Facebook’s History of Spying

Reading Wikipedia this morning, I came across an interesting tidbit from the days when facebook was still thefacebook.com. As seen in The Social Network, after launching the site Mark Zuckerberg was under investigation for potentially stealing the idea from the Winklevoss brothers.

Not covered in the movie, though: while this investigation was going on, Zuckerberg did some investigating of his own by accessing the email accounts of the investigators:

Zuckerberg knew about the investigation so he used TheFacebook.com to find members in the site who identified themselves as members of the Crimson. He examined a history of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. In the cases in which they had failed to log in, Mark tried to use them to access the Crimson members’ Harvard email accounts, and he was successful in accessing two of them. In the end, three Crimson members filed a lawsuit against Zuckerberg which was later settled.

~ The History of Facebook, Wikipedia

The way I read this, thefacebook.com was logging failed passwords! Meaning, when you entered an incorrect password on thefacebook.com’s login page, the website would save the text you entered. Obviously websites have to keep some record of your password in order to authenticate you, but passwords are normally stored as one-way hashes so that even the site’s developers cannot recover the original text. The Wikipedia article doesn’t say whether or not regular passwords were stored that way.

However, if you were intending to use a website you created to log into the email accounts of the site’s users, collecting the passwords that failed would give you more candidates to try when logging in to those users’ third-party email accounts, since people so often mistype or reuse a password from another service.

Zuckerberg was caught breaking into 2 accounts, but one has to wonder how many other accounts he broke into. Remember, in 2004 (prior to Gmail), email accounts did not have 2-factor authentication, they did not detect suspicious login activity, and they did not have the security features we’ve come to take for granted. Anybody could log into anybody else’s email account undetected.

Password security is the most basic of implicit trust between a website and its users. A site that is logging passwords and password attempts cannot be trusted, period.
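To make the point concrete, here is an added example (not code from the post, and obviously not thefacebook.com’s code) of a PHP login handler that records failed attempts for auditing and rate limiting without ever writing the submitted password anywhere. The user table and the `record_failed_login` / `authenticate` function names are constructed for the demo.

```php
<?php
// Added example: failed-login auditing that never stores the attempted
// password. Stored credentials are one-way hashes (password_hash), so neither
// a successful nor a failed attempt leaves plaintext behind.

// Constructed user table; the hash is generated at runtime for the demo.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];
// Dummy hash verified for unknown users so response time does not reveal
// whether an account exists.
$dummy_hash = password_hash('dummy', PASSWORD_DEFAULT);

// Audit record of a failed attempt. Deliberately has no password field:
// username, source address and time are enough for lockout and monitoring.
function record_failed_login(string $username, string $remote_addr): array {
    $entry = [
        'event' => 'login_failed',
        'user'  => $username,
        'ip'    => $remote_addr,
        'time'  => gmdate('c'),
    ];
    error_log(json_encode($entry)); // or append to an audit table
    return $entry;
}

function authenticate(array $users, string $dummy_hash, string $username,
                      string $password, string $remote_addr): bool {
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['hash'] : $dummy_hash;
    if (password_verify($password, $hash) && $known) {
        return true;
    }
    record_failed_login($username, $remote_addr);
    return false;
}

var_dump(authenticate($users, $dummy_hash, 'alice', 'wrong guess', '203.0.113.5'));            // false, logged
var_dump(authenticate($users, $dummy_hash, 'alice', 'correct horse battery', '203.0.113.5'));  // true
```

A quick check on any site you run: grep the authentication logs and database for anything that looks like a submitted password; the only thing a failed login should ever persist is who, where and when.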

Who knows if or how the culture at Facebook has changed. Nevertheless, if the company’s CEO was willing to exploit users for personal gain in the early days, what sort of things are they willing to do when governments or other powerful entities pressure them?

Ads Don’t Work

There has been a lot of hubbub on the internets today about web ad/tracker/content blocking. It seems that 36 hours of full-on iOS 9 content blocking was enough to cause every single ad-supported publication to collectively lose their shit. Imagine how abysmal the ad numbers must have been for Marco Arment to pull his highly successful iOS 9 content blocker.

I started blocking ads over a month ago (based largely on Marco’s advice) and I’m not going back!

I don’t feel bad about it.

Banner ads do not work.
Showing me ads for a product I just bought on Amazon… on every website… for the next month… is a dumb waste of everyone’s bandwidth, resources and money. Nobody has clicked on a banner ad in at least 10 years, at least not by choice. And haven’t publishers been complaining about not making any money off of banner ads since the beginning of internet time?

Make up your mind publishers. Are you making any money off shitty low-quality, data stealing, phone crashing ads? Or are ad blockers THE END OF THE INTERNET AS WE KNOW IT?! OMG!1!1!11

Do you know what works?

  1. Native advertising. (except native advertising is generally bad)
  2. Getting content consumers to pay for stuff.

That’s right, I am suggesting that people would pay for ad-free web experiences. Why not have an ad-free version for a small monthly payment? It has worked for services like LiveJournal, Flickr and Reddit for years.

I am surprised that in 2015 we still haven’t cracked the micropayment promise of 2005: the promise of a world where sites load unencumbered by 33 JavaScript includes, where publishers make decent money without selling out their readers. Hell, in a world where I pay $8 to Netflix instead of $70+ to a cable provider for video entertainment, I have a few extra dollars to spend on the sites I value the most.

astsu: why Mr Robot is the most tech-savvy show ever

I finally watched the pilot episode of Mr Robot and I was totally blown away by the way they handle the hacking aspects of the show. If you haven’t seen the show, the main character is a professional security engineer by day and a “cyber vigilante” at night. It’s great!

Every aspect of the way he goes about his job is authentic (+/- reasonable poetic license), from social engineering techniques and password cracking right down to the command line.

As an example of authenticity + poetic license = tech-savviness, throughout the pilot the lead character uses a command: `astsu`. astsu is not a real Linux command and it’s not totally clear what it does. However, the way he uses it is totally legit. He doesn’t use it when other commands would do the job, and the arguments he passes to it look believable for something vaguely network/security related. We can assume that this command is code he’s written himself. The command is basically a plot device for the nerds who will notice this sort of thing.

The writers/producers/whoever demonstrate incredible attention to detail and authenticity. I’m definitely going to continue watching.

Oh, the soundtrack is perfect too.

Today I Block Ads

Marco Arment just published a post on The ethics of modern web ad-blocking.

His opening position is pretty similar to my own: I’ve been a long-time advocate of not blocking ads. In the past, I have also put food on the table via ad revenue. Until today, I have been morally opposed to blocking ads.

Nobody could blame the users of yesteryear for killing pop-up ad rates, and nobody should blame the users of 2015 for blocking abusive, intrusive, misleading, and privacy-stealing ads and trackers, even if it’s inconvenient for publishers and web developers.

PS. Ghostery is great!

Using Jetpack’s Photon CDN to host images in custom WordPress themes

Photon is a great free image CDN that you can use with any self-hosted WordPress install via Automattic’s Jetpack suite of plugins. Photon uses wordpress.com’s infrastructure to serve your site’s images from one of the fastest CDNs in the world.

I highly recommend enabling it on every WordPress install. If your site is on cheap shared hosting, it will dramatically improve page load times. If you’re hosting a huge news site, it’ll save you loads of money.

By default, Photon automagically serves any images embedded in or attached to a WordPress post or page, including featured images, galleries and third-party sliders. Due to the nature of WordPress hooks and filters, it’s not possible for Photon to grab images stored in post meta fields, or any images that are part of theme template files.

I’ve written a gist that exposes Photon’s CDN wrapper as a simple function you can call in templates:
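The following is an added example of such a helper, not the author’s gist. It relies on Jetpack’s own `jetpack_photon_url()` function (real, provided when the Photon module is active) and on WordPress core functions; the theme function name `mytheme_cdn_img` and the `hero_image` meta key are assumed for the demo.

```php
<?php
// Added example (not the author's gist): run any image URL through Photon when
// Jetpack's Photon module is active, fall back to the original URL otherwise.
// Escaping the output with esc_url() keeps an untrusted meta value from
// injecting markup into the template.
function mytheme_cdn_img( $url, array $args = array() ) {
    if ( function_exists( 'jetpack_photon_url' ) ) {
        // $args are Photon query parameters, e.g. array( 'w' => 600 ) to
        // have the CDN resize the image instead of shipping the full file.
        $url = jetpack_photon_url( $url, $args );
    }
    return esc_url( $url );
}

// Usage in a template: an image stored in a custom post meta field, which
// Photon's content filters would otherwise never see. 'hero_image' is an
// assumed meta key.
$hero = get_post_meta( get_the_ID(), 'hero_image', true );
if ( $hero ) {
    printf(
        '<img src="%s" alt="%s">',
        mytheme_cdn_img( $hero, array( 'w' => 1200 ) ),
        esc_attr( get_the_title() )
    );
}
```

Because of the `function_exists` check, the template keeps working (with the original, un-CDN'd URL) if Jetpack is deactivated or the Photon module is switched off.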

Relevant Jetpack documentation.