Categories
Websites

Facebook Security Still Lacking

In October I blogged about Firesheep, a Firefox plugin that highlights the inherent vulnerabilities in the way that Facebook and other websites handle sessions. TL;DR – Install the extension and with a click of a button you can capture un-encrypted Facebook sessions of any user using a WiFi network you’re connected to (read the full post for all the details). For research purposes, when a friend of mine was at Pearson a few months ago he fired up Firesheep and instantly had access to several dozen Facebook accounts.

This is bad, very bad.

To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.
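The mechanism the paragraphs above describe, written out as an added example (this is not code from the original post or from Facebook): a session cookie set without the `Secure` attribute is sent over plain HTTP, which is exactly what a passive capture on an open WiFi network picks up; a `Secure` cookie combined with a redirect from `http://` to `https://` never puts the session identifier on the wire in the clear. The hostnames, cookie names and response headers below are constructed placeholders.

```javascript
// Added example (not from the original post): audit session-cookie attributes
// and the HTTP-to-HTTPS redirect that makes a "secure connections" option effective.

// Parse one Set-Cookie header value into its name, value and attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report which cookies in a response can be captured on an unencrypted link:
// without "Secure" the cookie is also sent over plain HTTP; without "HttpOnly"
// it is additionally readable by any script running on the page.
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map((header) => {
    const c = parseSetCookie(header);
    const problems = [];
    if (!c.attributes.secure) problems.push('missing Secure (sent over plain HTTP)');
    if (!c.attributes.httponly) problems.push('missing HttpOnly (readable by script)');
    return { name: c.name, problems };
  });
}

// True when a plain-HTTP response is a redirect to an https:// location, which is
// what an "always use HTTPS" setting has to produce for every http:// request.
function redirectsToHttps(status, headers) {
  if (![301, 302, 307, 308].includes(status)) return false;
  const location = headers.location || headers.Location;
  return typeof location === 'string' && location.startsWith('https://');
}

// Constructed sample responses (placeholders, not captured from any real site).
const insecureResponse = {
  status: 200,
  headers: {},
  setCookie: ['sid=abc123; Path=/; Domain=.example.com', 'lang=en; Path=/'],
};
const hardenedResponse = {
  status: 301,
  headers: { location: 'https://www.example.com/' },
  setCookie: ['sid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly'],
};

function demo() {
  return {
    insecure: auditCookies(insecureResponse.setCookie),
    hardened: auditCookies(hardenedResponse.setCookie),
    insecureRedirects: redirectsToHttps(insecureResponse.status, insecureResponse.headers),
    hardenedRedirects: redirectsToHttps(hardenedResponse.status, hardenedResponse.headers),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and the report lists the `sid` cookie of the first response twice over (no `Secure`, no `HttpOnly`) and passes the second response cleanly; the same two checks are a quick way to verify any site's "HTTPS only" option actually covers the session cookie rather than just the login page.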

Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!

Sad.

I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.

My suggestion would be to display some sort of alert when you navigate away from the app, with a one-click solution for re-enabling HTTPS.

Categories
Tips & How To's Websites

Facebook Now More Secure

In a blog post today Facebook detailed some of their new security improvements:

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.

Enabling this option will effectively protect you against Firesheep and similar account hijacking methods. I think it’s fairly safe to assume this feature is a direct response to Firesheep, even if it seems to have taken them 4 months to roll out. Though, it could also be a response to Zuckerberg’s account hack yesterday.

I’m going to go one step further than Facebook and say, you should absolutely enable this option as soon as it’s available to you.

Categories
Culture Tips & How To's Websites

Thought of the Day: Newspapers Websites

I’ve posted about newspapers before; the industry’s seemingly imminent collapse and lack of success online are interesting problems to me. As far as I’m concerned, newspapers (and “old media” in general) are still a relevant source of information and there’s really no reason they should be dying.

As Erica Glasier put it on her blog the other day:

They take raw information and give it the context that years of newsgathering provides, and the clout of accuracy commiserate with the individual media org’s brand.

The Problem

I am under the impression that newspaper websites are struggling to make ends meet because online ad revenue is not making up for their losses in print distribution. On top of that, in their attempt to keep up with the times by adding commenting functionality to their sites, they’ve degraded the experience of their online presence. Much to nobody’s surprise, news site comments are often filled with trolls, bigots, spam and other meaningless drivel.

My Thought

An extremely simple solution to address these two problems would be to charge a small monthly subscription fee for access to the commenting system. Somewhere around $3 – $5 per month.

Being required to go through an ecommerce transaction should be enough to deter outright viagra-selling spammers who depend on bots and cheap labour to blanket the internet with spam.

But also, in theory this small fee should discourage trolls and other nuisance commenters who are likely to register an account on a whim if registration is free and easy. These same types of people would be very unlikely to shell out a few bucks just to spew racial slurs. In the case that a fee isn’t enough to discourage unwanted commenters, having an account tied to a credit card makes it much easier to ban an individual; it’s quite a lot more difficult to get a new credit card number than it is to get a new email address and register another account. Sites like Metafilter have been using this tactic for years.

Would anyone actually pay to comment?

I’m really not sure, but I think it’s worth a shot. It’s clear that blanket paywalls don’t really work – they sort of break the internet and nobody wants to pay just to read an article similar to another one posted elsewhere for free. Blocking comments on controversial topics works to a degree, but reasonable dialogues about controversial issues are often fascinating.

I believe that every newspaper has a core audience who would pay a small fee to comment.

Categories
Links Websites

This Week I Learned

Turns out being a dad and employed full time leaves little room for things like long blog posts. I came across a number of particularly fascinating things this week in my travels on the information superhighway.

  • Monday: Protocol relative URLs
    Turns out, you can leave out the protocol (http, https, ftp, etc) when including a URL in HTML and the browser will figure out what to do with it. This is particularly useful when including unsecured content on a secure page. I’m sure knowing this years ago would have saved me one or two headaches.
  • Tuesday: What Jason Calacanis Learned From Zuckerberg’s Mistakes
    In his weekly LAUNCH newsletter Calacanis talks about his take on rollout hiccups and privacy mistakes Facebook has made over the years. In his educated opinion “Facebook’s success — and mistakes — are based on its developer-driven culture, not because Zuckerberg is some evil mastermind.” Essentially, Facebook developers have historically been allowed to roll out new features with little to no oversight, allowing the site to iterate quickly, keep ahead of the competition and occasionally annoy foreign governments. He makes a convincing argument.
  • Wednesday: How a quartz watch works
    I already had a rough understanding of the piezoelectric effect as used inside digital watches; the video does an excellent job of explaining the concept. As usual, reddit commentary filled in the gaps, explaining in detail exactly how the electronics translate the quartz vibration into time.
  • Thursday: Google Bookmarks exists
    Someone leaked that Yahoo! would be shutting down delicious and the internet lost its ever-loving mind! Turns out there’s some hope for delicious. Anyways, I haven’t used delicious much since the days it was still called del.ico.us. As far as I can tell, Google Bookmarks has done a pretty good job of pulling out delicious’ most useful features, plus you get the added bonus of having your bookmarks appear at the top of Google results when your search is relevant – if you’ve ever starred something on a search results page you’ll already have some links in Google Bookmarks. I had actually been looking around for a good bookmark service, so this discovery couldn’t have come at a better time.
  • Friday: Word Lense
    This iPhone (3GS+) app instantly translates text on-screen. As in, you point your iPhone at a Spanish sign and the words are replaced onscreen with the English translation. This is easily the most impressive augmented reality technology I’ve seen to date! We are truly living in the future.
    iTunes Link
  • Saturday: Boardgame Remix Kit
    I am a huge fan of the boardgame revival hitting nerdom over the past 10 years; as such, I’ve become quite bored of the classics like Monopoly, Clue(do), Trivial Pursuit and Scrabble. When I came across Boingboing’s post about the Boardgame Remix Kit I was absolutely blown away by the creativity and simplicity. The kit is a set of tweaks, mashups and completely new games built on 4 classic board games. It’s available as a PDF for £2.99 on the official site or as an iPhone app for £2.99 ($4.99 in the Canadian store). Both are beautiful.
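Monday’s item on protocol-relative URLs, shown as an added example (not code from the original post): the WHATWG URL API built into browsers and Node resolves a reference such as `//cdn.example.com/lib.js` against the scheme of the page that includes it, so the same markup loads over `https:` on a secure page and over `http:` on a plain one, which is what avoids the mixed-content warning. The block also shows the two caveats a practitioner runs into: a page opened from disk resolves `//host` against `file:`, and a protocol-relative link on an `http:` page resolves to `http:`, so the trick should be reserved for assets that are genuinely served over both schemes (today, simply writing `https://` is the safer default). All hostnames and markup are constructed placeholders.

```javascript
// Added example (not from the original post): how a browser resolves a
// protocol-relative reference against the page that includes it.

// Resolve a src/href value the way the browser does for the given page URL.
function resolveReference(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

// True when including `ref` on `pageUrl` would pull a plain-HTTP sub-resource
// into an HTTPS page (the "mixed content" situation the Monday link addresses).
function isMixedContent(ref, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(ref, pageUrl);
  return page.protocol === 'https:' && target.protocol === 'http:';
}

// Rewrite absolute http:// and https:// references in a snippet of HTML to the
// protocol-relative form. Deliberately narrow (double-quoted src= and href= only)
// to keep the example readable; a real rewriter would use an HTML parser.
function toProtocolRelative(html) {
  return html.replace(/\b(src|href)="https?:\/\//g, '$1="//');
}

// Constructed sample markup (example.com hosts are placeholders).
const sampleHtml =
  '<script src="http://cdn.example.com/lib.js"></script>' +
  '<a href="https://www.example.com/about">About</a>';

function demo() {
  const securePage = 'https://www.example.com/page';
  const plainPage = 'http://www.example.com/page';
  return {
    // Same reference, resolved from a secure and from a plain page.
    onHttps: resolveReference('//cdn.example.com/lib.js', securePage),
    onHttp: resolveReference('//cdn.example.com/lib.js', plainPage),
    // Caveat 1: a page opened from disk resolves "//host" against file:, not http(s).
    fromFile: new URL('//cdn.example.com/lib.js', 'file:///tmp/page.html').protocol,
    // Before and after rewriting the script tag: mixed content goes away.
    mixedBefore: isMixedContent('http://cdn.example.com/lib.js', securePage),
    mixedAfter: isMixedContent('//cdn.example.com/lib.js', securePage),
    // Caveat 2: an https:// link rewritten to // is downgraded on a plain page.
    downgradedLink: resolveReference('//www.example.com/about', plainPage),
    rewritten: toProtocolRelative(sampleHtml),
  };
}

console.log(demo());
```

Running it under `node` prints both resolutions of the same reference side by side; the `downgradedLink` entry is the reason to rewrite only sub-resource `src` attributes rather than navigation links.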

There you have it, my week in links. This post contains something like 13 links in addition to the main links, I really suggest you click them all.

Categories
Apps Tips & How To's Websites

Gawker Hacks [update: no Digsby]

If you missed it, Gawker Media’s username/password database was hacked and passwords decrypted! This is very very bad. Lifehacker has a comprehensive post about the compromise.

They only left out one little piece of info: your password may have been exposed even if you’ve never logged in to a Gawker site. Multi-IM client Digsby is owned by Gawker and Digsby username/passwords are also in that database! Seriously, this is bad. No more blogging after midnight… This was totally incorrect, my apologies. I didn’t read the email very well (or possibly at all). Thanks for the comments from the Digsby team. I incorrectly made the connection based on the password Gawker had on file; it was an old password I was sure I had only ever used for IM clients.

Again, if this is the first you’ve heard this, here are the important links: