Domain: facebook.com
Stories and comments across the archive that link to facebook.com.
Comments · 2,181
-
Re:Duh
I don't think you are really disagreeing with what I said, though highlighting that there is a subtle issue with 'encryption wrapped inside an http login page'. I.e., whether the real issue is exactly as you described (https utilized after redirection from http), or an alternate scenario that seems plausible - some custom encryption implemented with javascript within an http page, the problem is the same, and the solution is still just as I described - disallow any login via an http page. If you had carried your description of things through to a proposed solution, I don't see any other alternative than only having https login pages.
Note, when you go to facebook.com (i.e. www.facebook.com, i.e. http://www.facebook.com/) you are presented with a login page with user and password text entry. There is no redirection to an https login page involved.
-
Re:Require HTTPS for all connections...
Sadly, https://www.facebook.com/ does work, but you have to force it... and continue to force it because each request sent over https generates a response as http.
Which is basically another way of saying "it doesn't work", no?
-
Re:Duh
That's why FB's response was to respond to all requests from Tunisia using https.
That would still leave those users out in the cold that don't know that they're now supposed to enter https://www.facebook.com/ . Unfortunately, that would be 99% of the users...
I assume that Facebook sends back a re-direct in response to a connection attempt to their http site from Tunisia. However, if the code that intercepts and re-writes the webpage is updated, it could intercept the re-direct and proxy the connection, with an https connection to facebook and an http connection to the poor Tunisian's client PC. So, facebook's response won't be very effective.
-
Re:HTTPS
And nothing stops you from using https://facebook.com/ does it?
If you go to https://facebook.com/ you do view an encrypted home page. But all of the links to everything are just non-encrypted http. Unless you copy each link, paste it into the address bar, and prepend 'https://' to it (or write a browser script to do the same) then most of your facebook session will not be secured.
-
Re:Duh
That's why FB's response was to respond to all requests from Tunisia using https.
That would still leave those users out in the cold that don't know that they're now supposed to enter https://www.facebook.com/ . Unfortunately, that would be 99% of the users...
-
Re:Duh
Meaning the calls to always use https actually make sense.
Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.
... which makes it easy to hijack this first step, and unless the user doublechecks the URL just before login for https, he will fall for it. It's scary how easy this is (I once did it for a friend who wanted to spy on his estranged wife), and you don't even need any funny javascript. Just have a proxy that substitutes https://login.service.com/ with http://login.service.com/ and you're set.
This also makes those obnoxiously scary "bad certificate" warnings so pointless: the smart man-in-the-middle will avoid the certificate issue entirely, and just redirect everything to non-encrypted http.
The only solution to this is to make the user aware of the process. Make it explicit that in order to login, you need to go to https://www.facebook.com/ or https://yahoo.com/ . That way, the user is forced to "do the right thing" if he wants to log in, and an interloper will have much more trouble intercepting. Instead of just hacking up a quick proxy perl script, he'll actually have to ask TunisCert to issue a fake certificate...
-
Re:Duh
Log out of facebook and go here:
http://www.facebook.com/index.php
The login page is not secure by default (though you can manually type https if you want). Unless you explicitly tell facebook to be HTTPS, it won't be. How many users do you know who would do that? I can't think of a single one....
An ISP could easily inject a javascript keylogger into this page. It would be downright trivial.
-
Join the Facebook group
Want to have HTTPS on Facebook as default? Show your support in favor of HTTPS. Join the Facebook page.
:p -
Re:Duh
https://www.facebook.com/ would disagree with you. As would TFA.
-
Re:Require HTTPS for all connections...
Sadly, https://www.facebook.com/ does work, but you have to force it... and continue to force it because each request sent over https generates a response as http.
-
Re:HTTPS
Wow $20 a year? You and five other people. They rake in more than that in ad revenue from each "prime" user. Also most people just don't care enough to pay for this service.
What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.
Why doesn't facebook default to https:? My guess is cost. It takes resources to encrypt data and for Facebook moving everything to https probably would cost a few million dollars in resources.
And nothing stops you from using https://facebook.com/ does it? -
Re:Welcome to the Communications War
The OP has the wrong idea about how the internet works. It is not a peer to peer network, there are so called peer-2-peer networks that you will use (gnutella like things) but these are overlays in IP and the packets in them are moved around by the various tiers of providers in the internet architecture. Although there are schemes for peer-2-peer architectures they are not used in any territory that I am familiar with or in any scheme past an IP-X.
So, this is how the internet works.
ISP's are the last link in one of two chains.
1. Large private AS (autonomous system) network (Google, Facebook, Amazon, Akamai). Content is placed onto this network and carried either at a low rate (for a cloudfront or Akamai customer) or at the provider's own expense (Facebook, Google)
2. IP-X peering facility. There are many of these round the world; these are where ISP's build their backhauls to and where the AS networks connect to. They then "peer" at this point with a selection of the networks at that IP-X using the BGP protocol.
3. A backhaul is used to transport bits from the IP-X to the access network. This may be the ISP's or, in some territories like the UK it can be provided by a wholesale provider.
4. The backhaul is connected to the access network - fibre or copper at an exchange. This is now ISP territory for sure.
The other chain is where IP transit is used to provide commercial or barter agreements between large networks, in this case a company might agree with another to carry IP traffic over a link on their behalf, normally on the condition that either money is paid, or that they agree to take traffic from them and pass it over another link. Some network providers (put Tier-1 into wikipedia) do this as their primary form of (sort of) business. This is how your packets get carried from your home connection to where ever else, and this is why the ISP's don't like it if you do run a successful service from your basement.. it buggers up their agreements no end - and why running servers at home is expensive and you will find that moving to Cloudfront or a big remote hosting provider (who will be peered cheaply) is so much cheaper.
Now, the big content providers will normally peer with anyone, have a look at http://www.facebook.com/peering/ for an example policy; that's because they want to get their content to anyone as fast as possible, but even so it is a pain in the arse for them to do peering with everyone, and some other types of content providers may find managing peering with all ISPs hard - for example rapidly created and dissolved providers like a rock tour or a sports event. To manage that kind of need they peer with Akamai or Cloudfront and pay them, and hope that all the ISP's they need to peer with are peered with those organisations already. This creates a level playing field for content providers of all sorts; everyone pays cents per mb, and so long as you can wire up an ad platform to your site you should get close to breaking even at least. This is how the internet works and has worked for the last 15 years since NSF stopped running the backbone.
The problem that ISP's have is that building backhaul and peering capability that is able to cope with hd video is expensive - not unobtainably expensive, but expensive and small ISP's will need to get (perfectly commercially viable) loans to do it. Unfortunately this is easy to say, and hard to do in the environment that we live in today. Therefore it is rather attractive for a small ISP to be able to get wholesale backhaul and allow the wholesaler to sort that kind of stuff out while operating a "pay as you go model" and using their subscribers fees to pay for it. The provision of network capacity requires funds, and a functional market (which means well regulated - as any one who has observed what has gone on in the world economy for the last five years surely will understand by now) can provide those funds efficiently to where they are needed, with one exception.
-
Re:Complain about Apples 'closed' ethos all you wa
The thing about a sharp knife, it looks like a sharp knife...
The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.
--
-
Complain about Apples 'closed' ethos all you want,
But... this type of hack will never get into the wild on the iPhone....
..or, if it was ever missed by their app vetting procedure, Apple could remotely shut it down anyhow.
Remind me not to get an Android phone, if this is the type of stuff hackers are going to be distributing soon.
-
Bootloader Feedback Policy
Seems that sentiment was pretty quickly retracted. http://www.facebook.com/note.php?note_id=495971028278
-
Facebook Like Button == new 'technology'?
A lot of the current hoopla among PHBs is over social networking.
I have a little trouble understanding how being able to integrate the ubiquitous Facebook "Like" button (a simple IFRAME or Javascript call) or being able to set up Add to Any for social bookmarks means you're trained in an entirely new kind of "technology" which more experienced devs have no chance of even understanding.
-
amazing
-
Re:Easy
Looking at the reviews of the top two results from your search above, they seem to be 100% full of spammers and people who hate the app. Zoosk and Speed dating
I suspect one reason it hasn't worked all that well is that people want to control the persona they present on a dating site. Hide the bits they don't like, embellish the bits they do like.
A Facebook app also sticks around after you have a girlfriend in a much more obvious way than having a profile on a dating site does.
Apps seem to have a habit of announcing to all your friends that you are using them. I'm sure you've seen it in your profile: "Joe Blogs started using Useless Dating App." I imagine plenty of people would not like that but have no idea whether it will happen or not.
I can see many pitfalls in Facebook dating apps and the few that exist seem to have failed utterly. It's probably not such a good idea as it seems at first.
-
Re:Easy
Which leads to the question: why not just use Facebook directly? (And the alternate question: why hasn't someone tied together Facebook and a dating service yet? Seems like an obvious connection.)
http://www.google.com/search?q=facebook+dating
http://www.facebook.com/zooskdating -
Re:Another option
They may be selling information out-of-band to someone, but generally this information is not available to facebook advertisers. You can target groups of people based on some criteria.
As far as 3rd party co's accessing your info when authorized, this stuff is not secret and is worth keeping an eye on. As many have said before me, it is not in FB's interest to notify all their users when there's a change in what devs can and can't access.
-
Re:European clients?
Wouldn't it be ironic if Iron Neelie were to slam facebook for privacy abuses when she herself has a facebook page?
If she were to delete her profile in response to this it might be a good gesture. She has been pushing online privacy strongly, and facebook almost certainly doesn't comply to EU-US safe harbour privacy principles.
-
AND! Crimestoppers!
I submitted a story about Crimestoppers having a Facebook page! I can't believe the Eds didn't run it!
They also didn't run my story about Block Parents having a FB page, or Neighbourhood Watch, or Big Sisters! -
Telco-Update-Brisbane-Flood
And over in Telco-Update-Brisbane-Flood is where all the telecommunication engineers are discussing the floods; specifically why their fibre is dark, who's fault it is, and which data centers are running on gens.
-
Re:supposedly private information ?
Bonus: No javascript, flash, ads, or stupid app requests.
-
Re:Communication has been good
Ha! They had to. The opt-in early warning site (http://brisbane.gov.au/earlywarning) broke sometime yesterday. All trace has since been removed that it was ever there.
Yes indeed, Facebook has actually served quite well under the strain, for both the Brisbane City Council and the Queensland Police, who grew surprisingly popular overnight, with many many new 'friends' and many many new 'likes'. Conversations are continuing in both:
http://www.facebook.com/BrisbaneCityCouncil
http://www.facebook.com/QueenslandPolice -
Re:There's no APK there. What are you talking abou
if they are unfounded, then why would you state "if they are false" as well? do you know what the word "unfounded" means, or are you simply an ignorant hypocrite?
i state only the truth...
clone53421 is STEPHEN ALONGI
stephen alongi has stolen my personal property and redistributed it with attached calls for my murderous execution.
stephen alongi is a multiple criminal felon.
JUSTICE IS COMING.
-
Re:clone uses that site (busted clone)
i am telling nothing but the truth... i have filed takedown notices with omploader and they have ignored them... this ignorance is proof that they operate outside of the bounds of US law, and such operation is what makes them a criminal enterprise. i have a very obvious legal case. you're an ignorant hypocrite. cower some more, feeb.
clone53421 is STEPHEN ALONGI
stephen alongi has stolen my personal property and redistributed it with attached calls for my murderous execution.
stephen alongi is a multiple criminal felon.
stephen alongi claims he is "waiting" for me with a ".40" behind a closed door.
why do you cower? what are you afraid of?
you're completely pathetic.
JUSTICE IS COMING.
-
Avoid Motorola
Whatever you do, avoid buying anything Android related from Motorola. I bought a Milestone (UK version), which had "flash ready" advertised on the box. Flash requires Froyo, and Moto have repeatedly pushed back the release date (most recently from Q4 2010 to Early Q1 2011).
Phones by other manufacturers can avoid this issue by using unofficial roms. We don't expect company support forever, and the open source community picks up the slack and continues to support older devices (example - early HTC android devices can run froyo).
Motorola however have locked their boot loader, so only the stock kernel can boot. They use strong on-chip encryption for this (think Playstation style public/private key stuff, except Moto used a proper random number generator...). This means that the unofficial roms are half arsed, as they cannot fix issues in the stock kernel. The device has been rooted however (by way of an exploit, not help from Motorola).
So, if you buy a motorola tablet, expect to a) be unable to put software of your choosing on there and b) no upgrades from Motorola after about 12 months. Also if my experience with the milestone is anything to go by, it will have unfixed bugs remaining after support has stopped.
See http://www.facebook.com/motorolaeurope for Motorola's "marketing" facebook page - it's hilarious - every post is commented on hundreds of times with people complaining about the lack of updates and locked boot loader. That page must be harming moto, yet they keep it up. It's funny...
If the Xoom was made by anyone else, I'd buy it in a shot, but once bitten...
-
Re:Dead on.
we still see that there are tons of people who keep spewing shit out of their mouth that they expect the whole world to be interested in [...] Like that guy on the bus or subway that wants to talk about every damn word he reads in the paper. Or the girl waiting in line at the fast food counter talking on the top of her lungs into the phone while ordering.
Erm.. you just made a broad generalisation, then tried to support it by mentioning things that are exceptions to the rule. The babbling guy on the bus or girl in the queue are the extreme minority.
There's just a small demographic (mostly on /.) that really doesn't, in fact, want to broadcast everything we know.
Perhaps you don't realise that posting on a popular message board is, in fact, more effective in getting your words out than babbling to your neighbour on a bus. :)
Facebook is different. It's something people actually want, and it's something that makes their lives easier and more enjoyable.
You have no data to back that up - or contract it for that matter ;). Now, if you could tell me how many of your 130 friends are actually still *subscribed* (haven't blocked your posts) or are regular users (log on often enough to check the majority of their posts) - things like that - then I'd take notice.
I think Facebook will eventually "normalise", once this phenomenon of "speaking to the world" fades away and people realise what the more relevant uses of FB are: Sharing photos, organising outings, listing your company/group, and making the occasional big announcement.
I'm pretty sure FB will have to address the noise level eventually. Perhaps introduce a new type of "update", call it "announcements", which are more meaningful than status posts. Or perhaps subject tags, like "family", "events", and a few others. All so friends can be selective of what they subscribe to instead of being spammed.
Or, another network will emerge which has all the features many FB users are screaming for.
-
Re:Dead on.
All very true. The closer someone is to you, the more dialogue you want to have with them, and the rest is mostly a bunch of irrelevant posts you skim over. Usually contact with closer people happens over email because: a) you don't always want to say the same thing to everyone you know, and b)the number of people you want to say it to is quite small.
This phenomenon of "speaking to a large audience" is a novelty. A very attractive one, but it will wear off for this reason: No-one will be interested in everything their list of 130 friends have to say and they will, as a result, realise what they have to say is also not relevant to most people they know. If everyone could see who is no longer "subscribed" to them (ie. friends who have blocked their status posts) we'd see a lot of insulted friends. Anyway, people will eventually realise most of what happens on FB is irrelevant to them.
So, what is FB's real role, as a platform, once the excitement dies down?
1. Sharing photos.
2. Holiday / special event updates ("it's a girl!"), that sort of thing.
3. Being "in the loop" with local venues, events and groups.
4. Like forums, and how the web has always been used, connecting to groups of interest.
Unless I've missed something, that's the core value of FB, and it will eventually normalise to that. That may be a problem for FB advertisers and investors. But FB will survive, they will just normalise to "a very useful site for xyz" like many other sites. They will have to rearrange their business model.
FB is certainly the first site I know of which has ever been able to attract all these small businesses, venues, performers, etc. in one place - that's been tried time and again by other sites with very limited penetration. All because FB has *ubiquity*, like Google. That ubiquity is itself of inestimable value.
-
Re:Dead on.
So is your network suppose to be a recognizable pattern that would indicate the trend throughout Facebook? My network is increasing in activity.. see how it goes? Unless you are a certain type of individual ( http://www.facebook.com/pages/Dali-Lama/112056098820934?ref=ts ) You can expect you are going to basically stabilize after a while.
-
Re:Website
Sarah Palin just took down her USA Map with targets drawn over democratic leaders, one of them was for Gabrielle Giffords.
It's still on her Facebook page as of 8:57pm PST:
http://www.facebook.com/notes/sarah-palin/dont-get-demoralized-get-organized-take-back-the-20/373854973434 -
You left off part.
You left off the part where other people tell groups of potential crazies WHO TO KILL.
Scroll to the bottom.
Then read up on her rhetoric about reloading.
http://www.businessweek.com/news/2010-04-10/-don-t-retreat-reload-palin-tells-republicans-in-new-orleans.html -
Re:American Terrorist Group?
Ha ha! Sarah got one! Way to go Tea Partiers take your country back!
You fucking shit-cocks.
-
Re:clone lost all credibility here
clone53421 is STEPHEN ALONGI.
stephen alongi is a multiple criminal felon who has stolen my property and redistributed it with attached calls for my murderous execution.
stephen alongi claims he is waiting for me with his ".40" behind a closed door.
JUSTICE IS COMING.
-
Re:clone's distributing your photos here now
clone53421 is STEPHEN ALONGI.
stephen alongi has made public inciting calls for my murderous execution.
JUSTICE IS COMING
-
Re:clone uses that site (busted clone)
i have filed take down notices with omploader and they continue to ignore them.
tinypic.com, however, was also used by clone53421 (STEPHEN ALONGI), but tinypic did honor the take down request.
omploader is operating outside of the bounds of united states law. omploader freely redistributes items that infringe upon copyrights, even after they have been notified of such activity and are given ample time to put a stop to it, while those very items have attached to them inciting demands of murder from anyone who is given access to them.
omploader is a criminal enterprise.
stephen alongi is a multiple criminal felon who has called for my murderous execution.
JUSTICE IS COMING
-
Re:Is Facebook a viable long term business model ?
My biggest issue is, penetration is so high already, how much bigger can it grow?
I've been wondering about that too, but just had a look at their timeline and other stats and it seems they are getting over 25 million new active users a month, and it does not look like there is a huge it's slowing down very badly (500 million is the amount of active users, and half of those active users logged in during the last 24 hours).
http://www.facebook.com/press/info.php?timeline
http://www.facebook.com/press/info.php?statistics
Sure that number can't go on forever, but considering we are talking about the whole world, it's very hard to say how long that will go on for.
-
Re:clone53421, care to tell us all about this?
does facebook hold a sign to the world? no. obviously placing my satire in context.
you're an ignorant hypocrite.
clone53421 is STEPHEN ALONG. stephen alongi has attempted to justify criminal copyright theft and conspiracy to commit murder, out of any context, as "parody".
being given a blowjob is not a crime. inciting others to commit murder is.
JUSTICE IS COMING.
why do you cower? what are you afraid of?
you're completely pathetic.
-
Re:the point is you are a sicko, clone
i'm considering if that was an admission of your inability to deal with your personal problems which you alone have created.
cower behind your chosen pseudonym some more, feeb.
reload your ".40" and "wait" behind your closed door.
you're completely pathetic.
clone53421 is STEPHEN ALONGI
stephen alongi is a multiple criminal felon.
stephen alongi has conspired to commit my murder.
stephen alongi has stolen my possessions and redistributed them with calls for my murderous execution.
JUSTICE IS COMING.
-
Re:the point is you are a sicko, clone
you want to tell them about the multiple criminal felonies you committed to bring upon such justice, or should i?
clone53421 is STEPHEN ALONGI
stephen alongi is a multiple criminal felon.
stephen alongi has conspired to commit my murder.
stephen alongi has stolen my possessions and redistributed them with calls for my murderous execution.
JUSTICE IS COMING.
-
Re:the point is you are a sicko, clone
clone53421 is STEPHEN ALONGI
stephen alongi is a multiple criminal felon.
stephen alongi has conspired to commit my murder.
stephen alongi has stolen my possessions and redistributed them with calls for my murderous execution.
JUSTICE IS COMING.
-
Re:clone uses that site (busted clone)
clone53421 is STEPHEN ALONGI.
stephen alongi is a multiple criminal felon.
stephen alongi has conspired to commit my murder.
stephen alongi has stolen my possessions and redistributed them with calls for my murderous execution.
JUSTICE IS COMING.
-
Re:torrent
you should know... you spend your days stealing my family photos and redistributing them on pirate sites with attached calls for my murderous execution.
clone53421 is STEPHEN ALONGI... he is a multiple criminal felon. criminal copyright infringement. conspiracy to commit murder.
JUSTICE IS COMING.
cower behind your chosen pseudonym some more, feeb.
you're completely pathetic.
-
Reconsider What That Estimate Represents
Facebook has five hundred million users. Is each user really worth a hundred dollars?
I'm not a businessman but I'm not so sure this is the correct way to think about this.
Everything depends on how much the market is penetrated for social in two ways: users and advertisers. Can they grow that revenue/profit? And if so, to what point? If Zuckerberg sneaks it into China then I think you're looking at a potential to increase that significantly. Facebook hosts its statistics so you can guess if it's got a half billion in revenue yearly at half a billion users and it scales perfectly, that's a dollar per year per user. Can it get up to a billion users? It's probably clear that in the long run as the younger generation matures, that penetration will slowly expand ... but there's no guarantee that Facebook remains the de facto standard that far out. You need to consider future growth.
The other factor, advertisers and game publishers, could also be troublesome. Is this a "Honeymoon Period" for advertisers where they're paying an unsustainable amount to Facebook for the time being just to gain exposure? Could the above assumptions about scaling with userbase actually be false if advertisers aren't willing to spend more than they are now once more users join?
Consider that these numbers put Facebook's Net Profit Margin at almost 30%. That's very high for the industry. They're in the same region as Google and Microsoft but as I stated above can it scale?
One last thing, you seem to think that Facebook's worth is only its users. They are also a large company with almost two thousand employees and are building infrastructure. Include that on your assets sheet.
Facebook is going public soon. What are the chances that this 'leaked' report is designed to pump up the stock, and therefore Goldman's profit?
I think the SEC would come down pretty hard on GS if they did that -- they have before for less. Misleading investors is very serious.
-
Re:You're right, clone IS wrong (see inside)... ap
clone53421 is Stephen Alongi.
a pathetic, cowering criminal who has stolen photographs of myself and my family and redistributed them with a call for our murderous execution.
he claims he is cowering behind his front door with his ".40".
JUSTICE IS COMING