Slashdot Mirror
Facebook Launches Social Login and HTTPS
dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"
News at 11.
Because someone close to you who knows your friends may never seek revenge on you and try to get into your Facebook.
I'm able to change the protocol to https for any page, successfully. But all the links on that page point back to http. So... That's pretty limited https support.
Problem: A lot of what people tag as me is to get my attention, not because it IS me. I got locked out of my account for about a week because of this mis-feature, and when I did get back in, I had to spend about three hours removing tags of things like trees, the sun, burgers, and lots of other stuff.... now it works. But the solution fails because it makes an assumption that isn't always true.
#fuckbeta #iamslashdot #dicemustdie
Facebook increasing security? Wouldn't have anything to do with Zuckerburg's page getting hacked, would it?
Today, history has been made. A social networking site actually listened to its users and implemented a bit of security. *astonished*
It is pitch black. You are likely to be eaten by a grue.
All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."
I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.
The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.
The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
What's the biggest problem? Well, you don't get pictures of the persons face as the summary says. What you get are pictures tagged with that persons name. The first one I did was their face, and I thought, "o.k. - no problem.".
The next one was some kid. A relative of one of my friends? A neigbor of one of my friends? Shoot could have even be one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
Next photo is an inanimate object. I don't know remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Also, the chat-function breaks when on https. Not very surprising though.
Well, there's Stinky, "Horse", Knocks, Poker-Face, and Weed. How does that help me log in?
Why, without your clothes, you're naked, Miss Dudley!
This social login is supposed to increase security? What about privacy. It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...
As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.
I'm curious about how the "Social Authentication" feature will play out, especially for the facebook users eighter view the friendslist as a sort of competition or who play games that reward users who have many friends playing the game and therefore add friends by the truckload without having any real idea of who they are. There's probably a lot of people playing the latest Zynga game or whatever is popular these days, with an extremely large list of "friend" who they don't know and don't want to know, other that they share the same game interest and it's a win-win in relation to that game. If facebook starts asking questions about these 'friends' then I fear many users will fail the social authentication and then what?
More than half my friend list consists of people that I don't really know. Some are gamers who help me with social games that offer benefits to players that have a lot of friends who play the same game. Also, it seems to have become a fad to use weird aliases instead of real names.
I thought it was just a clever way for us to do work training their facial recognition algorithm ... Maybe a huge conspiracy to create a government identification database!
Mathematician, n.:
Someone who believes imaginary things appear right before your i's.
jackass
stoned
douchebag
bitch
slut
dick
asshole
drunk
party
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Facebook and the Social Login feature make the mistake of assuming your friends will post portrait photos of themselves. I have run into this little test, and most of the random images Facebook selected for me to identify were of internet memes, lolcats, a guy on a horse in the distance whose face I could not make out, and comics/animation/tv characters my friends like. I failed the test and had to wait a couple hours and retake it twice before I could finally get a random set of images I recognized.
HTTPS has been an option with Facebook for a while, but Facebook chat (still) doesn't work while viewing over HTTPS. And the wife needs Facebook chat...
It took a hacker, to force facebook into being more secure yet. Maybe someone sniffed the ports earlier today and that is how they got into Zuckerboy's account or fansite or whatever...
Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
i cant share my wife's account anymore. i gotta make my own now.
well, i needed to make one for myself just to untag my name from my ugly mug anyways. either way the machine is going to eat me. *splat* i give up. there's no way to avoid them. people i see can take photos of me and label me. i cant undo it without logging in. if i log in, it is still stored.
it's a new world i guess.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
First of all this is using your friends pics without their consent. I'm sure there will be someone smart enough to use the social login to harvest someone's friends and constructing a friends list of a user.
I had to name friends one time for some stupid facebook game that I installed. I couldn't name more than half of them from photos. Probably 1/3rd were people I didn't know that well who friended me ("sure, whatever -- click") and 1/3rd were people I knew but whom I couldn't identify based on their profile photos. => All in all, a novel but (in practice) rather stupid idea.
Does anyone else think this is just another way to have you give them more info. Before they knew who your friends were through links and addresses. Now the are able to start putting a face to a name. Further stripping of privacy here. There are other ways to make things more secure, but to rat out your friends is really manipulative.
I set up a fake facebook site, when you go to login, I forward the request to face book so I get your pictures and answers, then when your done, I get your password anyway.
So anything local can steal your password and any phishing site can do it as well if they put 2 seconds of effort into it, they can also use an existing botnet to proxy the requests to the real facebook site so it doesn't all come from one phishing site host.
If this is a replacement for captchas just stop. Require a valid credit card and a sign up fee of some tiny amount one time and freaking be done with it. Requiring a credit card is less of a hassle and more reliable even for people who don't currently own a card. Effective captchas are practically unreadable to most humans and the new 'throw random friends pictures at you' is worse since it will end up throwing you pictures like the back of someones head or some random person that happens to be in one of your photos but you really have no clue who they are.
This doesn't solve any problems and makes use more annoying. Sounds like a win-win as long as it only applies to facebook.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?
They pull that sort of thing now, and most people won't be able to log in...
The good news is that this will provide an incentive for producing low-cost high-quality face recognition software. There will also be face recognition outsourcing services.
And, if the Facebook account is entirely fake (created, perhaps, by Facebook Demon), this won't slow down login, since the program has already seen its own pictures.
Does this mean that those of us who refuse to go anywhere near Facebook will no longer be allowed to post things? There ain't no way I'm ever going to have an account with something like that, I value my privacy (what little I have left) too much.
And anyway, I don't really *like* people and have no friends, so what would I be shown if I *did* have a Facebook account, but zero friends?
PS: apparently, one can no longer use the <i> tags to italicize words ("like" and "did" are wrapped in 'em above.) What else have we lost?
http://blog.facebook.com/blog.php?post=486790652130&ref=mf
erm.. dancers? Do you need to know their real name or their stage name? Plz clarify.
> asked to name the person in those photos
It's also a good way to entice people to put names on the faces in their photos.
Other security suggestions include verification via mobile phone.... which just so happens to be a good way to entice people to put their mobile phone number into their profile.
Why does every feature sold as a security enhancement involve increasing the amount of personal info you hand over?
Expert in software patents or patent law? Contribute to the ESP wiki!
My congratulations to the Facebook developers. They've made a website that faceblind people like me cannot use -- I didn't think that was possible.
I wonder if I can sue them under the Americans with Disabilities act...
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I was traveling recently and it had me do the social login thing because I was outside the usual range of IPs. I actually liked it. It was a no-brainer for me to do, and very few people that weren't me could have done it correctly, since the pictures of people were from all over my social map. +1 to Facebook for this one.
You are not the customer.
Which kind? Close ones? The old schoolmates that look totally different now? Some people that you only know thru internet, never saw in real life? The anonymous faces that some collect as "friends" just to make numbers? Any of the variations of the word used in the South Park episode about facebook?
The problem with facebook is that everyone of them are just friends, not a lot of deepness there, basically all in the same bag no matter what they are, And add to that that their identifying picture could be anything.
Probably will be far less troublesome to actually pick a decent password than remembering names of random friends.
My 15 year old daughter, and probably all other other teens/tweens out there, likes to "collect" friends, whether she really knows them or not. having tons of contacts on FB affords her bragging rights in her circle of real friends. So, if she has to name some of them before being allowed to access her home page, then I guess I can remove the time restriction to that domain from my firewall, cause she'll never get in again.
Loading...
This is a terrible idea for a number of reasons. First of all, how many people's friends actually simply tag themselves in photos of themselves. People tag themselves in all sorts of things, many of which are not themselves. Someone might tag themselves as George Washington, or the Mona Lisa or even just random things like a corner of a photo of a concert they attended. Secondly even if that was 100% perfect the fact still remains that the greatest threat to the average person's privacy isn't the guy who promises to 3nlarg3 y0ur p3n1s, though, that is a valid threat, but is more often it is someone with a grudge against you. While it is rather easy to laugh off the 3nlarg3 y0ur p3n1s guy and just say "sorry if you got any spam from me" but someone with a grudge against you might ruin your life, especially if you aren't on Facebook 24/7 and have added people like your boss, your parents, your in-laws, etc.
Taxation is legalized theft, no more, no less.
like, you know, all the little teeny boppers that hack their 'friends' facebook pages?
what if the hacker is known to me/knows the same people I do?
Ya, real good solution-- Since before the internet was widely in use~ with my very first bank account where I could call in and ID myself to the bank for account changes, ~ my 'mothers maiden name' has ALWAYS been something my irresponsible brother does not happen to know.
every day http://en.wikipedia.org/wiki/Special:Random
All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."
No, all websites that allow logins should require at least HTTPS (and preferably HTTPS with certificate verification in both directions rather than just one, though getting to the point where that is practical is still a ways off) from any logon not on the servers local network. Otherwise, credentials are travelling unencrypted over the public internet -- which means a bunch of computers that aren't controlled by either the owner of the account or the owner of the system they are logging in to, any of whom can capture that information and misuse it.
It's like adding a lock on a door that leads to a house with only one wall.
What do I know, I'm just an idiot, right?
The Social Login is old, I first had to use it when in America last July (it didnt like the fact i normally log on in the UK). The only problem with this is thoose "tagging" photos, where it asks you do identfy someone who has been tagged and they are just a word etc, doesnt really work.
I'm curious: does turning on "do everything over https" end up breaking third-party clients, like some of the iPad clients or like the Facebook upload plugins for some photo software?
Also, how does it interact with the ajaxy "like" buttons on third-party web sites?
(The option hasn't been rolled out to me yet, so I can't check on the answers myself yet.)
I've no idea how they plan to use this, I don't watch TV and most of my friends on face book either don't use real names or real pictures or both and often tag each other in the most bizarre pictures and change lots of things from time to time.
Maybe some people do use real identities, who knows?
thank God the internet isn't a human right.
I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, if punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Now I really like not having 500 friends! I think that with 40 I have enought. I don't want to think what will hapen to those who have to remember the names of hundreds of people, specially of those who have a random pic as their profile.
I would assume that this announcement means that Facebook will now be fully compatible in HTTPS mode.
If not, nothing really changed, as you said yourself, it's been possible to use Facebook in HTTPS for quite some time now.
Just IM isn't working in HTTPS.
- Don't do what I do, it's probably not healthy nor safe. -
What about all those pictures with a bunch of cartoon characters describing a particular personality trait and then you tag the friends that best fit that trait? Just about every female friend I have either has or is tagged in at least five of those. Am I to remember that a mutual friend that I've never met thinks my buddy is "the comedian" or "the athlete"? What about people with horrible tagging skills? I see tons of picture with tags that are nowhere near the person. Or pictures of my friend in their halloween costume that covers their face? A friend of mine was recently married. She got tagged in every single picture in this one lady's album of the wedding, even if she wasn't actually in the picture. All examples of situations where this fails and I end up super pissed off.
This is a good idea in theory. The odds of someone else being able to identify each of the people you know is slim at best. Even your best friend or spouse will have trouble unless you grew up together and were inseparable. The problem is that the system relies on something that isn't at all reliable.
I think the best solution is encouraging strong passwords with a good recovery question. If the user is too stupid to come up with something that can't be guessed then they deserve to get hacked. In my humble opinion, if a website needs this level of security to "protect my private information", then they have far too much of my private information.
When someone mines your profile, they'll grab all your photos and the tags on them. People will create huge databases of photos and who's been tagged in them. To pass the security checks, the hacker just has to look up the photo in the database and reply with the right tag.
Why wouldn't this work?
Half of my "friends" have a picture of their child instead of themselves for their profile picture. One couple, I kid you not, both have the exact same picture of their baby in their profile. If it gets around to pictures where someone's been tagged, God forbid, it'll be idiots who tagged me so that I'll see the picture because they're too stupid to hit "share", or the cartoon panels with "the babe, the ditz, the idiot, etc." where all their friends are tagged.
Holy shit, facebook makes people mouth-breathing stupid.
Do you have ESP?
This was deployed in the Vancouver area for a small stint a month or two again. I was asked to verify someone's picture who I know religiously untags all photos of herself. Hmmmm.
GET YER TIN FOIL HATS!
You are on their list. And do you know why? Because you were betrayed by people you trusted. They "named names".
Princess Leia: The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.
I am getting really darn sick of Facebook.
I'm down to posting an interesting picture every few days.
I no longer play any of the games.
I do NOT WANT TO BE UNIQUELY IDENTIFIED.
I WANT MY PRIVATE LIFE PRIVATE.
I DO NOT WANT TO BE JUDGED BY EMPLOYERS AND OTHER PEOPLE IN 10 YEARS FOR THINGS I DID TODAY.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Enough already...
I swear the media should stop reporting everything Facebook does (or not).. it is just free advertisement for them...
So wooohoo Facebook FINALLY was arsed (out of their busy personal data resale business) to modify a couple config files to enable HTTPS and now Facebook is HTTPS compliant, so are alot of other sites big fucking deal!
Media reporting on Facebook are, with the user, what keeps the cancer growing.
And if you are than you obviously don't even care about this, something that should have been done years ago.. (HTTPS)
Shame people willingly sacrifice privacy for convenience.
There's no way someone could have tagged a picture of a toy or other inanimate object as a person on my friends list...
so all the 'friend whores' who have 87239872347+ friends, non of whom actually are real friends... are now locked out of their accounts! Karma's a B*&Ch.
HTTPS option doesn't appear in Security panel in Canada. What countries was this rolled out to?
Most people I know have like over 300+ friends on their fb. Out of the 300+ they probably only really know 50 by name - the others are random acquaintances - people they met in bars, people they met on other Internet websites, etc.
This Social Login has been around for months, I remember seeing it in July when I was on holidays. As far as I know, this only happens when you try to log in from a country other than the one you usually log in from.
we noticed this at work by accident, when we could get by the company firewall (we're in IT)
the https site doesnt have https links so clicking on ANYTHING goes back to unsecure. Also what if your friends are fucking dumbshits and post pictures of their friends in their pictures - i got asked picture questions like this trying to log in from another state, and its stupid as shit.
You're just relating the most recent news you heard to what has now been announced.
Just because you lack information it doesn't mean that you have to force whatever tiny bit you know to explain everything else.
Check this out:
http://www.theatlantic.com/technology/print/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/
Why not make it so that, when they implement this feature, you get an alert to tag (three/six/nine/etc) photos of yourself that you want to show up on your friends verification screen. This way it gets rid of all the 'omg my friends tag me in photos they want me to seeeeeeeee!' complaints (well, for those people who aren't dicks about it).
These new features are a response to an attempt by Tunisian Internet censors tried to steal the Facebook passwords of everyone in the country to disrupt the protests against the government.
I don't have friends on facebook !
Just adding the 's' on the profile page doesn't work for me... I add the s, hit reload, and it takes me back to the "news" (wall?) page instead of the profile page. I've tried bookmarking the profile page with the 's', and FB messes up (I've ended up in freakin PHOTOS instead of profile). Plus, if you TRY to edit your profile, the yellow yield sign pops up saying that action can't be performed (just like the chat notification).
Again, though, you ALSO lose ads with https, which I consider a plus ;D
I remove the 's' from https, and it all works as intended (including the blasted ads if I have ABP disabled). I'll be checking FB over the next few days to see if things improve. I don't really care that much since my FBs are 'fake' and nothing on them is real, and even if they beef up security, I expect the privacy problems (can they sell your info) will still be a problem. However, I hate that people were dying (or being incarcerated) for posting on FB in other countries, so I support any security measures MZ attempts.
What about this scenario:
1. Hacker Application tries to log in.
2. H-A get a picture with faces along with names.
3. H-A store the picture locally, recognize the face and tags it with the possible names.
4. Go to step 1 until it's able to recognize the face.
There is an extension for Chrome (Use HTTPS) which forces https for Twitter and Facebook by default. You can also add more sites.
Those aren't the only two options.
For example, passwords are neither public nor private info.
Expert in software patents or patent law? Contribute to the ESP wiki!
This is a nice way for Facebook to get rid of all those fake accounts. No matter what info you posted, your friends will answer security questions enough times (in)correctly for their engine to decide which information was truthful.
If I was an evil mastermind behind this would be a nice moment for diabolical laughter.
I dropped my FB account a few months ago because I finally decided that it wasn't worth it, and it ticked me off that I had an almost obsessive urge to check my phone for updates every 3 minutes. For someone like me the social login wouldn't be too bad, I made it a point to only friend people that I know in the real world. Depending on how the login works I don't know or remember their full names so if it is looking for the person's full name or just first name that makes a difference. My last name is 12 characters, so good luck trying to remember that or typing that in correctly.
Now lets talk about some of the other folks that I knew on FB, mostly women/girls that would friend anyone and everyone that they had a class with, met at a party, etc... in other words, a bunch of people that they don't know. This is going to to over great for them because they won't have a clue who some of the pictures are, not to mention most pictures are group shots with several people in them anyway...which one is the person they are supposed to ID. Maybe its FB's way of getting people to only post pics of themselves as their profile pic. I personally hated it when someone would use pics of their kids because when you think you know who the person was but the pic is absolutely no help I just moved along. Maybe FB is trying to curb users from friending anyone that sends a request. I think this is going to cause more outrage than acceptance on the site, and is yet another reason that I'm glad I'm no longer a member.
I got hit by this yesterday. Friend of mine picked up some malware on his PC that posted to his wall and sent messages to everybody on his friends list with a link to Yet More Malware. Since I was on his friends list FB forced me to change my password and certify that I'd changed my email password and scanned my PC for viruses - I only access FB with a Linux box but scanned it anyway just for fun ;-)
All was good until I got to the facial recognition thing. They sent me pictures of a buncha people I'd never seen - since you can tag any photo with any name I got three pictures of people I'd never seen before - at least they'll let you opt out and do CAPTCHA as the facial recognition thing was an epic fail for me.
we see things not as as they are, but as we are.
-- anais nin
Yes, I really see this working for people like me. I litterly have 1000's of contacts on facebook, because a few job sites I work at have had the great idea that it's the best way to collaberate on projects when us developers are spread around the world. A few organizations that I belong to also use facebook as a primary means of communications, so I get a few dozen people that I don't really know, but want to have a conversation with. Sure, ones that I've dealt with recently I may recognize if it's their profile picture, but if it's a grainy family photo, then I probably wont recognize them. What about photos that have 2 friends in them, with only one person tagged, and both names come up?
The end of everyone having a million friends they barely know will be awesome. This will force everyone to have only the friends they can remember as friends....I complained about this a long time ago, being the sore spot for me about facebook....now watch as many will not be allowed into their accounts as they forget who the last 100 friends they added are...and can't remember their names....LOLOL
too funny!
I hate facebook, i hate facebook, i hate facebook (click my heels together)
I figured the same thing. Irritating that facebook still doesn't support encrypted chat traffic.
But in such a case, it's not like there's anything new. NoScript, for instance, has been able to force seamless https on Facebook for months.
Half my FB friends are people I added from another online forum we belong to. The other half are HS friends I knew 30 years ago. One of them has a picture that I think is two human beings. I've been told that it's her & her 8 y/o son, but I can't tell that from the pic, let alone recognize her. Another has recently died her hair, and looks a lot like another who hasn't. My own picture was taken with an iPhone is bad light; I bet most of my friends couldn't recognize me from THAT.
I just can't see this working.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
facebook has already a face detection algorithm used to help tagging uploaded photo collectiosn. They should use it in their captcha system too.
also, as pointed out by the next reply bellow, problems will also come from remote friends (the kind of friend you invite only to expand your farm). This too should require some hacking (like selecting only the most revelant friend based on shared common - the same kind of stuff facebook is already using for suggestions)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The social login is not new -- they've used it for location verification for a long time, if you suddenly log in from, say, another town within the same day. My pet peeve is that some profile pictures don't contain actual faces, and some tagged pictures are tagged incorrectly -- so sometimes there's no way to correctly ID a person. You are allowed a few misses, but it calls for (a) Facebook to perform facial recognition to make sure the pictures they show at least show recognizable faces, and (b) for us to prune friends list to keep only those contacts whose profile pictures we recognize (either because it's their actual face, or because one knows them well enough to recognize silly non-facial logos)
Michel
Fedora Project Contribut
What good is HTTPS if the security risk is coming from WITHIN? (am reminded of the "killer is on another phone in the house" Urban Legend...
E8B8B