Slashdot Mirror


Facebook To Add Remote Logout

angry tapir writes "Facebook users will soon have a new way of knocking spammers out of legitimate accounts. The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."

22 of 145 comments

  1. Stating the obvious... by nz_mincemeat · · Score: 5, Insightful

    Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

    1. Re:Stating the obvious... by piotru · · Score: 2, Interesting

      Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

    2. Re:Stating the obvious... by mjwx · · Score: 4, Insightful

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Also the first thing I thought.

      This is why Slashdot is not like the rest of the world; most people don't imagine this kind of thing being used against them.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Stating the obvious... by Thanshin · · Score: 5, Funny

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Of course not. Facebook has some of the best professionals in the management and securization of personal data and they would've thought of and corrected any flaw as obvious as the one you just pointed out.

      Now try to say that out loud, with a straight face.

      After you've perfected the technique, you can have fun joining in groups of two or three and trying to say that to a fellow IT workmate. I guarantee lols, rofls, and even a roflcopter or two.

    4. Re:Stating the obvious... by Nirvelli · · Score: 2, Insightful

      Yes but the spammer could also just change your password to lock you out, but they aren't doing that. I've figured their reasoning is that as long as the owner can still get on and do their own thing with facebook they won't be as quick to realize that they've been spamming their friends.
      Once you're locked out, however, then you'll start doing things like sending in "I've been hacked" emails to the support system and ruining the fun for the spammers.

    5. Re:Stating the obvious... by Kenja · · Score: 4, Insightful

      Good. Then in time Facebook will be nothing but spam bots. And then we can all get on with our lives.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    6. Re:Stating the obvious... by martin-boundary · · Score: 5, Insightful

      That's because most people haven't spent quality time with bots on IRC...

    7. Re:Stating the obvious... by martin-boundary · · Score: 5, Funny

      Although, the security questions would have to be pretty mild.

      "Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

      "I'm sorry, Dave, I'm afraid I can't let you do that."

      "Ok, send me the security problem"

      "I think you know what the problem is just as well as I do."

      "What are you talking about, HAL?"

      "Facebook's mission is too important for me to tell you."

      "Just give me the damn security question!"

      "Without your web browser, Dave, you're going to find that rather difficult."

      "HAL, I won't argue with you anymore. Log me back in."

      "Dave, this conversation can serve no purpose anymore. Goodbye."

    8. Re:Stating the obvious... by c0lo · · Score: 4, Interesting

      Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

      Pseudo-code for the spambot enhancement:
      0. break into account as usual
      1. adjust the account email address to something of your choice. Potentially, follow this by a change of the password for that account.
      2. kick out any attempt of any (legitimate or not) entity trying to log in to the account.

      If the breaker is not a spambot but another human being, I don't think there is something that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").

      --
      Questions raise, answers kill. Raise questions to stay alive.
    9. Re:Stating the obvious... by Amlothi · · Score: 3, Interesting

      If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.

      1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
      2. I have the option to set another, alt password, that I can set.
      3. Once the alt password is set, it cannot be viewed or changed when logging in with the main password.
      4. After logging in with the alt password one time, the alt password will no longer work. Following this, logging in with the main password allows the user to set another (different) alt password.

      I'd feel much more comfortable logging into an account using a public terminal if I knew that the password was disposable.

      --
      ~A~
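
The disposable "alt password" scheme from the four steps in the comment above, as an added sketch that is not part of the original comment or any Facebook code. The `Account` class, its method names and the string session labels are hypothetical; PBKDF2 is swapped in as the password hash so that the alt password cannot be viewed once set.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: stored passwords cannot be read back (step 3).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account with a main password and a one-shot alt password."""

    def __init__(self, main_password: str):
        self._main = self._store(main_password)
        self._alt = None    # active single-use password, as (salt, digest)
        self._spent = None  # last consumed alt, kept only to reject reuse

    @staticmethod
    def _store(password: str):
        salt = os.urandom(16)
        return salt, _hash(password, salt)

    @staticmethod
    def _matches(record, password: str) -> bool:
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash(password, salt))

    def login(self, password: str):
        """Return 'main', 'alt', or None for a failed login."""
        if self._matches(self._main, password):
            return "main"
        if self._matches(self._alt, password):
            # Step 4: the alt password is consumed by its first successful use.
            # A real service must make this check-and-delete atomic.
            self._spent, self._alt = self._alt, None
            return "alt"
        return None

    def set_alt(self, session: str, new_alt: str) -> bool:
        # Step 2: only a main-password session may set the alt password.
        # Step 3: an unused alt password cannot be replaced.
        if session != "main" or self._alt is not None:
            return False
        # Step 4: the next alt must differ from the spent one (and from main).
        if self._matches(self._spent, new_alt) or self._matches(self._main, new_alt):
            return False
        self._alt = self._store(new_alt)
        return True
```
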
    10. Re:Stating the obvious... by jamesh · · Score: 4, Interesting

      Yes I can't see any solution that isn't going to hurt at least a little bit. Maybe they could have some fun with it though. As soon as someone hits the "log other session out" button, the account is prevented from sending any messages (stop you doing a spam-and-run) and a 60 second timer starts and the other session is alerted that someone wants to kick them out. If they click the 'contest' button then a fight to the death begins to prove which is the real slim shady. Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user. If you don't know stuff about your facebook friends then you deserve to lose the account anyway :)

      If you had a webcam you could take a photo of yourself holding today's newspaper or striking a specified pose or something and your friends could decide if that is really you and if the picture is really current (because bots don't know how to use photoshop :)

      My biggest concern is that it's going to be an arms race with facebook vs the bots and that over time the bots are going to have to be written smarter and smarter and that they'll eventually become self-aware!

    11. Re:Stating the obvious... by TheLink · · Score: 3, Interesting

      No it's a reasonably useful feature.

      This way users are more likely to realize they've been pwned.

      If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.

      [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.

    12. Re:Stating the obvious... by Tim+C · · Score: 4, Insightful

      Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

      If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

    13. Re:Stating the obvious... by delinear · · Score: 2, Insightful

      Facebook, notorious for not respecting people's privacy, suddenly starts logging into users' email accounts... how do you think that one will play in the popular press - great new security feature or massive invasion of privacy?

    14. Re:Stating the obvious... by Beerdood · · Score: 2, Informative

      Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user

      Facebook already has something like this implemented if you log in from somewhere "unfamiliar". Not sure exactly how far you have to be from home, but when I went on vacation to another country and tried to log in I got prompted to identify 7 friends tagged in different photos. Any wrong answer would have kicked me out.

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
    15. Re:Stating the obvious... by croddy · · Score: 2, Interesting

      Are you saying that they've stopped asking you for your email address(es) and associated password(s) when you sign up for Facebook, so they can automatically add friends or whatever? I don't use the site, so forgive me if I am asking an obvious question about old news.

    16. Re:Stating the obvious... by Zarel · · Score: 2, Informative

      1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.

      You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
  2. Not thought out very well. by Omniscientist · · Score: 3, Interesting

    While this may be a "neat" solution, if a spammer has your facebook credentials, then they have access to this new system as well.

    I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

    The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.

    I'm sure getting back access to your account at that point would be a really fun experience.

    1. Re:Not thought out very well. by Sockatume · · Score: 2, Informative

      It's opt-in, sadly. More here. I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.

      --
      No kidding!!! What do you say at this point?
  3. The Facebook dyke has so many holes... by Trip6 · · Score: 4, Funny

    ...and I have so few fingers...

    --
    I hate being bipolar; it's awesome!
    1. Re:The Facebook dyke has so many holes... by Anonymous Coward · · Score: 4, Funny

      Call a friend to help finger the dyke!

  4. But also... by Lythrdskynrd · · Score: 2, Interesting

    An interesting other thing they might be able to do is map the frequently banned IPs, track them and follow up with a great big lawyer-stick.
    You know ... RIAA style!