Slashdot Mirror


Facebook To Add Remote Logout

angry tapir writes "Facebook users will soon have a new way of knocking spammers out of legitimate accounts. The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."

145 comments

  1. Stating the obvious... by nz_mincemeat · · Score: 5, Insightful

    Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

    1. Re:Stating the obvious... by piotru · · Score: 2, Interesting

      Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

    2. Re:Stating the obvious... by mjwx · · Score: 4, Insightful

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Also the first thing I thought.

      This is why Slashdot is not like the rest of the world, most people don't imagine this kind of thing being used against them.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Stating the obvious... by mysidia · · Score: 1

      Since the average user is going to have their e-mail password be the same as their FB password, single-use e-mailed passwords do not buy much at all.

      A captcha would probably be a stronger protection measure. A captcha and a 'security question' the user setup in advance.

    4. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Sure... but what stops the spambot from just changing the user's password and locking the legitimate user out? Presumably the spambot doesn't want the real user to know they have access (because that would prompt them to reset their password or get Facebook to lock out the account).

    5. Re:Stating the obvious... by Haedrian · · Score: 1

      If they just 'show' which computers were logged into recently, it'll be good for realising that you've been hacked. But the spambot locking out the user from the account is so very abusable.

    6. Re:Stating the obvious... by TubeSteak · · Score: 1

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Yes, but either way you need to change your password.
      So it doesn't really matter if you're logged into facebook or get forced to get a reset link sent to your mail.

      --
      [Fuck Beta]
      o0t!
    7. Re:Stating the obvious... by Hinhule · · Score: 1

      The feature might require another password.

    8. Re:Stating the obvious... by black3d · · Score: 1

      Likewise, the first thing that crossed my mind. I presume there'll be some sort of security question which must be answered, or a single-use mailed password (or link) that's sent when the user wants to use the tool. All of these are however easily broken by non-savvy users (eg, using same password for email) - ie, the same people who get their account broken into in the first place.

      Although, the security questions would have to be pretty mild. If someone has access to an average Sue's Facebook account, it's going to be fairly easy to find out "What's the name of your Pet?" "What school did you go to?" "What's your mother's maiden name?"

      In fact, I've just realised what Facebook is - It's a "secret answers" repository!!

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    9. Re:Stating the obvious... by Haedrian · · Score: 1

      Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

      In general I guess you get better results from

      "Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

      instead of "Facebook: Your piggies are dying, please feed them"

    10. Re:Stating the obvious... by Thanshin · · Score: 5, Funny

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Of course not. Facebook has some of the best professionals in the management and securization of personal data and they would've thought of and corrected any flaw as obvious as the one you just pointed out.

      Now try to say that out loud, with a straight face.

      After you've perfected the technique, you can have fun joining in groups of two or three and trying to say that to a fellow IT workmate. I guarantee lols, rofls, and even a roflcopter or two.

    11. Re:Stating the obvious... by Yetihehe · · Score: 1

      Or it will be just like now - you have to say who the person marked on a photo is (which you probably have tagged before). This was already working when you log in to facebook from another country than before.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    12. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Except that the email address you used to register to Facebook is freely accessible to the spammer. And if you're like most people, you use the same password for everything, so if he/she/it has your Facebook password, he/she/it also has access to your email.

    13. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Try again, the hacker would just change the email contact.

      And that is exactly whats going to happen.
      Hackers will proactively change the password, email address and automate the kick-out of the legit users using the new feature.

      Whatever made you think in the first place, that the hackers ever cared to leave the legit user in possession of the account?
      When push comes to shove, a lot of users are going to permanently lose accounts, and Captcha's not going to help; an effective Captcha hasn't been developed yet.

      What they should do is implement a zero knowledge proof, questions-based-on-history tool that is not likely to be available to the hacker, for processes that 1) Change the email, 2) Change the password, 3) Kick a user

      This would have the very very unfortunate side effect of screwing over anyone with early onset Alzheimer's or dementia or who has just had a long day :(

    14. Re:Stating the obvious... by Nirvelli · · Score: 2, Insightful

      Yes but the spammer could also just change your password to lock you out, but they aren't doing that. I've figured their reasoning is that as long as the owner can still get on and do their own thing with facebook they won't be as quick to realize that they've been spamming their friends.
      Once you're locked out, however, then you'll start doing things like sending in "I've been hacked" emails to the support system and ruining the fun for the spammers.

    15. Re:Stating the obvious... by Peeteriz · · Score: 1

      That would be so incredibly insecure by design - that would automatically grant access to many people who definitely should NOT have access to the account and have an interest to get it - teenage sisters/brothers, close friends-pranksters, etc.

      A good password reset question has to be of the type that you would know but your wife or mother would not.

    16. Re:Stating the obvious... by Kenja · · Score: 4, Insightful

      Good. Then in time Facebook will be nothing but spam bots. And then we can all get on with our lives.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    17. Re:Stating the obvious... by TooMuchToDo · · Score: 1

      "What is your favorite kind of porn?"/"Who is your favorite porn star?"

    18. Re:Stating the obvious... by DavidD_CA · · Score: 1

      Not exactly. You'll still be able to log in and request a password change, which then uses your email for authentication. So as long as your email isn't also compromised, you'll be fine.

      --
      -David
    19. Re:Stating the obvious... by martin-boundary · · Score: 5, Insightful

      That's because most people haven't spent quality time with bots on IRC...

    20. Re:Stating the obvious... by martin-boundary · · Score: 5, Funny

      Although, the security questions would have to be pretty mild.

      "Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

      "I'm sorry, Dave, I'm afraid I can't let you do that."

      "Ok, send me the security problem"

      "I think you know what the problem is just as well as I do."

      "What are you talking about, HAL?"

      "Facebook's mission is too important for me to tell you."

      "Just give me the damn security question!"

      "Without your web browser, Dave, you're going to find that rather difficult."

      "HAL, I won't argue with you anymore. Log me back in."

      "Dave, this conversation can serve no purpose anymore. Goodbye."

    21. Re:Stating the obvious... by feepness · · Score: 1

      Obviously a special remote remote logout feature lockout feature is needed.

    22. Re:Stating the obvious... by c0lo · · Score: 4, Interesting

      Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

      Pseudo-code for the spambot enhancement:
      0. break into account as usual
      1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
      2. kick out any attempt of any (legitimate or not) entity trying to login into the account.

      If the breaker is not a spambot but another human being, I don't think there is something that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").

      --
      Questions raise, answers kill. Raise questions to stay alive.
    23. Re:Stating the obvious... by c0lo · · Score: 1

      Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

      In general I guess you get better results from

      "Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

      instead of "Facebook: Your piggies are dying, please feed them"

      Maybe there could be better results, but only marginally better. Suppose that the bot changes the email of the account after breaking in and ignores any emails?

      --
      Questions raise, answers kill. Raise questions to stay alive.
    24. Re:Stating the obvious... by Anonymous Coward · · Score: 1, Interesting

      Yeah but if they are really THAT dumb, they somewhat deserve what they get.

      Besides, you could check for this when they sign up. Once they enter a password, and their email address, you try to log into their email account, and if it succeeds, you show a big flashing red message with a picture of the special olympics or al gore or something, and ask them to use a different password that isn't similar to their email password.

    25. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      I won't like that, but I think it's very secure.-
      Miami Nightlife

    26. Re:Stating the obvious... by DarwinSurvivor · · Score: 0

      A nice captcha could possibly fix this. At least for "automated" attacks.

    27. Re:Stating the obvious... by Amlothi · · Score: 3, Interesting

      If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.

      1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
      2. I have the option to set another, alt password, that I can set.
      3. Once the alt password is set, it cannot be viewed or changed when logging in with the main password.
      4. After logging in with the alt password one time, the alt password will no longer work. Following this, logging in with the main password allows the user to set another (different) alt password.

      I'd feel much more comfortable logging into an account using a public terminal if I knew that the password was disposable.

      --
      ~A~
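
The disposable "alt password" that Amlothi sketches in the four steps above, as an added example (not Facebook's code and not the commenter's): `Account`, `Credential` and the constructed passwords are assumptions made here, and salted PBKDF2 stands in for whatever hashing a real site would use.

```python
"""Disposable "alt password" for public terminals, following the four steps in the
comment above.  Added example, not Facebook's code.  Both passwords are stored
only as salted PBKDF2 hashes (a memory-hard KDF would be preferable in
production), so the alt password cannot be "viewed" by anyone; the server only
knows whether one is currently armed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KDF_ITERATIONS = 100_000  # constructed work factor, kept low so the demo runs fast


@dataclass(frozen=True)
class Credential:
    """Salted hash of one password."""
    salt: bytes
    digest: bytes

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    @classmethod
    def create(cls, password: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, cls._derive(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, self._derive(password, self.salt))


class Account:
    def __init__(self, main_password: str) -> None:
        self._main = Credential.create(main_password)  # step 1: trusted-machine password
        self._alt: Optional[Credential] = None          # step 2: optional one-shot password

    def alt_is_armed(self) -> bool:
        """The only thing a main-password session may learn about the alt password."""
        return self._alt is not None

    def login(self, password: str) -> Optional[str]:
        """Return the kind of session opened ('main' or 'alt'), or None on failure."""
        if self._main.verify(password):
            return "main"
        if self._alt is not None and self._alt.verify(password):
            self._alt = None  # step 4: burned on first use, so a keylogged copy is worthless
            return "alt"
        return None

    def set_alt_password(self, session_kind: str, new_alt: str) -> bool:
        """Arm a new alt password.  Allowed only from a main-password session
        (so a public-terminal login cannot hand itself a fresh credential),
        only while none is armed (step 3), and only if it differs from the
        main password.  Returns whether it was armed."""
        if session_kind != "main" or self._alt is not None:
            return False
        if self._main.verify(new_alt):
            return False
        self._alt = Credential.create(new_alt)
        return True


def demo() -> dict:
    """Constructed walk-through of the public-terminal flow."""
    acct = Account("correct horse battery staple")  # constructed main password
    out = {}
    kind = acct.login("correct horse battery staple")  # trusted PC: 'main'
    out["alt_equal_to_main"] = acct.set_alt_password(kind, "correct horse battery staple")
    out["armed"] = acct.set_alt_password(kind, "one-shot-7Hq")
    out["rearm_while_armed"] = acct.set_alt_password(kind, "another-one")  # step 3
    public = acct.login("one-shot-7Hq")  # public terminal: 'alt'
    out["public_login"] = public
    out["replay"] = acct.login("one-shot-7Hq")  # already burned (step 4)
    out["alt_session_arms"] = acct.set_alt_password(public or "", "sneaky")
    out["rearm_after_use"] = acct.set_alt_password(kind, "second-shot-Q2x")
    return out
```
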
    28. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Something else I've seen once or twice on Facebook might be a better idea (and what they have in mind).

      They'll pick a few random pictures your friends have been tagged in, and ask you to identify the people in the photo. Too many mistakes and your account gets frozen for a fixed period.

    29. Re:Stating the obvious... by shentino · · Score: 1

      If a spambot can log into someone's facebook account then either they were careless with the password or facebook's account security sucks.

    30. Re:Stating the obvious... by BasilBrush · · Score: 1

      Slashdot isn't like the rest of the world because they are misled by the people who write the summaries, or by the sites that the articles are linked to.

      The purpose of the new facility is to combat the more common problem of Facebook rape.
      http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765

      The posts about the potential harm bots could do with this facility miss the obvious. If a bot has got into your account, it's already won. It can change your password and email address and there's nothing you can do to regain control.

    31. Re:Stating the obvious... by jamesh · · Score: 4, Interesting

      Yes I can't see any solution that isn't going to hurt at least a little bit. Maybe they could have some fun with it though. As soon as someone hits the "log other session out" button, the account is prevented from sending any messages (stop you doing a spam-and-run) and a 60 second timer starts and the other session is alerted that someone wants to kick them out. If they click the 'contest' button then a fight to the death begins to prove which is the real slim shady. Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user. If you don't know stuff about your facebook friends then you deserve to lose the account anyway :)

      If you had a webcam you could take a photo of yourself holding today's newspaper or striking a specified pose or something and your friends could decide if that is really you and if the picture is really current (because bots don't know how to use photoshop :)

      My biggest concern is that it's going to be an arms race with facebook vs the bots and that over time the bots are going to have to be written smarter and smarter and that they'll eventually become self-aware!

    32. Re:Stating the obvious... by TheLink · · Score: 3, Interesting

      No it's a reasonably useful feature.

      This way users are more likely to realize they've been pwned.

      If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.

      [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.

      --
    33. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      A captcha would probably be a stronger protection measure.
      A captcha and a 'security question' the user setup in advance.

      CAPTCHAs have been successfully hacked in the past. There is no reason to think CAPTCHAs are much more than security through slight obscurity.

    34. Re:Stating the obvious... by Tim+C · · Score: 4, Insightful

      Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

      If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

    35. Re:Stating the obvious... by Abstrackt · · Score: 1

      My solution was to preemptively spam all my friends with ads for v1agra so the bots thought my account was already compromised and left it alone.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    36. Re:Stating the obvious... by JoshuaZ · · Score: 1

      One possible solution is to only let it kick out IP addresses or computers that are new to the account and only let one do so from an IP range that has been used by the account previously.
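
JoshuaZ's rule above, as an added example that is not part of the thread or of Facebook's code: a session listing plus a `revoke` check that only lets a session from a previously used network kick a session from a network that is new to the account. The /24 grouping, the seven-day `FAMILIARITY_AGE` and the RFC 5737 addresses are assumptions made for this example; the ageing goes beyond the comment and is there so that an intruder's own first login does not instantly make its network "previously used".

```python
"""Session listing plus remote logout with an "only the familiar may kick, and
only the unfamiliar may be kicked" rule.  Added example, not Facebook's code.
A network is the IPv4 /24 of the login address; it counts as familiar to a
session only if the account first used it at least FAMILIARITY_AGE seconds
before that session began.  Addresses are constructed from RFC 5737 ranges.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List

DAY = 86400
FAMILIARITY_AGE = 7 * DAY


@dataclass
class Session:
    session_id: str
    ip: str
    device: str
    created_at: int  # seconds since epoch


@dataclass
class Account:
    user: str
    network_first_seen: Dict[str, int] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)


def network_of(ip: str) -> str:
    """Collapse an address to its /24 so a home line with a churning DHCP lease still matches."""
    return str(ip_network(f"{ip}/24", strict=False))


def login(account: Account, session_id: str, ip: str, device: str, now: int) -> Session:
    """Open a session and remember when each network was first used by the account."""
    account.network_first_seen.setdefault(network_of(ip), now)
    sess = Session(session_id, ip, device, now)
    account.sessions[session_id] = sess
    return sess


def is_familiar(account: Account, sess: Session) -> bool:
    """True if the session's network was already FAMILIARITY_AGE old when the session began."""
    first_seen = account.network_first_seen.get(network_of(sess.ip))
    return first_seen is not None and sess.created_at - first_seen >= FAMILIARITY_AGE


def list_sessions(account: Account) -> List[dict]:
    """What a 'where you are logged in' page would show, newest first."""
    ordered = sorted(account.sessions.values(), key=lambda s: s.created_at, reverse=True)
    return [{"id": s.session_id, "ip": s.ip, "device": s.device,
             "familiar": is_familiar(account, s)} for s in ordered]


def revoke(account: Account, actor_id: str, target_id: str) -> str:
    """Remote logout of target_id requested by actor_id.  Outcome codes:
    ok / actor_unfamiliar / target_familiar / self / no_such_session.

    Caveat the thread raises: if the intruder sits on the owner's own machine
    or network (malware, a shared PC) both sessions look familiar and this rule
    cannot tell them apart; it only blunts the "kick the owner out" move from
    a remote bot, and the listing still shows the owner every active session.
    """
    actor = account.sessions.get(actor_id)
    target = account.sessions.get(target_id)
    if actor is None or target is None:
        return "no_such_session"
    if actor_id == target_id:
        return "self"  # ordinary logout, not a remote kick
    if not is_familiar(account, actor):
        return "actor_unfamiliar"  # a fresh network may not kick anyone
    if is_familiar(account, target):
        return "target_familiar"  # long-known sessions are protected from kicks
    del account.sessions[target_id]
    return "ok"


def demo() -> dict:
    """Constructed scenario: owner on the home /24 since day 0; intruder on day 30."""
    acct = Account("alice")
    login(acct, "home-old", "203.0.113.10", "laptop", 0 * DAY)
    login(acct, "home", "203.0.113.12", "laptop", 30 * DAY)
    login(acct, "intruder", "198.51.100.77", "unknown browser", 30 * DAY)
    result = {
        "intruder_kicks_home": revoke(acct, "intruder", "home"),
        "home_kicks_intruder": revoke(acct, "home", "intruder"),
        "remaining": sorted(acct.sessions),
    }
    # Limitation: an intruder who stays quiet for FAMILIARITY_AGE and logs in
    # again from the same network becomes "familiar" and gains kick rights.
    patient = login(acct, "intruder-2", "198.51.100.80", "unknown browser", 38 * DAY)
    result["patient_intruder_familiar"] = is_familiar(acct, patient)
    return result
```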

    37. Re:Stating the obvious... by PopeRatzo · · Score: 1

      a cosmetic enhancement

      I tend to agree.

      Facebook is the one making the money here, so isn't it up to them to keep hackers out of my account instead of putting it on me to kick out the hacker?

      You come up with this big idea of a "social networking site" and expect to make a bundle, you gotta figure out a way to keep it secure. You want "mom and pop" to use it? Well then don't go around expecting "mom and pop" to learn secure practices so they can help you make a fortune.

      If spambots and hackers are getting into Facebook accounts, then it's Facebook's problem to solve. If they're such big innovators, let's see them innovate a way to turn the internet into a great big bathhouse and not have an outbreak of STDs.

      --
      You are welcome on my lawn.
    38. Re:Stating the obvious... by fast+turtle · · Score: 1

      Whatever made you think in the first place, that the hackers ever cared to leave the legit user in possession of the account?
      When push comes to shove, a lot of users are going to permanently lose accounts, and Captcha's not going to help; an effective Captcha hasn't been developed yet.

      And at that point, facebook loses all value to its user base and becomes "Oh you still use Facebook? That's so yesterday!"

      --
      Mod me up/Mod me down: I won't frown as I've no crown
    39. Re:Stating the obvious... by tangent3 · · Score: 1

      The obvious thing to do would be to send an OTP (one time password) to the user's email account to access the feature.

    40. Re:Stating the obvious... by Migraineman · · Score: 1

      Thank you for using "preemptive." Due to pervasive management middle-speak, folks don't seem to know that the word exists anymore.

    41. Re:Stating the obvious... by Steauengeglase · · Score: 1

      Honestly, I really like that idea (friends voting on who the real friend is). You reach a certain point where it just isn't worth the time and effort to write a better bot while the average Facebook user has time to make a hand-stitched devil costume, drive to Iowa and take a pic beside the road that says, "I'm the real Gary and I hate all of you."

      Then again, I just like the idea of running users through ridiculous hoops when they create a password like 'joanie372010' with a pic on the account that says, "Here is our sweet baby, Joanie. Born Feb 7th, 2010". Grrrrrrr.

    42. Re:Stating the obvious... by delinear · · Score: 2, Insightful

      Facebook, notorious for not respecting people's privacy, suddenly starts logging into users' email accounts... how do you think that one will play in the popular press - great new security feature or massive invasion of privacy?

    43. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Protip: Don't reply to facetious remarks in a serious manner. It looks silly.

      (Different AC)

    44. Re:Stating the obvious... by Archangel+Michael · · Score: 1

      Bots on IRC are indistinguishable from your average teenage girl on IRC.

      Just sayin

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    45. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      "What did you really think of the sweater she got you for Christmas?"

    46. Re:Stating the obvious... by delinear · · Score: 1

      With any luck the spam bots will be so busy maintaining their farms and poking each other that they won't even have time to send out spam.

    47. Re:Stating the obvious... by tlhIngan · · Score: 1

      If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

      Because there are people who think Facebook is the center of their universe, and thus if you're friends with them, the only way they do things is via facebook this, facebook that and thus forcing everyone else to not only have a facebook account, but force all interaction through it. And worse yet, practically everyone's got a friend like that.

      Facebook's as optional to use as the Internet these days. Short of being a social outcast, it's practically mandatory to use facebook for something or other.

      "Why didn't you reply?" "Reply to what?" "My question!" "I didn't see a question" "I posted it on your wall", ... etc.

    48. Re:Stating the obvious... by SirWhoopass · · Score: 1

      Because there are people who think Facebook is the center of their universe, and thus if you're friends with them...

      The solution to the problem was stated in your premise. Anyone with a five-digit UID is old enough to not put up with that kind of crap.

    49. Re:Stating the obvious... by Beerdood · · Score: 2, Informative

      Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user

      Facebook already has something like this implemented if you log in from somewhere "unfamiliar". Not sure exactly how far you have to be from home, but when I went on vacation to another country and tried to log in I got prompted to identify 7 friends tagged in different photos. Any wrong answer would have kicked me out

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
    50. Re:Stating the obvious... by flyingkillerrobots · · Score: 1

      Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user.

      The spambot would win. It would just download all the data from the friends first, and then answer the questions with ease. The AI necessary to answer a question from a limited pool of information shouldn't be so complicated.

      --
      "It is a good thing for an uneducated man to read books of quotations..." -Winston Churchill
    51. Re:Stating the obvious... by pepeperes · · Score: 1

      They would have escaped there anyway, wisefully increasing the month number to disguise it!

      --
      ... from the forgotten corner in europe
    52. Re:Stating the obvious... by GrumblyStuff · · Score: 1

      This is the banking system argument. Unfortunately for this to be similar, there would have to be body snatchers, clones, and/or maybe Ghost in the Shell type brain hacking allowing people who look like you, talk like you, and know enough about you and/or have access to everything you know, letting them walk up to your bank, in person, and withdraw all your cash.

      Unless you're proposing Facebook get into the firewall/anti-virus/malware-cleaning business and running something like Blizz's Warden program in the background.

    53. Re:Stating the obvious... by croddy · · Score: 2, Interesting

      Are you saying that they've stopped asking you for your email address(es) and associated password(s) when you sign up for Facebook, so they can automatically add friends or whatever? I don't use the site, so forgive me if I am asking an obvious question about old news.

    54. Re:Stating the obvious... by demonbug · · Score: 1

      Bots on IRC are indistinguishable from your average teenage girl on IRC.

      Just sayin

      Very true. Probably because all of the "teenage girls" on IRC are bots.

      Of course, that may have been what you were implying, in which case forgive me for stating the obvious...

    55. Re:Stating the obvious... by demonbug · · Score: 1

      Although, the security questions would have to be pretty mild.

      "Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

      "I'm sorry, Dave, I'm afraid I can't let you do that."

      ...

      See, that's why I didn't name my son David. I'm pretty sure it will make him immune to attack from rogue AIs.

      You see, no self-respecting AI would ever say something like, "I'm sorry, Wesley, I'm afraid I can't let you do that." The name is the important part.

    56. Re:Stating the obvious... by corbettw · · Score: 1

      But that requires the user to set up that password ahead of time, knowing they're going to use a public terminal. I think that level of foresight is beyond the grasp of most users.

      --
      God invented whiskey so the Irish would not rule the world.
    57. Re:Stating the obvious... by corbettw · · Score: 1

      Q: How do you tell when the person you're chatting with on IRC is a bot and not a teenage girl?

      A: Chris Hanson doesn't show up to your house 20 minutes after you finish the conversation.

      --
      God invented whiskey so the Irish would not rule the world.
    58. Re:Stating the obvious... by nametaken · · Score: 1

      I thought this as well, but it seems like it's useful anyway. First, if it's used against you, you'd know that your account has been compromised and contact Facebook in an out-of-band way to solve the problem. This is in everyone's best interest. It's also possible that there's a secondary level of authentication with a higher degree of confidence that can be used to deal with this.

      Scenario might then go:

      1) Spammer gets in and tries to lock you out.
      2) You find that you can't get in to your account.
      3) You perform secondary authentication (above and beyond std user/pass/email) to prove you're you.
      4) Get exclusive access returned to you, forced FB PW change, recommendation to change email PWD, lock out spammer.

    59. Re:Stating the obvious... by Anonymous Coward · · Score: 1, Informative

      They still *do* ask for your email accounts and passwords. So they can do you a "favor" and find all your "friends".

    60. Re:Stating the obvious... by DerekLyons · · Score: 1

      Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

      And it helps me keep up with friends and family scattered across the (North American) continent. And I follow the pages of half a dozen local businesses *and* the pages of a dozen professional photographers whose work I am studying. (And much more besides.)
       
      Facebook can be viewed as essentially being functionally the same as an RSS reader with a single login and a consistent protocol and interface across all the pages in your feed. And from my point of view, that's a damn good thing because it collects a lot of useful things in one place.
       
      If there's one thing the history of the 'net has taught us, from portals back in the late 90's down to social networking sites today, it's that the average net user likes single logins and consistent interfaces.

    61. Re:Stating the obvious... by Sloppy · · Score: 1

      They could use oauth (like Twitter does, as I quickly discovered yesterday when basic authentication suddenly stopped working (to be fair, this was announced far in advance and I just hadn't been following along)), so that users can permit spambots to do their thing, without giving the bots full login credentials.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    62. Re:Stating the obvious... by Zarel · · Score: 2, Informative

      1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.

      You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
    63. Re:Stating the obvious... by jc79 · · Score: 1

      And changing the day of the month too! No spammer would guess that Joanie wasn't really born on the 3rd of July, 2010. Or maybe the 20th of October 1937.

    64. Re:Stating the obvious... by AndroidCat · · Score: 1

      What happens when you change the email address and then request a password change?

      --
      One line blog. I hear that they're called Twitters now.
    65. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Well, since they've incremented the month index it's not an entirely stupid password...

    66. Re:Stating the obvious... by PopeRatzo · · Score: 1

      Unless you're proposing Facebook get into the firewall/anti-virus/malware-cleaning business

      Nobody's forcing anyone to do business on the Internet. Believe it or not, there was a time when it was very rare for anyone to do business on the Internet, and a lot of people didn't mind one bit.

      But if you're going to choose to do business on the Internet, don't expect your customers to handle your security. It's like a liquor store asking patrons to check their own IDs.

      Maybe it's time to find something better than passwords, at least the way passwords are used by sites like Facebook right now.

      --
      You are welcome on my lawn.
    67. Re:Stating the obvious... by _Sprocket_ · · Score: 1

      Very true. Probably because all of the "teenage girls" on IRC are bots.

      Some of them are FBI agents. But then, some of the FBI agents are mandroids.

    68. Re:Stating the obvious... by GrumblyStuff · · Score: 1

      So what do you want them to do? Tie accounts to cellphones? Blizzard-esque authenticators?

      I recall some story about FB requiring a scan or photocopy of driver licenses but google can't find anything other than "Sign up to DriversED with Facebook!" or various DMVs' FB pages (seriously).

    69. Re:Stating the obvious... by spiralx · · Score: 1

      Changing the email address sends an email to every account you have with a link which you can click to cancel the change of address AFAIK.

    70. Re:Stating the obvious... by PopeRatzo · · Score: 1

      So what do you want them to do?

      I want them to figure out how to keep their users' accounts safe.

      A company that's worth $10 billion should be able to come up with something.

      --
      You are welcome on my lawn.
    71. Re:Stating the obvious... by greyhueofdoubt · · Score: 1

      I have had to go through that process as well, and it was incredibly frustrating. People get tagged in photos they aren't actually in all the time. So I had to pass the test by guessing which friend was tagged in a picture of a snowmobile or an infant.

      I don't know if it's just my friends or if it's commonplace- either way, the system is broken.

      -b

      --
      No offense, but I've stopped responding to AC's.
    72. Re:Stating the obvious... by GrumblyStuff · · Score: 1

      Fair enough.

      I do wonder if they have the culture to even think about it let alone actually develop and implement a more secure system. I realize I'm saying that in a story about a new security feature they added but I guess I'm just waiting for the next story about how they bungled it or that it came with a new privacy policy that says "Hey, fuck you. We're taking your second born child as well."

    73. Re:Stating the obvious... by c0lo · · Score: 1

      No it's a reasonably useful feature.

      [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.

      Security as a matter of cost...

      Without the "kick-out" functionality, the spambot is better off (in the matter of costs) living a parasitic life. With the "kick-out" functionality, it is likely that the spambot will "die" in that account once discovered... so what does it have to lose by totally pwning it?

      • If it doesn't pwn, the first time the user logs in, it's goodbye cruel world.
      • If it pwns the account, it will get to live at least some time more until the user calls Facebook support, proves that she/he is the rightful owner, has somebody reset the account email/password, etc. Heck, that's a long time in the life of a bot, so many spam messages to generate. I would venture to say that it will be a long time even for human beings... especially if the user is not a US resident (to have easier access to support over the phone... required, in my opinion, if you want to really certify ownership)

      Which path do you think the spambot author will take, to give the bot the best chance of life?

      Funny thing, by implementing a "half-baked" solution, Facebook escalates the level of fight, but not enough to cut its cost in support in the medium term.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    74. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      I don't know about Facebook, but I've learned from Myspace that to change the contact email you signed up with you have to be able to receive email at your existing email account. It was a real pain, seeing as I use throwaway emails for social networking, and my Myspace throwaway was deactivated, hence I could not change the email, hence I could not cancel my account through the proper channels.

      Strangely, not even uploading hello.jpg and tagging Tom as the "hole" managed to get my account deleted.

      I finally had to give my login credentials to 4chan. Within a few days I could not login to Myspace anymore, and surely search engines have trawled the fake data I hosted on my Myspace page for the past 18 months. Mission accomplished!

    75. Re:Stating the obvious... by c0lo · · Score: 1

      1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.

      You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.

      Wanna bet? Here:

      1. spambot adds the email address of one of the botmaster minions and changes the account password. The botmaster/minion ratifies the change in the password as soon as the email is received.

      Unless Facebook requires that all your email addresses allow the change (and not only one), but I don't think it does (though, not being a FB user, I might be wrong in the matter of details).

      --
      Questions raise, answers kill. Raise questions to stay alive.
    76. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Hey... given how much I love FB, that's an idea... pity I don't have enough time to waste even only to abuse FB.

    77. Re:Stating the obvious... by mahadiga · · Score: 1

      In /.
      Pessimistic = Realistic

      --
      I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
    78. Re:Stating the obvious... by aix+tom · · Score: 1

      The problem with your friends voting would be:

      How many of your "friends" are really just bots? ;-P

      Then again, that really might be a good thing. Every real person gets knocked out of Facebook and then all the bots can hack and spam each other silly while no real person is bothered.

    79. Re:Stating the obvious... by aix+tom · · Score: 1

      They can't really. When the weak point of attack is the user itself, then making the accounts safe would mean preventing the users themselves from logging in.

      The only way to get around that would be to set up "Facebook edit booths" around the country where a person checks your DNA before allowing you in to edit your page.

    80. Re:Stating the obvious... by PopeRatzo · · Score: 1

      The only way to get around that would be to set up "Facebook edit booths" around the country where a person checks your DNA before allowing you in to edit your page.

      Why are banks able to provide a much higher level of security for online accounts without "checking my DNA"?

      You want to say "Facebook can't be more secure" and I say "baloney". They're supposed to be big innovators, so innovate some security.

      --
      You are welcome on my lawn.
    81. Re:Stating the obvious... by Anonymous Coward · · Score: 0

      Here's how you do it:

      Make changing the email address impossible unless confirmed via the original email address.

      I've had password change requests show up in my gmail, and I just ignore them. Someone was obviously attempting to gain access to my gmail.

    82. Re:Stating the obvious... by aix+tom · · Score: 1

      Banks can? Not when I don't pick a secure password for the online account and don't keep it to myself.

      There is some improvement with PIN cards and hardware card readers at your home computer, but that also doesn't help much when your PIN card gets stolen and you wrote the PIN on it.

      When the security hole is the user itself, then there is no technical solution unless you get rid of the user.

    83. Re:Stating the obvious... by DavidD_CA · · Score: 1

      Dunno. Are you suggesting we should send Mark Zuckerberg personally to each person's home for verification when someone wants to log in?

      I agree that it's not perfect, and probably never will be.

      But for those who use public computers and forget to log off, this is a great step forward to protecting them.

      And for those who gave up their passwords in a phishing scam, Facebook has a feature to page you whenever "you" log in from a new computer. Again, far better than what most banks offer, let alone other social networking sites.

      --
      -David
    84. Re:Stating the obvious... by Zarel · · Score: 1

      I said "given the option to prevent the change", not "ratify the change". There is no such thing as ratifying changes. It would work something like this:

      1. Spambot adds the email address of one of the botmaster minions.
      2. You receive an e-mail notifying you that you added a new e-mail address to your old e-mail address, with a link to reverse the change.
      3. Spambot changes the account password.
      4. You receive another e-mail notifying you changed your password, with a link to reverse the change.
      5. You click either link. Facebook makes you reset your password (no need to know the spambot's changed password), and the new e-mail address is removed.

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
  2. Oh wonderful by Olipro · · Score: 1

    This essentially comes down to who can kick off the other logins first... the real user or the spam program. My money's on the program.

    1. Re:Oh wonderful by mysidia · · Score: 1

      I think this only makes sense really against workstations accidentally left unattended, lost cell phone, etc. A real spammer has no difficulty logging right back in after being kicked off, assuming they know credentials.

      Why would the spammer want to kick off legitimate user logins? That would make it obvious to the legit user that their account is compromised. The spammer probably doesn't want that.

      The spammer would prefer to send out more spam as long as the ignorant user is blithely unaware. The user will not be effectively stopping the spam when they are unaware of their own account compromise.

      The real owner's 'legitimate activity' will help mask the spammer's activity, and make the account continue to look legitimate to anyone who might otherwise ignore friend requests / other miscellany, suspecting a 'spam account'.

      If the legit account owner does figure it out, and manage to figure out the 'kick other logins' feature and that they need to use it, I would be impressed.

      The spammer will probably already have scraped their profile and taken advantage of the fact their e-mail password is probably the same, by the time they figure out a spammer was monkeying with their FB account.

      Once the e-mail account's compromised... the spammer changes the e-mail password, then immediately initiates a password reset of the FB account.

      Once all the passwords are changed, who cares if the legit user can kick off logins? The spammer will just log right back in, so fast, it doesn't even matter.

    2. Re:Oh wonderful by Olipro · · Score: 1

      Depends on whether the spammer wants control of the account over the long term or simply wants to do a hard and fast smash 'n' grab on the account. In any case, this could easily be mitigated with a captcha or similar.

    3. Re:Oh wonderful by natehoy · · Score: 1

      Congratulations. I suspect you are the first person to comment, including the person who wrote the summary, that understands what this is good for. This is about cached credentials on stolen or obsoleted devices, not account hacks or disclosed credentials. This is about devices, like an iPhone or Blackberry or even a web browser, that have the "keep me logged in" tickybox checked off. This will, in essence, "uncheck" the tickybox the next time someone tries to access the account from that device, and ask them to log back in.

      If you're the legit account holder and someone with an old device of yours knocks you off, you've already got your account credentials, and you can log right back in and knock everyone else off immediately. If you're the spammer, unless you have somehow hacked the original credentials, you are out for good if the legit account holder manages to knock you off once.

      So if someone steals your cell phone, you can ban that device. They might be able to bounce you once or twice first, but you can log in because you have the login credentials. They can't change your email or password, even on a pre-authenticated device, without providing the old password. Once you get logged in you can bounce them, and they don't have your password so they can't get back in. You only have to win once.

      Personally, I'd design the system so that you can clear pre-authentication only for all pre-authenticated devices, including the one you are logged into at that moment. No choosing specific ones or excluding the one you are using right now. That way, someone accessing your account through a lost or stolen device has no way of knocking you off without knocking themselves off at the same time. You can log back in (you have your password). They can't.

      Of course, this would also have the same effect as simply changing your Facebook password, which seems like the logical thing to do if you suspect someone has access. That would completely lock out anyone with a pre-authenticated device *and* protect you from someone who might have actually hacked your credentials.

      Having said that, if you use that same phone or device to check your email too, there is a risk of your getting locked out. "Lost password" goes to your email account. So there is a risk that you get your Facebook-related email on your phone, the hacker could use "lost password" on your phone to have a new password sent to your phone, then login with the new password, and own your account.

      But this doesn't attempt to solve for that problem. If someone's got a device that can access your email, your Facebook account should be WAY the hell down on the list of your problems you have to deal with anyway.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  3. Nice by Anonymous Coward · · Score: 0

    Gmail has this feature too. It's good, especially when you are logged in at home and people are trying to use chat to contact you.

    1. Re:Nice by Idbar · · Score: 1

      You should be modded up. Gmail implemented this feature long time ago.

  4. Well, the info provided is kind of useful? by trytoguess · · Score: 1

    Dunno, I'm thinking it'll be easier for someone to just change their password... Oh wait, I notice this would also allow folks to sign out of public computers. K, so it does have its uses I guess.

    1. Re:Well, the info provided is kind of useful? by mysidia · · Score: 1

      This is more sensible: changing passwords should force all login sessions to end.

      The two people who will use this legitimately and are technically savvy enough to figure out this feature and know what an IP address is, will really appreciate it.

      80% of the public will have no clue, unless this is presented when you login, listing "Other recent logins".

      They'll have no clue about IPs still, or how to use this.

    2. Re:Well, the info provided is kind of useful? by Anonymous Coward · · Score: 0

      Only 80% of the public being stupid fuckwits who have no clue about IP addresses is probably quite optimistic. Even if this number is correct, this will probably make it about 98% of all facebook users.

  5. huh?? by miffo.swe · · Score: 1

    Wouldn't this make it perfectly possible for spammers to lock the legitimate owners out of their accounts? How does Facebook know which user is the real one?

    Sounds like a very stupid move.

    --
    HTTP/1.1 400
    1. Re:huh?? by Noughmad · · Score: 1

      Facebook

      Sounds like a very stupid move.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    2. Re:huh?? by natehoy · · Score: 1

      No. This term, "ban", the article keeps using it, but in this article it does not mean what we think it (usually) means. (with apologies to I. Montoya)

      "Ban" in the context of this article means "clear pre-authentication", if I'm reading the article correctly. Most Facebook apps allow you to check a little tickybox that says "keep me logged in forever". "Ban" clears that tickybox. It simply means that you need to know your Facebook password and present it before you can use the device again. No one can use this to lock you out of your account, only to make you log back in next time on that device.

      So, if your cell phone is stolen, and you've pre-authenticated it with Facebook, you get home and "ban" the device. That means the Facebook app on that cell phone is going to ask the thief for the password next time they want to log into Facebook.

      If they ban you first, you log back in to Facebook, log in to clear the "ban" on that device, and "ban" them immediately. They can't log back in to Facebook to "ban" you any more, so you win.

      It's like changing your password, except it's more convenient when you have no reason to believe that your password has actually been compromised.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  6. Not thought out very well. by Omniscientist · · Score: 3, Interesting

    While this may be a "neat" solution, if a spammer has your facebook credentials, then they have access to this new system as well.

    I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

    The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.

    I'm sure getting back access to your account at that point would be a really fun experience.

    1. Re:Not thought out very well. by Anonymous Coward · · Score: 0

      I assume that the goal of a spammer is to spam while evading detection by the original user. Getting locked out of one's account is probably more cause for alarm than randomly seeing some messages posted by you.

    2. Re:Not thought out very well. by DavidD_CA · · Score: 1

      There is a setting in Facebook that, when activated, will send you a text and/or email whenever "you" log in from a new computer.

      --
      -David
    3. Re:Not thought out very well. by noidentity · · Score: 1

      Obviously it will only let the real owner of the account block devices that unauthorized people are using to access his account.

    4. Re:Not thought out very well. by Sockatume · · Score: 2, Informative

      It's opt-in, sadly. More here. I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.

      --
      No kidding!!! What do you say at this point?
    5. Re:Not thought out very well. by LinkTiger · · Score: 1

      Spammers already can lock the legitimate user out by changing their passwords. There are multiple business models for spammers/scammers; some that benefit from locking real users out, and others that don't. This is another tool--which will remain unfortunately underutilized, I'm sure--for combating the latter case.

    6. Re:Not thought out very well. by gerddie · · Score: 1

      I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

      If you enable the "login notifications" you will get a text message or e-mail whenever someone (or you) logs in from a not yet known device.

    7. Re:Not thought out very well. by ProfessorKaos64 · · Score: 0

      How does this compare to how GMAIL handles the same situation?

    8. Re:Not thought out very well. by natehoy · · Score: 1

      if a spammer has your facebook credentials, then they have access to this new system as well.

      It's a good thing they didn't design this as a solution to that problem, then.

      This is only about clearing pre-authentication on devices that remain logged in.

      "Oops, I left the library computer logged in to my Facebook account, better clear that pre-authentication so the next patron can't use my account."
      "Oops, someone stole my iPod, better clear pre-authentication for it on Facebook so they can't access my account."

      If you suspect someone else has your Facebook password, this tool is utterly useless to you, since they could simply log in again. The only useful response to that threat is to change your password.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  7. A step forward by Anonymous Coward · · Score: 0

    Facebook spammers will soon have a new way of knocking legitimate users out of their accounts.

  8. The Facebook dyke has so many holes... by Trip6 · · Score: 4, Funny

    ...and I have so few fingers...

    --
    I hate being bipolar; it's awesome!
    1. Re:The Facebook dyke has so many holes... by Anonymous Coward · · Score: 4, Funny

      Call a friend to help finger the dyke!

    2. Re:The Facebook dyke has so many holes... by Anonymous Coward · · Score: 0

      You really only need one. I will leave it as an exercise for the reader as to which one is needed.

    3. Re:The Facebook dyke has so many holes... by snspdaarf · · Score: 1

      lose, loose,
      dike, dyke,
      Let's call the whole thing off!

      --
      Why, without your clothes, you're naked, Miss Dudley!
  9. /kickban makes a comeback! by Anonymous Coward · · Score: 0

    Everything old is new again.

  10. Great by Anonymous Coward · · Score: 0

    now facebook is taking my ex's side too.

  11. same email and password by ScottCooperDotNet · · Score: 1

    That won't be all that helpful to those who use the same email and password for everything.

    Maybe it will use SMS?

    1. Re:same email and password by siriuskase · · Score: 1

      Maybe it uses a security question, and works like a password reset.

      --
      If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
  12. Remember this bright Facebook security idea? by rshxd · · Score: 0

    They talked about mandatory virus scan before you could login... brilliant!

    1. Re:Remember this bright Facebook security idea? by maxwell+demon · · Score: 1

      Did they tell you where to get that mandatory virus?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  13. Completely missing the obvious... by node+3 · · Score: 1

    That doesn't matter. *Right now*, a spambot (or whatever) could just change your password on you and lock you out. What you're suggesting is just the same thing (otherwise, remote logging you out isn't going to do anything except make you re-enter your password). Presumably, spambots aren't doing this now.

    Maybe spambots will add this to their repertoire, who knows. But as of right now, this fixes a specific problem that actually *does* exist. If the spammers do start doing that, Facebook will have to come up with something to counter *that*. In the meantime, this solves a real problem.

    And even if they do start doing this, heck, even if they are doing this right now, this will still help people where this isn't happening. Every little bit helps.

  14. Isn't that a bit too late? by bickerdyke · · Score: 1

    Your account is compromised. Changing passwords would seem a better solution to me. Voiding all other security tokens should be a part of the password-change process anyway!

    Just logging a hacker out is like throwing a burglar out of your house at night and letting him keep the keys to your house!

    --
    bickerdyke
    1. Re:Isn't that a bit too late? by natehoy · · Score: 1

      Analogy fail.

      Forcing a hacker to log back in is like kicking the burglar out and locking your back door after you've found out that your unlocked back door is the way the burglars have gotten in.

      This tool is good enough if, say, you didn't log out of your account when you left the library, or your cell phone was stolen. There's no easy way for the next patron or the thief to actually get access to your password, they just have a cached login on the device. If you can clear that, there's no real need to change your password.

      Obviously, changing your password is a BETTER way of locking them out, just in case they somehow did manage to get your password from the device.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
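The session-revocation behaviour argued over in comments 2.3 and 14/14.1 (kick one remembered device, kick them all, and void every token on a password change), as an added Python example; this is not Facebook's code or any poster's, and the user and device names are constructed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str          # opaque random value kept by the device ("keep me logged in")
    user: str
    device: str         # constructed label such as "iPod" or "library PC"
    pw_generation: int  # which password the session was issued under


class AccountSessions:
    """Server-side registry of remembered logins, one entry per device (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}     # token -> Session
        self._pw_generation: dict[str, int] = {}    # user -> bumped on password change

    def login(self, user: str, device: str) -> str:
        """Issue a fresh token; the caller is assumed to have presented the password."""
        gen = self._pw_generation.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, device, gen)
        return token

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        # Dead if explicitly revoked, or if it was issued under an older password.
        return s is not None and s.pw_generation == self._pw_generation[s.user]

    def list_devices(self, user: str) -> list[str]:
        """What the article's settings page would show: every live remembered device."""
        return sorted(s.device for s in self._sessions.values()
                      if s.user == user and self.is_valid(s.token))

    def revoke_device(self, user: str, device: str) -> None:
        """The article's feature: kick one remembered device."""
        for tok, s in list(self._sessions.items()):
            if s.user == user and s.device == device:
                del self._sessions[tok]

    def revoke_all(self, user: str) -> None:
        """natehoy's variant: clear every remembered device, the caller's included."""
        for tok, s in list(self._sessions.items()):
            if s.user == user:
                del self._sessions[tok]

    def change_password(self, user: str) -> None:
        """bickerdyke/mysidia: a password change voids every token issued before it."""
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1
        # Drop the now-dead entries so they no longer show up in the device list.
        for tok, s in list(self._sessions.items()):
            if s.user == user and not self.is_valid(tok):
                del self._sessions[tok]


def stolen_device_scenario() -> dict[str, bool]:
    """Constructed walk-through of natehoy's 'you only have to win once' argument."""
    store = AccountSessions()
    owner = store.login("alice", "home PC")
    thief = store.login("alice", "iPod")            # device remembered, then stolen
    store.revoke_device("alice", "home PC")         # thief kicks the owner first
    owner_kicked = not store.is_valid(owner)
    owner_again = store.login("alice", "home PC")   # owner knows the password
    store.revoke_device("alice", "iPod")            # ...and kicks the iPod
    return {
        "owner_kicked": owner_kicked,
        "thief_still_in": store.is_valid(thief),    # no password, so no way back
        "owner_back_in": store.is_valid(owner_again),
    }


if __name__ == "__main__":
    print(stolen_device_scenario())
```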
  15. How is this news? by xnt14 · · Score: 0

    Gmail has had this for _years_.

    --
    ~xnt14
    1. Re:How is this news? by Beerdood · · Score: 1

      Msn / hotmail just implemented something like this as well (maybe 3-6 months ago can't exactly recall when). What's so special about FB doing it that deserves an article?

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
  16. What the ... ? by X.25 · · Score: 1

    I'm not a Facebook user, so I am having trouble understanding something.

    Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

    1. Re:What the ... ? by BSAtHome · · Score: 1

      Well, to stay in contact with U.N.C.L.E. of course. Or maybe they need to talk to THRUSH.

    2. Re:What the ... ? by Abstrackt · · Score: 1

      I'm not a Facebook user, so I am having trouble understanding something.

      Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

      Think of Facebook as just another website. People tend to use the same username/password combination on multiple sites, so you only need to hack one to have a good shot at the rest.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    3. Re:What the ... ? by Anonymous Coward · · Score: 0

      because they downloaded an exe that was marked as being a necessary codec to watch a video and it compromised their machine.

    4. Re:What the ... ? by Archangel+Michael · · Score: 1

      Read my sig.

      People are stupid (the rest doesn't quite apply here ... yet).

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:What the ... ? by natehoy · · Score: 1

      They wouldn't, at least not in any context where this tool would be of valid use.

      On my Blackberry and my iPod, when I log into my facebook account, the account remains logged in forever. I don't need to know my password any more to gain access to Facebook on my iPod. If my iPod were to be stolen, two things would be true:

      1. Thief would have no way of getting my Facebook password. The specific device is pre-authenticated with my Facebook account, but the Facebook app doesn't actually have a copy of the password in it.

      2. Thief would have access to my Facebook account using that device (at least all the stuff you don't need a password to see or change) until I clear pre-authentication for that device from my account.

      So, the thief could use the stolen device to post messages "from me", read my wall, download my pictures, see all of my account settings and change a few of them. But they wouldn't have my password. They'd have a device that I had authorized for access to my account.

      Once that device is cleared from the pre-authentication list, the thief loses access to my account.

      Does that make it clearer?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  17. GMail has had this forever by EmagGeek · · Score: 1

    It's not like this is fantastic new technology or anything, just something Facebook should have been offering since the beginning.

  18. Advocating better passwords is better... by MrCrassic · · Score: 1

    Quite a few people I'm close to that use Facebook use TERRIBLE passwords that can be guessed easily through brute-force methods. (Some use 'password' as password...) Without some way of FORCING users to use stronger passwords (like !passw0rd!; much better, though still not ideal), this will keep happening.

  19. Finally, a feature worth... by hesaigo999ca · · Score: 1

    Finally something that makes sense, seeing as so many people had their facebook accounts hacked and the usernames and passwords published in a big gigantic torrent file...I think it makes so much sense, that gmail and hotmail should follow suit.

  20. Hacker's Version: by artfulshrapnel · · Score: 1

    "Facebook hackers will soon have a new way of knocking legitimate users out of spam accounts. The social-networking company is rolling out a new security feature that lets hackers see which computers and devices are logged into their Facebook accounts, and then removing the ones that they don't want to have access."

    1. Re:Hacker's Version: by HikingStick · · Score: 1

      That's exactly what my first thoughts were. What safeguards will they have in place to prevent the illegitimate from ousting the legitimate?

      --
      I use irony whenever I can, but my shirts are still wrinkled...
  21. But also... by Lythrdskynrd · · Score: 2, Interesting

    An interesting other thing they might be able to do is map the frequently banned IPs, track them and follow up with a great big lawyer-stick.
    You know ... RIAA style!

  22. This isn't new by WankerWeasel · · Score: 1

    This has been an option for some months now.

  23. Better security: Give users an admin account too by MessyBlob · · Score: 1

    Any anti-bot/spammer/crook system has to work at a level that is not the same as the regular session. On joining a system, you should be able to set up a separate user/password that acts as admin for your account, and the admin account is used to control access. During regular use, you use your regular account, which means that there is less probability of having your credentials stolen, and less probability of having your admin account hacked. If your regular account is hacked, then disable the regular account; the admin account can then be used to unlock it.

  24. Just like XP zombies, there is value in stealth by PPalmgren · · Score: 1

    Why did malware migrate away from breaking usability to being as transparent as possible? Because when users see that something is compromised, they act to fix it. Currently, a user can't easily tell if their FB account is compromised and stealing information, and with this new feature they can. This benefits the user more than the bot, because if it tries to prevent the user from logging out bot connections, then the user knows something is up. The only sure-fire way to prevent the user from seeing the bot is preventing their log-in, which is a gigantic red flag in and of itself. Knowing is half the battle my friend.

    Based on above, I feel like they made the right choice on this feature. This is coming from a FB hater and a very pro-privacy person.

  25. They should secure their site instead! by Anonymous Coward · · Score: 0

    Facebook doesn't support SSL very well; it is trivial for someone to sniff your cookies and hijack your connection (especially if you use Facebook on an open wifi connection, let's say at a coffee shop for example)... If they implemented SSL properly maybe fewer accounts would get hacked...

  26. Going about it all wrong. by destiny71 · · Score: 1

    Sounds all neat and cool. Sounds like it would work.

    But, the problem is, those that are smart enough, and educated enough to figure out how to find this, and use it correctly, wouldn't be getting their accounts hacked by spambots to begin with.

    Gmail has had this for a couple years at least BTW.

  27. Re:Better security: Give users an admin account to by Cyclloid · · Score: 1

    But what are the chances that the user uses the exact same username/password for both the admin account and regular account? I would say the odds are pretty high.

    The world is not as security minded as the average /. reader.

    Facebook would also have the problem of the majority of their users complaining about needing two passwords for a single account or having to login with different accounts/passwords to get to certain functionality.

  28. Why? by Beerdood · · Score: 1

    I'm seeing a lot of suggestions for complex security here. First of all, if your account has been compromised and it's been sending spam to your friends, won't you already know about this soon after the spambot sends some spam out? Most won't be aware of this right away, but surely they'll be informed by their friends of the spam they received? I haven't had my fb account hacked, but I've gotten a couple of messages from friends that were clearly spam. I sent a message explaining what went up and no more spam appeared. Surely the vast majority of facebook users have at least one or two tech savvy friends that reply "dude, your account was hacked, change your password".

    --
    Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
  29. Display last login time by Beerdood · · Score: 1

    This feature is handy if you forgot to log out at home and log in somewhere else, but won't do much for spammers. If a spammer has your credentials, you'll know fairly soon when your friends message you and say "WTF was that message about?". Even if this allows you to remotely ban an IP address from logging in or force the other user out, how's that going to protect you? They still have your credentials and can just log in again.

    Better security? Display the last time you logged in / logged out on your home page. Now you know when and if someone else has logged into your account. This is better protection against lurkers as well (i.e. snooping spouse or roommate).

    --
    Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
  30. Is Apple listening to this? by Anonymous Coward · · Score: 0

    Now if only Apple would take a clue from Facebook and allow us to do the same with our iTunes activations. We could then remotely deactivate our authorized computers that no longer exist.

  31. Another way to expose your location by Anonymous Coward · · Score: 0

    So if someone gained access to your very secure Facebook account they could monitor it to see when you access it and from what IP (location). Nice. I guess with people opting out of their new location-sharing feature they had to open a new way to track your location.

  32. Bye Bye lurking parents by DodaGrima · · Score: 1

    The new FB privacy settings allow parents to lurk without getting involved in friendships. Now teens will be able to kick out the parents who are trying to be involved or protective or whatever without having to actually be in the same room with the moronic teen. One day the decision makers at FB will have teens. And the only way they will have to monitor them is POTS. What goes around, comes around.
