I’m pretty pissed. A couple of months ago I configured Thunderbird to connect to Facebook’s XMPP-powered chat. I did get logged out sometimes, with mails from Facebook saying someone tried to access my account from an unknown location. Given the origin IP-address mentioned (in the private 10.x.x.x-range), this looked like a Facebook-internal problem (between their XMPP & Authentication servers). Things have however taken a turn for the worse now; I’m not only getting logged out from Facebook on my 3 devices (work Win XP PC, home Ubuntu netbook & Android smartphone), I’m now even getting locked out of my account altogether, having to change my password on my smartphone (as that one has the OTP generator in the Facebook app). This happened 4 times in the last week and it is that frustrating that I disabled Facebook Chat in Thunderbird. And maybe that’s just what Facebook is aiming for; encouraging users to use Facebook Chat in a Facebook-owned/ -controlled context instead of in a neutral, ad-free 3rd party application? Wankers!
And now off to Facebook security settings, to enable login notifications & approvals.
And although I did activate “login notifications” at that point, I did not enable approvals (for reasons I don’t remember, maybe I was just being lazy). Fast-forward to yesterday evening, when I received a mail from Facebook that stated that my account was temporarily locked because it was logged into from a location I had never used before. I immediately changed my password and finally enabled “login approvals” this morning as well. “Approvals” sends a security code via SMS when logging in from an unknown location, which you’ll have to enter before effectively logging in. I was pleasantly surprised to see Facebook added a Google Authenticator-like code generator to their Android and iOS apps that you can use to generate a security code as well. Adding the extra security of login approval is easy enough. If you’re on Facebook or Google, you really should consider enabling those (with or without their respective smartphone-based security code generators). One downside though; using an external chat client (Mozilla Thunderbird in my case) to access Facebook Chat over XMPP doesn’t work any more as Facebook doesn’t provide “application specific passwords” like Google does. Update: as Jensen points out in the comments below, Facebook does have application passwords, so I re-enabled Facebook Chat in Thunderbird. But that might be a good thing anyway, as the warning mail I received from Facebook seems to refer to the use of Facebook chat over XMPP;
It looks like someone logged into “Rtgw_xmpp_username_password_login” on Wednesday, November 14, 2012 at 9:04pm.
After having NoScript disable the Facebook Like widget a couple of weeks ago, I felt really bad for Mark Zuckerberg who must have been feeling singled out by my actions. If only to make all widgets equal and as I don’t use them anyway, I’ve now told NoScript (only available in Firefox) to also block the Google+ and Twitter widgets with the following ABE User ruleset (under NoScript Advanced options):
# also stop google+ widget
Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
# and twitter
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
Although web security is something I like to dabble in, I can’t honestly say it always is on the top of my mind. Up until an hour ago, access to the vast amount of information that Google manages for me (including access to my Google Android account) was protected by nothing but a password. A rather strong password for that matter, but it wasn’t entirely random and it has been the same for quite some time now. As access to important online services such as Google should ideally not only rely on just a password (session hijacking anyone?), I activated Google 2-step authentication. What this means is that access to Google (Mail, Docs, …) is now also limited to authenticated devices. If I try to access Google from another computer, I’ll have to authenticate the device using an SMS-challenge or a code generated by the Google Authenticator application on my Android-phone. If you’re still unsure about what 2-step authentication entails, here’s a brief intro-video from Google: httpv://www.youtube.com/watch?v=rGnAg11uy7c So yeah, you can have my password now. Theoretically. If you really insist. But even if I do decide to give it to you, you still won’t be able to access my account. How’s that for peace of mind? And now off to Facebook security settings, to enable login notifications & approvals.
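Added example, not code from this post or from Google or Facebook: the code generator both of the posts above mention (Google Authenticator, and the Facebook app’s lookalike) produces a time-based one-time password as specified in RFC 6238, i.e. an HMAC-SHA1 HOTP (RFC 4226) over a 30-second counter, so the phone and the server agree on a 6-digit code without any network round trip. The base32 secret below is the RFC reference secret “12345678901234567890”, constructed here so the published test vectors can be checked; verify() is an assumed server-side check, not Google’s or Facebook’s code.

```python
import base64, hashlib, hmac, struct, time

# RFC 4226/6238 reference secret "12345678901234567890", base32-encoded the way
# Google Authenticator stores shared secrets (constructed for the test vectors).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32.replace(" ", "").upper())
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits)

def verify(secret_b32, submitted, at=None, step=30, window=1):
    """Assumed server-side check: accept the current step and `window` neighbouring
    steps to tolerate clock drift. compare_digest keeps the comparison constant-time;
    a real server must additionally refuse a code that was already accepted once."""
    t = int(time.time()) if at is None else int(at)
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, t + k * step, step), submitted):
            return True
    return False

if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32))
```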
If you don’t like Facebook’s omnipresent Like widgets (there were already plenty of reasons why not to like them and last week’s cookie-debacle only added to that conclusion) and if you already use NoScript so you don’t want to install another plugin (like Ghostery, which reports any tracking activity and allows you to block it), you can put this in NoScript’s ABE user ruleset (NoScript Options -> advanced -> ABE):
# Allow Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
This tells NoScript to allow Facebook scripts (you know, to visit facebook.com), but to stop them from being included in other sites. I guess with NoScript’s surrogate scripts one might even be able to replace Facebook’s Like-widget with one that just shows the old-fashioned (and harmless) share-button. Now wouldn’t that be fun?
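Added example, not NoScript’s code and not part of these posts: a small Python model of how ABE rules like the Facebook ruleset here and the Google+/Twitter ruleset in the post above are read and applied. A Site block is selected by the request’s destination host, its rules run top to bottom, the first rule whose “from” origin and INCLUSION type both match decides, and a request nothing matches is accepted. The host matching (a leading dot covers the domain and all subdomains, a bare host matches exactly) and these rule semantics are a simplified model assumed for the illustration, not NoScript’s implementation.

```python
# Rulesets copied from the two posts above (their comment lines dropped).
FACEBOOK_RULES = """Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)"""
WIDGET_RULES = """Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)"""

def host_matches(pattern, host):
    if host is None:  # top-level navigation: no including page, so no origin to match
        return False
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):  # assumed: leading dot covers the domain and subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_abe(text):  # -> [(site_patterns, [(action, origin_patterns, methods_or_None)])]
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head.lower() == "site":
            rules.append((rest.split(), []))
            continue
        methods, origins, rest = None, [], rest.strip()
        if rest.upper().startswith("INCLUSION("):  # e.g. INCLUSION(SCRIPT, OBJ, SUBDOC)
            inner, _, rest = rest[10:].partition(")")
            methods = [x.strip().upper() for x in inner.split(",")]
            rest = rest.strip()
        if rest.lower().startswith("from"):  # "from" restricts the rule to these origins
            origins = rest.split()[1:]
        rules[-1][1].append((head.lower(), origins, methods))
    return rules

def decide(rules, dest, origin, kind):  # kind: SCRIPT, OBJ, SUBDOC, DOC, ...
    for sites, body in rules:
        if not any(host_matches(p, dest) for p in sites):
            continue
        for action, origins, methods in body:  # first matching rule wins
            if origins and not any(host_matches(o, origin) for o in origins):
                continue
            if methods is not None and kind.upper() not in methods:
                continue
            return action
    return "accept"  # nothing matched: ABE's default
```

With these rules a Like-widget script pulled into some other site is denied, while visiting facebook.com directly, or facebook.com loading its own CDN, is still accepted.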
I’m not a social network expert by any measure, but it seems to become clear that although the initial enthusiasm among the geek-crowd was big, Google Plus isn’t cutting it in the real world. I don’t have a Plus-tab open in my browser any more and when I do go Plus, there isn’t a lot going on in my circles which I want to participate in. Compare that to the way Yammer took off at the company I work for; in less than a month’s time 800+ colleagues (out of approx. 1500 employees) joined and we’re getting to know new colleagues, discussing more or less work-related topics (1500+ messages) in the open or in multiple interest-specific groups (15 at this moment). Good times! I don’t know how Yammer is doing in other companies in Belgium (and Europe by extension), but to me it seems that Yammer succeeds where Google Plus is failing; bringing together a group of people (in a more or less “private” environment) that share a common context but who didn’t share a social network before and allowing them to engage and to create engagement. Google Plus might be neat from a technology & privacy point of view, but it essentially was (and still is, I guess) a “me too” exercise, trying to occupy a market that has already very successfully been taken by Facebook & Twitter. And yes, Yammer does have an API.