Slashdot Mirror

They did.

http://m.facebook.com/ ...not saying the mobile browsers can't have the security, just that "hope" isn't required to render Facebook without js.
And apparently such access is quite popular - there were some news from FB itself about explosive growth; also according to stats of Opera Mini (the #1 mobile web browser worldwide by site hits, despite many of its users being evidently rather frugal with numbers of sites visited / data transferred), Facebook is quite often near the top of popularity.

You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

The fact that it is unencrypted is, yes.

Wait, it's Facebooks' fault that you chose to browse their site unencrypted?

You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

What I don't understand is why people are talking like Facebook isn't offered over HTTPS. There's no excuse not to be using https-everywhere. If you are using that plug-in, you're automatically using HTTPS on Facebook by default. I guess you could argue it's Facebook's fault for not forcing its users to use HTTPS, but anyone with a hint of a clue is already using it anyway.

Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.

Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.

Facebook DOES pass personally identifiable information, albeit inadvertently.

As a Facebook Ads user, I have tracked down people who have clicked my ads EASILY.

How?

Your unique Facebook user ID is passed through the refer string each and every time you click on an ad.

Simply copy down this ID and paste it in the USERID variable below.

http://www.facebook.com/profile.php?id=USERID

Tada.

http://touch.facebook.com/ is a nice hidden site. Has most of the functionality, built for multiple resolutions.

> The EFF's HTTPS Everywhere Firefox plugin will SSL-encrypt, among other things, your connection to Facebook.

Even without the plugin you can set your bookmark to https://www.facebook.com/
This will at least encrypt the login page and then go plain-text.

And then your session-cookie can be hijacked.

> The EFF's HTTPS Everywhere Firefox plugin will SSL-encrypt, among other things, your connection to Facebook.

Even without the plugin you can set your bookmark to https://www.facebook.com/
This will at least encrypt the login page and then go plain-text.

SCENE: MOZILLA FIREFOX WINDOW

Firefox title bar: "Access to this site is blocked"
Firefox document body:

Content blocked by your organization

Reason:
This Websense category is filtered: Denied.

URL: http://www.facebook.com/

Options:
Click more_information to learn more about your access policy.
Click Go_Back or use the browser's Back button to return to the previous page.

More_information link leads to this not-so-helpful explanation:
Your Websense policy blocks this page at all times.

/facepalm

I wonder if anyone here remembers who gave good ole FaceBook their legitimacy in 2007 as a multi-million dollar company they have already paid for Zucker mine as well collect.

You'll have to forgive me if this no longer works (can't check right now,) but it was:

https://ssl.facebook.com/help/contact.php?show_form=delete_account

You're attempting to extend property rights such that they provide privacy. I don't think that works, except in cases of Intellectual Property, wherein the idea itself has monetary value and can therefore be "stolen" simply by being seen. But the only way to legally protect your IP is to disclose it via the patent office, so still no.

I own a car. Yes, I am about to make a car-Facebook analogy. I am very sorry.

If you look at my car, you haven't violated my property rights. If you write down my license plate, you haven't violated my property rights. If, from my bumper stickers and whatnot, you determine that I have a kid named Billy who plays football, a daughter named, Billy, who plays cello, that one of my kids is an honor-roll student (Billy, most likely), that I have a wife, that I most likely voted for Ralph Nader in 2004, and from the make and model of the car ascertain with reasonable certainty which socio-economic bracket I fit, you still have not violated any of my Constitutional Rights. Would it be creepy? Yes. The same is true of gathering info on Facebook, message boards, etc.

However, if you set your privacy settings and they circumvent them, that's totally different, and may fall under DMCA protection, since "You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings." [Facebook terms of use: http://www.facebook.com/terms.php ]

We never share your personal information with advertisers. We never sell your personal information to anyone. These protections are yours no matter what privacy settings you use; they apply equally to people who share openly with everyone and to people who share with only select friends.

In what way does that help? It's not like there can be only one John Hasler account on facebook.
In fact, right now there are 40.
http://www.facebook.com/people/John-Hasler/746875314#!/srch.php?nm=john%20hasler

So what are you going to do, deny that this other John Hasler who posts that he likes young girls is you?

Right. But lots of famous people will allow almost anyone to be their 'friend' so that they can hawk their latest book, CD, movie, coffee cup or whatever.

So, for example, you could friend, say Barack Obama, and then start a group called, say 'Friends of Osama Bin Laden' or 'the Al Qaeda United Terror Front' or whatever and hilarity then ensures.

Not that I'm suggesting anyone should do that.

The actual announcement said "To protect your information, this feature is only available after confirming your password and answering appropriate security questions."

I'm not sure what that will involve, but if it's like the security challenge they've been doing when you sign in from abroad, you have to correctly tag 8 of your friends in unlabeled photos.

Nowadays you can download most of it as JSON: http://developers.facebook.com/docs/api. If you're logged in, the links on that page will automatically be populated with authorization keys, so you can just right-click-save-as.

I'll give them a break when they stop reseting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.

Over the summer, they added a "master control" which you can set to "friends only" (or several other settings). This will make all of your current settings "friends only" and will also make any future setting default to "friends only".

I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.

I don't believe this has been true for a while: https://ssl.facebook.com/help/contact.php?show_form=delete_account

But perhaps good for a laugh; A group that bluntly attempts to address the problem.

Shut up about yourself.

Sherene Aisha, is that you?

http://www.facebook.com/people/Sherene-Aisha/100000786219945

http://apps.facebook.com/sororitylife/?ref_id=100000786219945&send_timestamp=1284219957&track=invite-giftReturn-5003-20100713-0&action=claimGift&from=100000786219945&target=5003&gift_hash=fa3ea8ea2361db9eafe7246117d522fc&gift_timestamp=1284219957000

Whoring!

I don't know what the prize is, but I'm not clicking!

It links to Facebook's "wrong browser" page. The real link may be here: http://www.facebook.com/video/video.php?v=631826881803

LibreOffice? Seriously? What a horrid name. We're not French and the percentage of the population that understands what Libre means is nil.

Hey, that's an opportunity - English lacks a proper word. Also, it's my new license plate.

And seeing how I'll park that car in my garage, the odds aren't too bad.

The Facebook Beta webOS app works nice on my PalmPre.
Wel, it helps that most webOS are basically HTML5/Javascript aplications, so doing a webOS doesn't necessarily require rewriting a new native app in C/C++ or Java.
the FB app for webOS is simply http://x.facebook.com/ re-skinned to use native widgets, and taking advantage of some of the webOS abilities (photo galleries, background/status bar alerts, drop down menus...)
it just lacks some features (more advanced galleries like on http://m.facebook.com/ , or more features on the event page).

and also, i fail to see what's facebook's advantage of rolling their own phone instead of just fixing the current apps :
- are they also trying to jump onto the voice-chat bandwagon ? (like the mentionned skype phones, or like Google Voice / Google Talk)
- are they hoping for lucrative subsidising from service providers (very unlikely if they begin on the european market)
- are they hoping to provide a fully FB-oriented phone (including calendar and contact list, à la webOS' synergy ?) and thus be able to mine even more user data for advertising dollars ?

The Facebook Beta webOS app works nice on my PalmPre.
Wel, it helps that most webOS are basically HTML5/Javascript aplications, so doing a webOS doesn't necessarily require rewriting a new native app in C/C++ or Java.
the FB app for webOS is simply http://x.facebook.com/ re-skinned to use native widgets, and taking advantage of some of the webOS abilities (photo galleries, background/status bar alerts, drop down menus...)
it just lacks some features (more advanced galleries like on http://m.facebook.com/ , or more features on the event page).

and also, i fail to see what's facebook's advantage of rolling their own phone instead of just fixing the current apps :
- are they also trying to jump onto the voice-chat bandwagon ? (like the mentionned skype phones, or like Google Voice / Google Talk)
- are they hoping for lucrative subsidising from service providers (very unlikely if they begin on the european market)
- are they hoping to provide a fully FB-oriented phone (including calendar and contact list, à la webOS' synergy ?) and thus be able to mine even more user data for advertising dollars ?

I think they changed their internal DNS config, screwed it up, and when their front facing webservers tried to lookup their database servers and failed, they tried the backup/rollover db servers, failed... these cascading errors caused their internal DNS servers to melt down.

After they'd been down for a while, because it spun down slowly over about half an hour, somebody in charge asked "WHY ARE WE DOWN" and was told "DNS error" and then changed the front facing webservers to spit up HTML that said "DNS ERROR", a simple web page communicating something is better than dead air.

Pedants will note that when http://facebook.com/ says "DNS error" clearly it isn't a DNS error - it was able to use the DNS to find facebook.com, no? Therefore it had to be an internal DNS error.

Facebook's own explanation of the fault speaks vaguely of cached and persistant data. Classic DNS screwup.

Maybe we should ask her... http://www.facebook.com/people/Rachel-Kristopeit/1231966914#!/profile.php?id=1231966914

The whois records on kristopeit.com look non-anonymized.

So why was DNS blamed?

From http://www.facebook.com/note.php?note_id=431441338919&id=9445547199&ref=mf&_fb_noscript=1

The way to stop the feedback cycle was quite painful - we had to stop all traffic to this database cluster, which meant turning off the site.

I'm, uh, taking a wild guess that simply shutting off port 80 is not going to allow for a controllable ramp up... they could redirect to another site, Orkut or myspace would have been mildly humorous. I am mildly surprised they don't have a simple emergency box with a simple static "undergoing repair" page, but, whatever ...

So, other than zapping the A records and waiting, what are they supposed to do? Bonus points if they were doing DNS based load balancing and simply unplugged their (dns based) load balancer.

I have no dog in the fight, having deleted my facebook account months ago. It is kind of funny that a page of technobabble is described as "technical details" as if folks like us/me would find it to be a complete description rather than pretty vague. Then again we're dealing with farmville addicts and you can't reason with addicts.

Paul Diaz: Will What i Say is get a front page they say facebook down due to server's and we are working hard to fix it get free cash ?:)

Mouhssine Freedom Elmezyani It's very easy to rape facebook !! i know some friends can hack your compt through your electronic adress !& they hacked my compt several time in the pretext of kidding !!

Mauro Guberti I'd like to know what's the necessary qualifications to work like moderator.

And the one that prompted me to close the tab:

Joanne Bozik The following link is the problem.........these people have been sending my name and pic to many stating that I purchased this product and I also in return am receiving the following link in my friends names......Please get after these people

http://www.facebook.com/facebook?v=wall#!/note.php?note_id=431441338919&id=9445547199&ref=mf

(note, the link is the link to the explanation for the outage)

Since the link in the summary is broken, this is the facebook blog post.

Post contents:
Early today Facebook was down or unreachable for many of you for approximately 2.5 hours. This is the worst outage we’ve had in over four years, and we wanted to first of all apologize for it. We also wanted to provide much more technical detail on what happened and share one big lesson learned.

The key flaw that caused this outage to be so severe was an unfortunate handling of an error condition. An automated system for verifying configuration values ended up causing much more damage than it fixed.

The intent of the automated system is to check for configuration values that are invalid in the cache and replace them with updated values from the persistent store. This works well for a transient problem with the cache, but it doesn’t work when the persistent store is invalid.

Today we made a change to the persistent copy of a configuration value that was interpreted as invalid. This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries a second.

To make matters worse, every time a client got an error attempting to query one of the databases it interpreted it as an invalid value, and deleted the corresponding cache key. This meant that even after the original problem had been fixed, the stream of queries continued. As long as the databases failed to service some of the requests, they were causing even more requests to themselves. We had entered a feedback loop that didn’t allow the databases to recover.

The way to stop the feedback cycle was quite painful - we had to stop all traffic to this database cluster, which meant turning off the site. Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site.

This got the site back up and running today, and for now we’ve turned off the system that attempts to correct configuration values. We’re exploring new designs for this configuration system following design patterns of other systems at Facebook that deal more gracefully with feedback loops and transient spikes.

We apologize again for the site outage, and we want you to know that we take the performance and reliability of Facebook very seriously.

Correct link to technical details:

http://www.facebook.com/note.php?note_id=431441338919&id=9445547199&ref=mf

(anon because I'm not a karma whore)

Actually, http://facebook.com/ is still having problems, http://www.facebook.com/ works.

It's unclear when the outage began. PCWorld has not been able to reach Facebook for comment, but Mashable reports the company has confirmed the outage.'"

PCWorld needs to read http://www.facebook.com/facebook Yeah, yeah, I know, posting articles to their own site about an outage on their site, but it says quite clearly what is going on, and that they were expecting futher issues after Wednesday's outage.

Actually, http://facebook.com/ is still having problems, http://www.facebook.com/ works.

It's unclear when the outage began. PCWorld has not been able to reach Facebook for comment, but Mashable reports the company has confirmed the outage.'"

PCWorld needs to read http://www.facebook.com/facebook Yeah, yeah, I know, posting articles to their own site about an outage on their site, but it says quite clearly what is going on, and that they were expecting futher issues after Wednesday's outage.

Actually, http://facebook.com/ is still having problems, http://www.facebook.com/ works.

It's unclear when the outage began. PCWorld has not been able to reach Facebook for comment, but Mashable reports the company has confirmed the outage.'"

PCWorld needs to read http://www.facebook.com/facebook Yeah, yeah, I know, posting articles to their own site about an outage on their site, but it says quite clearly what is going on, and that they were expecting futher issues after Wednesday's outage.

Actually I think facebook has you load their javascript code asynchronously, which would avoid the issue you mention:

http://developers.facebook.com/docs/reference/javascript/

Early today Facebook was down or unreachable for many of you for approximately 2.5 hours. This is the worst outage we've had in over four years, and we wanted to first of all apologize for it. We also wanted to provide much more technical detail on what happened and share one big lesson learned.
The key flaw that caused this outage to be so severe was an unfortunate handling of an error condition. An automated system for verifying configuration values ended up causing much more damage than it fixed.
The intent of the automated system is to check for configuration values that are invalid in the cache and replace them with updated values from the persistent store. This works well for a transient problem with the cache, but it doesn't work when the persistent store is invalid.
Today we made a change to the persistent copy of a configuration value that was interpreted as invalid. This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries a second.
To make matters worse, every time a client got an error attempting to query one of the databases it interpreted it as an invalid value, and deleted the corresponding cache key. This meant that even after the original problem had been fixed, the stream of queries continued. As long as the databases failed to service some of the requests, they were causing even more requests to themselves. We had entered a feedback loop that didn't allow the databases to recover. The way to stop the feedback cycle was quite painful - we had to stop all traffic to this database cluster, which meant turning off the site. Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site.
This got the site back up and running today, and for now we've turned off the system that attempts to correct configuration values. We're exploring new designs for this configuration system following design patterns of other systems at Facebook that deal more gracefully with feedback loops and transient spikes.
We apologize again for the site outage, and we want you to know that we take the performance and reliability of Facebook very seriously.

Nuts, it only works as http://www.v6.facebook.com/. Thanks to webmistressrachel for the correction.

I believe this only affected those of you stuck in the last millennium. http://v6.facebook.com

What's so interesting about it anyway?

A certain citrus celebration themed URL comes to mind

Yeah - I can't stand those a-holes either. F--kin douchebags.

Exactly! Kind of how I have bought more games in the last six months than I had in 2 years thanks to finding out about Good Old Games. Instead of having to worry about draconian DRM bullshit breaking my PC all they have is "We do a loot of work to get these going. Please don't share them, okay?" so I don't. Hell their prices are so low anybody can buy them (none higher than $10) and most importantly unlike the "limited install" bullshit we're seeing more and more I can back up, burn, and reinstall anytime and as many times as I want.

The problem with big media is they have decided their shit don't stink and it's just hunky dory to treat their customers like scum. And sadly thanks to deregulation allowing media cartels to buy up all the radio stations they'll be able to keep getting away with it too. If you were to see a standard record company contract, which I have as I've been playing with some regionally popular bands, it is truly disgusting what they do to the artist. Basically they take ALL the rights and you get jack. I had friends that were stupid enough to sign, the dreams of big tours were too much for them, and they ended up having to break up and never play together again just to get out of the contract. By the time they got done with "Hollywood accounting" the 25k they got to buy decent gear was gonna cost more than half a million to pay back, and they couldn't even play their own songs without permission!

As a musician I can say the quicker the RIAA dies in a fire the better. The bands I play with always share at least part of our albums and all we ask for is credit for non commercial use or a little change if you want to use it in something for sale. You won't live in a Metallica mansion doing it that way, but at least you don't have to suck the corporate penis either. If someone wants to check out the rough drafts of my latest (kind of a blues/funk thing) they are here but be warned that they are live rough mixes with a little digi-corder. We are currently building our own little studio and hope to have it and the album done by spring. If you want to support art, go see a show, buy from your local artists. Don't support the raping of our culture by multinational corps.

It's better to add it as a Jabber account than as a Facebook account - see http://www.facebook.com/sitetour/chat.php for the connection details

It's somewhat different then what the article is talking about, but I am reminded of it. In that Facebook game you gets points which can be used to lower the price of a real item by 1 cent which one has the option of buying, of course. All players of the game can lower the item's cost and it can go down a fair amount in some cases (1 dollar for a 10 dollar gift card for example).

I don't really have a point with this, I just find the strange combination of advertising plus discounting amusing, and somewhat relevant to the equally strange combination of electronic rewards for laudable goals. Speaking of which, I wonder why the Pokéwalker hasn't been mentioned in the article. God knows that evil was all over PAX East and Prime.

You're looking at this from a users perspective. I'm looking at it from a webmasters perspective.

Even webmasters can choose what they use. Not only that but they can even choose to use more than one search engine and provider of advertising. Actually if I were an employer and my webmaster wasn't using more than one provider then I wouldn't want to pay their salary. Sure right now Google has the major market position but that is likely to change. For instance Microsoft handles Facebook's ads as well as other high traffic websites. Until the end of August Google handled News Corp's MySpace ads however in July News Corp was in discussion with Google, Microsoft, and Yahoo for ad placement. Marketing is growing on other social networking websites as well, and Google doesn't do ads on all of them.

How many people install their own OS?

Well, I do. My daughters use Linux.

Did you install Linux for your daughters, or did they install it themselves?

How many buy Macs?

Well, I do. My wife uses a Mac.

So do I, I'm typing this on my MacBook Pro. I also have 2 Linux PCs, both of the tower PCs under my desk have Linux installed. One is a really old one I ordered from Microway with two HDDs, one with NT4 and the other with Redhat Linux, so I can dualboot. The other I bought with Linspire preinstalled. I also plan to install Ubuntu on my Mac. But most people buy and use Windows PCs.

How many buy PCs with Linux preinstalled?

I would say, enough to make it a venture that's profitable enough that manufacturers keep doing it.

But how many people can easily switch to Linux? Without a Linux guru it is difficult for most people to switch. Distros like Linspire attempted but Ubuntu is doing successfully is making it easier but there's still a long way to go before Linux is as easy to use for normal people as Windows, heck even Macs, is to use.

Falcon

It's opt-in, sadly. More here. I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.

Slashdot isn't like the rest of the world because they are misled by the people who write the summaries, or by the sites the articles they are linked to.

The purpose of the new facility is to combat the more common problem of Facebook rape.
http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765

The posts about the potential harm bots could do with this facility miss the obvious. If a bot has got into your account, it's already won. It can change your password and email address and there's nothing you can do to regain control.

First, who the heck uses "www" any more? That is so last century. If you have any brains, you've configured your server to answer to http://domainname.tld./ Why redirect to http://www.domain.tld? Especially since www.com is a valid domain. Oh wait - facebook redirects to http://www.facebook.com/ - they're infringing on the www.com trademark!

It's a stupid lawsuit.

And the judge isn't going to hear evidence about possible confusion in other countries - that is TOTALLY outside his jurisdiction. Thats why countries have their own courts - it's part and parcel of being a sovereign nation, duh!