivable that the ‘likejacking’ exploits could be used in much the way black-hat search engine optimization is used to lure people to websites that try to install malware on their machines.”
Oh, Facebook: Why Are You Putting Potential Malware On My Wall?
I found something novel on my Facebook wall this morning, but I didn’t realize that it was novel until I clicked on it.
"WTF", indeed!
Now, this looks just exactly like the sort of link that would take you to an internal page in the Facebook.com domain, but it’s not. It takes you to an external site, likeylikey.net, which I have never heard of and certainly have no reason to trust. While I’m probably at relatively low risk for browser-based exploits (I use either Chromium or Firefox, up-to-date versions, not Safari on an up-to-date OS X system or an up-to-date Linux system), someone who runs IE6 on an unmaintained XP box might well run into some serious malware problems here.
Facebook, what the hell do you think you’re doing? Shouldn’t you be making it clearer when links lead off-site, and using some different presentation for them than you do for the pages which are internal to Facebook?
Executive summary: WTF? Anyone else out there seen this?
But Wait! There’s More. [A Saturday Morning Update]
Having posted this just yesterday morning, as of yesterday evening, I’ve got another instance of a friend’s account being hijacked to evidently provide a link to a site I don’t think I want to visit. But this time, it’s in Facebook chat! Check this out:
Now, this isn’t some random person who wandered onto my friend’s list. This is actually a co-worker of mine, not someone I’ve ever chatted with on Facebook, however, and definitely not someone who is prone to using expressions like “awesome ass” as adjectives.
The link is interesting, too. Look at the Facebook preview for that URL (I’ve underlined the more interesting portion in red):
Okay, so not only do I get my “puzzle IQ results” (which, in my opinion should definitely not reach beyond double-digits), but I also get a “mobile content subscription“? Like, “charges that will be added to the bill of the cell phone number which I provided them in order to find out how smart I am”…? I bet it’s going to be more than the “five bucks” Jason was made to appear to offer me.
Wow. Wow twice.
Here’s the Big Problem
Facebook is about sharing. If we find ourselves placed in a position where what’s being ostensibly “shared” with us by our friends is going to cost us money, cripple our computer, or steal our information, then what’s the point of Facebook anymore? It’s increasingly becoming a Bad Part of Town, you can’t distinguish mates from malware any more, it seems.
If I “like” something, or send someone a message in chat with a link, how can they trust that it’s actually me doing the liking or the chatting any more? There’s no indication (other than the dopiness of the chat message) to distinguish it from a legitimate message. If it had been from a friend I chat with, and had been something simpler, like, “Hey! Take a look at this:” with a link, I might well have clicked on it.
From that point, depending on your system and browser all manner of mischief can happen.
This is completely aside from the privacy concerns that are plaguing the site more and more, lately. This is about Facebook’s ability to ensure the security of its users from Facebook itself. I hadn’t really thought seriously about quitting Facebook, it seemed like an overreaction, but that was because I feel like I’m pretty well on top of what I share and with whom.
This is different. This is bad.
There’s been some meta-discussion around yesterday’s phishing attack on Twitter (of which I, and many others, were victims) regarding the unwisdom of clicking on an unsolicited password reset link in an email, but there are way to assure yourselves that such things are genuine.
Every email package I’ve encountered has a function to allow you to see the full headers of an email message; in Entourage on OS X, it’s the “View Headers” command in the “Message” menu. Taking a look at the message (which is identical, from all appearances, to the one Andrew Girdwood recieved) shows us the following; note the “Received” headers in particular:
Once upon a time, before the Internet was the Web, there was USENET. And on USENET, there was Kibo. Kibo’s chief claim to fame was that, anytime anyone anywhere on USENET made a posting which contained the string “kibo” (whether in actual reference to him, or in random unrelated words like “skiboot”), he would post a message, usually of a somewhat surrealistic nature in response.
Anyone can pretty much do that now.
I posted a message on Twitter this morning, commenting that I was going to watch a new DVD I’d gotten, Pandorum, by Christian Alvart. I’d noticed, but missed, it in the theaters, and I didn’t realize until I looked at the case that he’d directed it—I like one of his earlier films, Antibodies, quite a bit.
I go and look an hour or two later, and I’ve got a new “follower”: Christian Alvart.
Remarkable. Pandorum‘s a good film. If you liked Dark City, I think you’d enjoy it.
PS: I am, as it happens, Christian Alvart 666th follower. Neither of us seems entirely certain what to make of this.
