So Facebook wants me to install yet another permissions-greedy app just to read messages? That is so frustrating! So no, don’t think so guys. I’m putting Facebook back into the (slightly) safer sandbox that is the mobile web;
So thanks for reminding me why I love my mobile browser that much Facebook!
Does Facebook want its chat back?
I’m pretty pissed. A couple of months ago I configured Thunderbird to connect to Facebook’s XMPP-powered chat. I did get logged out sometimes, with mails from Facebook saying someone tried to access my account from an unknown location. Given the origin IP-address mentioned (in the private 10.x.x.x-range), this looked like a Facebook-internal problem (between their XMPP & Authentication servers).
Things have however taken a turn for the worse now; I’m not only getting logged out from Facebook on my 3 devices (work Win XP PC, home Ubuntu netbook & Android smartphone), I’m now even getting locked out of my account altogether, having to change my password on my smartphone (as that one has the OTP generator in the Facebook app). This happened 4 times in the last week and it is so frustrating that I disabled Facebook Chat in Thunderbird. And maybe that’s just what Facebook is aiming for; encouraging users to use Facebook Chat in a Facebook-owned/-controlled context instead of in a neutral, ad-free 3rd party application? Wankers!
Now you can have my Facebook password as well!
It’s been almost a year since I volunteered to give my readers my Google password, after enabling 2-step verification that is. I ended the blogpost on that topic with
And now off to Facebook security settings, to enable login notifications & approvals.
And although I did activate “login notifications” at that point, I did not enable approvals (for reasons I don’t remember, maybe I was just being lazy).
Fast-forward to yesterday evening, when I received a mail from Facebook that stated that my account was temporarily locked because it was logged into from a location I had never used before. I immediately changed my password and finally enabled “login approvals” this morning as well. “Approvals” sends a security code via SMS when logging in from an unknown location, which you’ll have to enter before effectively logging in. I was pleasantly surprised to see Facebook added a Google Authenticator-like code generator to their Android and iOS apps that you can use to generate a security code as well. Adding the extra security of login approval is easy enough. If you’re on Facebook or Google, you really should consider enabling those (with or without their respective smartphone-based security code generators).
One downside though; using an external chat client (Mozilla Thunderbird in my case) to access Facebook Chat over XMPP doesn’t work any more as Facebook doesn’t provide “application specific passwords” like Google does. Update: as Jensen points out in the comments below, Facebook does have application passwords, so I re-enabled Facebook Chat in Thunderbird. But that might be a good thing anyway, as the warning mail I received from Facebook seems to refer to the use of Facebook chat over XMPP;
It looks like someone logged into “Rtgw_xmpp_username_password_login” on Wednesday, November 14, 2012 at 9:04pm.
Not 100% sure if this was a real login attempt or a false positive, but apparently I’m not the first one to receive such a warning.
Hey! Widgets! Leave our privacy alone!
After having NoScript disable the Facebook Like widget a couple of weeks ago, I felt really bad for Mark Zuckerberg who must have been feeling singled out by my actions. If only to make all widgets equal and as I don’t use them anyway, I’ve now told NoScript (only available in Firefox) to also block the Google+ and Twitter widgets with the following ABE User ruleset (under NoScript Advanced options):
# also stop google+ widget
Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
# and twitter
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
You can have my Google password!
Although web security is something I like to dabble in, I can’t honestly say it always is on the top of my mind. Up until an hour ago, access to the vast amount of information that Google manages for me (including access to my Google Android account) was protected by nothing but a password. A rather strong password for that matter, but it wasn’t entirely random and it has been the same for quite some time now.
As access to important online services such as Google should ideally not only rely on just a password (session hijacking anyone?), I activated Google 2-step authentication. What this means is that access to Google (Mail, Docs, …) is now also limited to authenticated devices. If I try to access Google from another computer, I’ll have to authenticate the device using an SMS-challenge or a code generated by the Google Authenticator application on my Android-phone.
If you’re still unsure about what 2-step authentication entails, here’s a brief intro-video from Google:
So yeah, you can have my password now. Theoretically. If you really insist. But even if I do decide to give it to you, you still won’t be able to access my account. How’s that for peace of mind? And now off to Facebook security settings, to enable login notifications & approvals.
Remove Facebook like buttons with NoScript
If you don’t like Facebook’s omnipresent Like widgets (there were already plenty of reasons why not to like them and last week’s cookie-debacle only added to that conclusion) and if you already use NoScript so you don’t want to install another plugin (like Ghostery, which reports any tracking activity and allows you to block it), you can put this in NoScript’s ABE user ruleset (NoScript Options -> advanced -> ABE);
# Allow Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
This tells NoScript to allow Facebook scripts (you know, to visit facebook.com), but to stop them from being included in other sites. I guess with NoScript’s surrogate scripts one might even be able to replace Facebook’s Like-widget with one that just shows the old-fashioned (and harmless) share-button. Now wouldn’t that be fun?
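To make concrete what the two ABE rulesets on this page (the Google+/Twitter one in the widgets post and the Facebook one above) actually decide, here is an added example, not NoScript’s own engine, that parses that rule syntax and evaluates an inclusion request the way the rules are explained here: a `Site` line names the protected targets, `Accept from` lists origins that may still include them, and `Deny INCLUSION(...)` blocks the listed inclusion types from everyone else. The first-match evaluation order and the assumption that a leading dot matches the domain and its subdomains while a bare host matches exactly are this model’s simplifications; the embedded rule text is the page’s own.

```python
"""Toy evaluator for NoScript ABE user rules (added example, simplified model).

Semantics modelled: within the first Site block whose targets match the
requested host, an Accept origin wins, otherwise a Deny covering the
inclusion type blocks it; anything no rule mentions is allowed.
"""
import re
from dataclasses import dataclass, field

# The rulesets from this page, used here as sample input.
PAGE_RULES = """
# Allow Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

# also stop google+ widget
Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

# and twitter
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
"""


@dataclass
class AbeRule:
    sites: list[str]                                   # protected targets
    accept_from: list[str] = field(default_factory=list)
    deny_types: set[str] = field(default_factory=set)  # "*" = every inclusion type


def host_matches(pattern: str, host: str) -> bool:
    """Assumed matching: '.facebook.com' covers facebook.com and subdomains;
    a bare host name matches that host only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_abe(text: str) -> list[AbeRule]:
    """Parse Site / Accept from / Deny INCLUSION(...) lines; '#' starts a comment."""
    rules: list[AbeRule] = []
    current: AbeRule | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        keyword = words[0].lower()
        if keyword == "site":
            current = AbeRule(sites=words[1:])
            rules.append(current)
        elif current is None:
            raise ValueError(f"directive before any Site line: {raw!r}")
        elif keyword == "accept" and len(words) >= 3 and words[1].lower() == "from":
            current.accept_from.extend(words[2:])
        elif keyword == "deny":
            if len(words) == 1:                         # bare Deny: all types
                current.deny_types.add("*")
                continue
            m = re.fullmatch(r"INCLUSION\(([^)]*)\)", " ".join(words[1:]), re.IGNORECASE)
            if not m:
                raise ValueError(f"unsupported Deny form: {raw!r}")
            current.deny_types.update(t.strip().upper() for t in m.group(1).split(","))
        else:
            raise ValueError(f"unknown directive: {raw!r}")
    return rules


def is_allowed(rules: list[AbeRule], origin_host: str, target_host: str,
               inclusion_type: str) -> bool:
    """May a page on origin_host include inclusion_type content from target_host?"""
    for rule in rules:
        if not any(host_matches(p, target_host) for p in rule.sites):
            continue                                    # rule does not protect this target
        if any(host_matches(p, origin_host) for p in rule.accept_from):
            return True                                 # trusted origin, e.g. facebook.com itself
        if "*" in rule.deny_types or inclusion_type.upper() in rule.deny_types:
            return False                                # third-party widget blocked
        return True                                     # type not covered by the Deny
    return True                                         # no rule: default allow


if __name__ == "__main__":
    parsed = parse_abe(PAGE_RULES)
    for origin, target, kind in [("www.facebook.com", "www.facebook.com", "SCRIPT"),
                                 ("example.org", "connect.facebook.net", "SCRIPT"),
                                 ("example.org", "platform.twitter.com", "SUBDOC")]:
        print(f"{origin} -> {target} ({kind}): {'allow' if is_allowed(parsed, origin, target, kind) else 'deny'}")
```

Running it shows the intended effect of the ruleset: facebook.com can still load its own scripts, while a blog on example.org embedding the Like widget from connect.facebook.net is refused; an image from facebook.com on that blog still loads because only SCRIPT, OBJ and SUBDOC are denied.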
Out with Google Plus, in with Yammer
I’m not a social network expert by any measure, but it seems to become clear that although the initial enthusiasm among the geek-crowd was big, Google Plus isn’t cutting it in the real world. I don’t have a Plus-tab open in my browser any more and when I do go Plus, there isn’t a lot going on in my circles which I want to participate in.
Compare that to the way Yammer took off at the company I work for; in less than a month’s time 800+ colleagues (out of approx. 1500 employees) joined and we’re getting to know new colleagues, discussing more or less work-related topics (1500+ messages) in the open or in multiple interest-specific groups (15 at this moment). Good times!
I don’t know how Yammer is doing in other companies in Belgium (and Europe by extension), but to me it seems that Yammer succeeds where Google Plus is failing; bringing together a group of people (in a more or less “private” environment) that share a common context but who didn’t share a social network before and allowing them to engage and to create engagement.
Google Plus might be neat from a technology & privacy point of view, but it essentially was (and still is, I guess) a “me too” exercise, trying to occupy a market that has already very successfully been taken by Facebook & Twitter. And yes, Yammer does have an API.
Google Security says “Thanks Frank”
A few weeks ago I received the following in a mail from Google;
As a small token of appreciation for helping keep Google’s users safe and secure, we’d like to credit you on our website.
And indeed, yesterday my name was added to the “Honorable Mention” paragraph on Google’s Security Hall of Fame.
I don’t consider myself a security expert by any measure (although I am very interested in web app security) and I discovered that vulnerability in the iGoogle Facebook gadget merely by chance, but it’s nice to see my name (and a link to this blog) up there! Thanks for thanking me Google!
Blog Action Day about Water coming up
Just to say that on 15 October (Blog Action Day) I’ll be writing something edifying about water here. Maybe about bottled water and the Facebook page “100.000 leden voor kraantjeswater in restaurants” (100,000 members for tap water in restaurants)?
You really should go and have a look at that page, by the way; then you’ll see how, as the Communications Big Shot of, say, a bottled-water company, you should not deal with social media. As a backlash you might even turn into a “tap-water fan”, even if all that Facebook-fan business isn’t in your genes.
The rest is for the 15th and for “Water no get enemy” by Fela Kuti, here performed by his son Femi and a handful of noble unknowns;
StuBru, Facebook and why we need (something like) Diaspora
We were surprised when our website got deleted, but we’re even more pleasantly surprised to be back.
“When our website got deleted”, seriously Stijn? A Facebook-page isn’t a website and it isn’t yours either, ultimately. When on Facebook you are (and I am) at the mercy of a private company that has absolute power over anything you do on its premises. Facebook decides what pages look like, Facebook decides what you can and cannot post and Facebook reserves the right to expel you from their community for whatever reason they do or don’t come up with.
Given the increasing importance of social networks in our lives and economy (and the never-ending privacy problems with Facebook), I do believe that we’d be better off with an open, decentralized system which does not have a sole (commercial) owner with absolute power. That’s why it’s a good thing that Diaspora exists, even if the alpha code they released a couple of days ago is not up to expectations. That’s why status.net (and identi.ca) are great. And that’s why OStatus, an open standard for following friends and sharing statuses on distributed social networks which is already implemented in status.net and which will probably go into Diaspora as well, is incredibly important.
And on a vaguely related note; that Facebook-movie by Aaron Sorkin and David Fincher looks great, doesn’t it: