Results tagged “security”
Gaslighting: The Response
November 22, 2011
Well, it seems like my post on how Facebook is gaslighting the web struck a nerve with a lot of folks. I have to give first priority to publishing the responses I've gotten directly from Facebook employees, to be fair to their perspective.
- Louis Brandy, a Facebook engineer, responded in the comments on my site:
I work at facebook on the team that generates the warning in question (site integrity). This warning appears to me to be a bug and we are currently trying to repro and fix. Continuing, though, to say that the warning is disingenuous is simply not correct. I do not agree with your premise that because you use a social plugin we should automatically whitelist you and exempt you from security checks. Malicious pages do that stuff too.
In this particular case, though, in my opinion so far, this would appear to be a false positive (a bug) from the way the comment widget generates notifications. Those notifications seem to wrongly trip a particular security check.
- Louis also left what is substantially the same comment on the (surprisingly thoughtful!) Hacker News thread about my post.
- Christopher Palow, another Facebook engineer, emailed me privately to address many of the same issues as Louis. Christopher explained that what he called the "linkshim" (the redirect which handles outbound links) performs a few key functions: It works for spam prevention by preventing access to known spam links, preserves privacy by obscuring your Facebook user ID from potentially being passed as a referrer, and allows referrer logs to show that traffic is coming from Facebook which wouldn't ordinarily happen otherwise if a Facebook user is accessing the site via HTTPS. Christopher offered a detailed perspective on the linkshim redirect which I found interesting, even outside of the context of my particular post:
Every external link clicked on Facebook and sent by Facebook in an email goes through the linkshim (if it doesn't, that's a bug). Each of these links is generated on the fly for the intended viewer and is cryptographically signed for only that viewer. We do this to prevent our linkshim from being abused by spammers as an open redirector. You saw the warning message that occurs when this signature is either missing or you are neither the user who generated the link nor one of that viewer's friends. This happens when our linkshim links get passed around outside of Facebook via IM or email. [Functional example of reproducing this behavior omitted.] In addition to other checks, we added a grab all your friends and check if the signature matches exception in order to mitigate abuse false positives from friends sharing links over IM/email. Only a very tiny fraction of users of the linkshim see the warning you saw.
I feel the language of the warning is pretty benign but I am open to your suggestions on how to improve it. Just keep in mind we have to balance false positives such as the one you saw with the damage that can occur if spammers can exploit our users' trust of Facebook URLs.
- More compelling to me was this thread on Les Orchard's Facebook profile, where he'd shared a link to my post. In that thread, Mike Shaver offered his perspective on the post. This is particularly notable because Mike is both a (brand new) Facebook employee and a board member for StopBadware. That's an extraordinary combination, and potentially an extraordinary conflict, but Mike's thoughts are worth a read. A highlight:
Facebook is not saying that your site is unsafe, and the text is bog-standard "hey, be careful where you put your password" motherhood and Apple-pie advice. It does not block the load like Google and Mozilla's malware interposition, and the experience is entirely different. Comparing them as you have is frankly fatuous, and I suspect pretty disingenuous as well. Do you really think that FB set out to put that screen up for any reason other than trying to protect users? You're going to be pretty much calling people straight-up liars, based on what they've said publicly about it.
(I'm on the board of StopBadware, and have some idea of what happens to sites when they get on the malware-block list, and what the false positive rate is.)
- MetaFilter's discussion of my post was also fairly thoughtful, if a bit one-sided, and it was nice to have my ideas discussed on the site without the thread being a referendum on me personally.
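The per-viewer signed redirect that Christopher Palow describes above can be sketched as follows. This is an added example, not Facebook's code: the HMAC construction, the `shim.example` endpoint, the `u`/`h` parameter names, the in-memory friend list and the idea that the link carries no viewer ID (so the verifier recomputes the signature for the clicking user and each of their friends) are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the demo; a real deployment would load the key from a
# secret store and query the social graph instead of a dict.
SIGNING_KEY = b"constructed-demo-key"
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}
SHIM = "https://shim.example/l"  # hypothetical redirect endpoint


def sign(viewer: str, target: str) -> str:
    """HMAC over (viewer, target): the tag is valid only for this viewer and URL."""
    msg = viewer.encode() + b"\x00" + target.encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(viewer: str, target: str) -> str:
    """Generate the outbound link on the fly for the intended viewer."""
    return SHIM + "?" + urlencode({"u": target, "h": sign(viewer, target)})


def check_link(link: str, current_user: str) -> tuple[str, str]:
    """Return ("redirect", target) or ("warn", target) for the clicking user."""
    query = parse_qs(urlparse(link).query)
    target = query.get("u", [""])[0]
    tag = query.get("h", [""])[0]
    if not tag:
        # Signature missing: without this branch the shim is an open redirector.
        return ("warn", target)
    # Assumption: the link does not name its viewer, so try the clicking user
    # first and then each friend (the "grab all your friends" exception).
    candidates = [current_user, *sorted(FRIENDS.get(current_user, ()))]
    for viewer in candidates:
        expected = sign(viewer, target)
        # Constant-time comparison so the check does not leak tag prefixes.
        if hmac.compare_digest(expected.encode(), tag.encode()):
            return ("redirect", target)
    return ("warn", target)


if __name__ == "__main__":
    link = make_link("alice", "https://example.org/post")
    for user in ("alice", "bob", "mallory"):
        print(user, check_link(link, user))
```

Because the target URL is part of the signed message, swapping `u` while reusing a valid `h` also lands on the warning page.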
I also wanted to address a few key issues that have surfaced since the post first started getting responses:
- Holy shit, one of the board members of StopBadware works for Facebook! That kind of blew my mind. Now, Mike's a nice guy, and the StopBadware folks are both trustworthy and well-intentioned. But as an industry, we in tech effectively delegate much of our policing to volunteer organizations such as StopBadware, and that leaves the potential for extraordinary conflicts when someone requests (as I did) policing actions against major players which employ members of those organizations.
- "But you have Facebook comments on this page!" Yep, I do. I'm not some anti-Facebook zealot, and I don't like to make criticisms of companies or products without making a sincere effort to use and understand those tools. I like using Facebook for things like sharing what I'm listening to on Spotify, or to find my friends on Mixel, and I have no objection to it providing services such as commenting in some contexts. It's important to me to communicate that my misgivings about Facebook's relationship with the web are not the rantings of an extremist.
- "You're saying sites should just be whitelisted and marked as safe simply for using Facebook plugins!" Nope, that's not what I said at all. What I was communicating is that, given that Facebook is already making the effort to index sites when they use social plugins, they can cross-reference this against databases such as StopBadware which do give feedback on whether a site is safe or not.
- "These were just honest bugs (or explainable but unfortunate features) on Facebook's part." Let's grant that this is the case for the engineers who work on systems like Facebook's link warning. First, I'm glad if it encourages them to either fix the bugs or update the systems so that spurious warnings are not issued. There is no mechanism by which an ordinary publisher could request such reviews. But second, even if they are just simple bugs the impact is still the same
Overall, I don't ascribe evil or malicious intent to any of the earnest and passionate coders whose responses I've quoted above. But I think some seemingly-innocuous features they work on can work as part of an overall strategy at Facebook that's in tension with the web, and I urge them to consider those implications very broadly whenever possible. All software has bugs, and that's no big deal. Facebook, though, has a unique burden to ensure that it's not accidentally trampling on the web, as an obligation of its dominant position in the web ecosystem, even if that simply means evaluating the potential for bugs or unusual edge cases of features resulting in content on the web being marginalized.
Finally, I am very aware of the privilege that I enjoy by having an audience that both sees and responds to pieces like the one I wrote yesterday. Having had many of my concerns addressed so quickly is gratifying. But to those who think Facebook got a bum rap: The only thing Facebook was facing as a result of my post was the threat of an unnecessary security warning being placed as a gateway to their site. The rest of us face that threat from Facebook every day.
Facebook is gaslighting the web. We can fix it.
November 21, 2011
Facebook has moved from merely being a walled garden into openly attacking its users' ability and willingness to navigate the rest of the web. The evidence that this is true even for sites which embrace Facebook technologies is overwhelming, and the net result is that Facebook is gaslighting users into believing that visiting the web is dangerous or threatening.
In this post I intend to not only document the practices which enable this attack, but to also propose a remedy.
1. You Cannot Bring Your Content In To Facebook

This warning appeared on Facebook two weeks ago to advise publishers (including this site) that syndicate their content to Facebook Notes via RSS that the capability would be removed starting tomorrow. Facebook's proposed remedy involves either completely recreating one's content within Facebook's own Notes feature, or manually creating status updates which link to each post on the original blog. Remember that second option, linking to each post manually — we'll return to it later.
2. Publishers Whose Content Is Captive Are Privileged
Over at CNET, Molly Wood made a powerful case against the proliferation of Facebook apps that enable ongoing, automated sharing of behavior data after only a single approval from a user. In her words:
Now, it's tempting to blame your friends for installing or using these apps in the first place, and the publications like the Post that are developing them and insisting you view their stories that way. But don't be distracted. Facebook is to blame here. These apps and their auto-sharing (and intercepts) are all part of the Open Graph master plan.
When Facebook unveiled Open Graph at the f8 developer conference this year, it was clear that the goal of the initiative is to quantify just about everything you do on Facebook. All your shares are automatic, and both Facebook and publishers can track them, use them to develop personalization tools, and apply some kind of metric to them.
As Molly's piece eloquently explains, what Facebook is calling "frictionless" sharing is actually placing an extremely high barrier to the sharing of links to sites on the web. Ordinary hyperlinks to the rest of the web are stuck in the lower reaches of a user's news feed, competing for bottom position on a news feed whose prioritization algorithm is completely opaque. Meanwhile, sites that foolishly and shortsightedly trust all of their content to live within Facebook's walls are privileged, at the cost of no longer controlling their presence on the web.
3. Web sites are deemed unsafe, even if Facebook monitors them
As you'll notice below, I use Facebook comments on this site, to make it convenient for many people to comment, and to make sure I fully understand the choices they are making as a platform provider. Sometimes I get a handful of comments, but on occasion I see some very active comment threads. When a commenter left a comment on my post about Readability last week, I got a notification message in the top bar of my Facebook page to let me know. Clicking on that notification yielded this warning message:

What's remarkable about this warning message is not merely that an ordinary, simple web content page is being presented as a danger to a user. No, it's far worse:
- Facebook is warning its users about the safety of a page which incorporates Facebook's own commenting features, meaning even web sites that embrace Facebook's technologies can be marginalized
- Facebook is displaying this warning despite the fact that Facebook's own systems have indexed the page and found that it incorporates their own Open Graph information.
To illustrate this second point, I'll include what is a fairly nerdy illustration for those interested. If you're sufficiently interested in the technical side of this, what's being shown is Facebook's own URL linter, as viewed through the social plugins area in the developer console for a site. In this view, it verifies not only that the Open Graph meta tags are in place (minus an image placeholder, as the referenced post has no images), but that Facebook has crawled the site and verified enough of the content of the page to know their own comment system is in place on the page.
How to Address This Attack
Now, we've shown that Facebook promotes captive content on its network ahead of content on the web, prohibits users from bringing open content into their network, warns users not to visit web content, and places obstacles in front of visits to web sites even if they've embraced Facebook's technologies and registered in Facebook's centralized database of sites on the web.
Fortunately, the overwhelming majority of web users visit Facebook through relatively open web browsers. For these users, there is a remedy which could effectively communicate the danger that Facebook represents to their web browsing habits, and it would be available to nearly every user except those using Facebook's own clients on mobile platforms.
This is the network of services designed to warn users about dangers on the web, one of the most prominent of which is Stop Badware. From that site comes this description:
Some badware is not malicious in its intent, but still fails to put the user in control. Consider, for example, a browser toolbar that helps you shop online more effectively but neglects to mention that it will send a list of everything you buy online to the company that provides the toolbar.
I believe this description clearly describes Facebook's behavior, and strongly urge Stop Badware partners such as Google (whose Safe Browsing service is also used by Mozilla and Apple), as well as Microsoft's similar SmartScreen filter, to warn web users when visiting Facebook. Given that Facebook is consistently misleading users about the nature of web links that they visit and placing barriers to web sites being able to be visited through ordinary web links on their network, this seems an appropriate and necessary remedy for their behavior.
Part of my motivation for recommending this remedy is to demonstrate that our technology industry is capable of regulating and balancing itself when individual companies act in ways that are not in the best interest of the public. It is my sincere hope that this is the case.
Further Reading
Many aspects of this conversation are not, of course, new topics. Some key pieces you may be interested in:
- As I was researching this piece, Marshall Kirkpatrick published Why Facebook's Seamless Sharing is Wrong over on ReadWriteWeb, articulating many of these same concerns. His piece is well worth reading.
- Albert Wenger of Union Square Ventures makes a strong case for the long-term goal of a network of networks. I fully share his vision here, and hope most in our industry will endorse this idea as well.
- Molly Wood's excellent look at Facebook sharing which I referenced above is worth reading in its entirety.
- Blackbird, Rainman, Facebook and the Watery Web was a more optimistic look at how web platforms evolve that I wrote four years ago when Facebook was much less dominant.
- The Facebook Reckoning a year ago offered a perspective on the values and privilege that inform Facebook's decision-making.
- My ruminations on ThinkUp and Software With Purpose last week also explored the related danger of Facebook deleting everything you've ever created on their site.
In Defense of Security Theater (Sorta)
November 15, 2010
I travel often, and until relatively recently I was doing over 100,000 miles a year. I've cut back a lot because my jobs have changed and I felt bad about my carbon footprint, but the bottom line is I've spent a lot of quality time with the TSA. And amidst all of the recent (often justified) blowback against their more-intrusive personal pat-downs, I thought I'd articulate a little bit of why overall, the security theater we go through at airports these days doesn't really bother me.
First, some important points:
- I'm not suggesting that taking off our shoes at x-rays, or having our testicles tapped, or not having more than 3 ounces of liquids actually keep us safe against any innovative new attacks.
- There are absolutely documented cases of a few of the many thousands of TSA agents out there abusing their stations, with infractions ranging from questionable to egregiously immoral.
- I'm not in favor of a police state, and strongly support civil disobedience and effective attempts to change overbearing security policies.
- TSA security policies are ridiculously over-focused on the last attempted attacks, instead of future ones.
With all that being said, I don't think our current system of security theater as practiced by the TSA is necessarily the wrong thing to do.
The Hand You're Dealt
The TSA lists their mission as "protect[ing] the Nation’s transportation systems to ensure freedom of movement for people and commerce." A mission like that is a bit like the mission of our financial regulatory agencies after the recent market meltdowns — some of it is about putting in place better preventive policies, but a lot of it is also about managing perceptions. Free movement of people essentially relies on the largest number of those people feeling safe to move.
And many people, frankly, are pretty stupid about air travel. They don't do it often, don't have a mental model of how air travel really works, aren't particularly educated about the security processes they have to participate in, and aren't logical in the way they respond to security measures.
I don't say any of these things as criticisms, just as observations based on experience. More often than not, the person behind me or in front of me in the security line at an airport seems to be unsure of some part of the process, not just at the level of "is it time to take our shoes off now?" but at the deeper sense of "what is this process I'm taking part in?" And often, their behaviors are similarly uninformed. Sure, I've gotten annoyed at having to go through random secondary screening, but that's frankly only happened a tiny fraction of the time I travel. By contrast, every single time I get on a plane in the U.S., I see at least one person studiously watching me put my belongings on the conveyor belt, as if they're performing an act of heroism by personally observing me. Sure, I look a lot like Marwan al-Shehhi, but I'm not sure their memories are that good.
I don't point that out in order to (merely) begrudge them their prejudices, though. I point it out because the TSA has to serve those people, too. Most of us who control the conversation on social media or in the rarified air of traditional media are experienced flyers, who pride ourselves on the logical rigor of our analyses of TSA technique. But we're not the majority of flyers. And some large percentage of people who travel, in order to feel safe, have to see or feel an experience that addresses their fears about traveling, regardless of whether that experience is based in logic or rationality.
Enter The Theater
This is where the "theater" aspect of security theater comes in. Any theatrical performance is designed to elicit a feeling in its audience, even though that's obviously a manufactured or even emotionally manipulative process. In the case of security theater, part of the TSA's mission is to elicit the feeling of safety from travelers. This is a good thing. As much as it pains those of us in the media establishment to say so, it is just as legitimate for the TSA to have "make people feel safe" as a goal as it is to have "make people actually be safe".
In the particular case of invasive body-scanning technology, this obviously raises the question of what we mean by "safe". There's safe from people hiding secret explosives or weapons, and then there's safe from the prying eyes of government employees. The majority of travelers, who aren't always savvy or logical in their evaluations of such processes, and who only rarely have to face the indignities of the situation anyway, don't see governmental intrusiveness as being nearly as "unsafe" as the other form of potential risk.
So, if you were in charge of the TSA, which audience of travelers would you piss off? I think the only reasonable choice you could make would probably look something like the current compromise, once you consider the different segments of the public you have to address, the level of training and experience of current field staff, and the variety of threats that are actually being attempted.
Keep in mind: If someone did get through with another shoe bomb, or someone successfully made a liquid explosive after that potential risk had been identified, or body-scanning technology was made available to stop certain types of attacks and the TSA knew about it but didn't use it, they'd be subject to far more criticism than they're getting today.
Almost any institution, when faced with a situation where they'll get harshly criticized regardless of their choice, is going to choose the option that lets them accrue more power as an institution. That's true of government agencies, corporations, and any other organization that can make itself part of society. This situation simply will not ever change until such time as Americans are willing to accept that a certain level of risk of aircraft-based terror threats always exists, and Americans have consistently indicated they're not willing to live with air travel being a fraction as deadly as, say, traveling by car. It's especially unlikely to change as, at a broader level, we encourage corporations to define our policy. The TSA is a symptom of the fact Americans like to think they're going to live forever, and that they trust corporations more than their government regardless of the track record of either. Change those facts, and then maybe we can change the TSA.
A Really Crappy Job
I'll admit, part of my willingness to partially exonerate the TSA for the current levels of stupidity at airports is because it's a really, really tough job for an agency to have. While airport screeners are obviously trained, any large force of employees who deal with the public during times of stress are going to be constantly making egregious mistakes. Hell, there's a complaint about a McDonald's worker probably every other minute, and they're not involved in examining people's bodies, just giving them french fries.
Some of the people at the agency are also trying really hard. If you look at the TSA blog, which was one of the earliest blogs launched by any federal agency, and still remains among its best, there's a concerted effort to engage the public in a smart way. When attention-seekers exaggerate their mistreatment at the hands of the TSA, they don't get engaged in a back-and-forth, they just post footage of the event in question. When TSA agents screw up, they don't publicly shame them, they just talk about what their standards are for employees. Obviously, the range and scope of current complaints have overwhelmed their social media staff of late, but part of me thinks they'll have either reasonable answers for many situations, or take accountability for the times when they were clearly wrong. I recently answered an Ask MetaFilter question about how to contact the TSA to object to current screening procedures, and was pretty surprised at the range of options available to a citizen who wants to contact the agency, as well as the likelihood of getting a thoughtful response.
All of that being said, obviously I still have misgivings about the awful experience so many of us have at the airport. I'm especially affronted because I know many of the common forms of objection, including merely opting out of the body-scanning devices, would earn me far more of an inconvenience or delay at the airport than the other folks who are protesting, simply because of how I look.
But the worst excesses of the TSA are caused by our culture, and the agency is responding to our culture's values. If you want them to change their behavior, you'll have to engage with your neighbors and fellow citizens about their fears, and evolve the way we all respond to them. They may find that conversation to be far too invasive, and you'll have to decide what to do when they ask to opt-out.
Embedded Journalism
March 14, 2008
I want you to place the text of this blog post on your own site. But I don't want you to do it just by copying and pasting it into your own blogging tool. I think there might be a different way to do it.
Now, I probably obsess over embedded objects and copying and pasting even more than most geeks. When I attended the recent Graphing Social Patterns conference, one of my great frustrations is that people are talking about platforms like Facebook and OpenSocial and MySpace and widgets, but they're leaving out fundamentals like copy and paste. It's a basic capability, but none of these platforms address even basic interoperability for the applications that are built on top of them.
I don't know how we get there; I've written in the past about reinventing copy and paste, Live Clipboard, Ajax Linking and Embedding, and more.
Despite all these developments, what's actually taken off with real users is the plain old browser and operating system's copy-and-paste, combined with <embed> or <script> tags to pull in content from other sites. It's powered the rise of YouTube and many of the biggest widget providers. (APIs are of course a big part of this, too; Flickr and Delicious propagated themselves by posting directly to blogs using standard APIs.) But regular people on the web have settled on copying inscrutable, nonstandard HTML markup as a pretty effective way of getting the functionality they want.
But we've only been using this stuff for the most complicated parts of the web, like rich media. What about text?
My blog is mostly text, with some bits of video and images embedded. So, I've created a javascript embed tag at the bottom of every post on my blog, to let you embed the title, an excerpt of the post, and a list of commenters on the post in your own blog or site.
What use is that? I have no idea. Obviously, you could copy and paste the raw text to excerpt it. And certainly, pulling in a javascript from my site to live on your site means you've got to trust my content, unless it's sandboxed somehow.
But there seems to me to be something really interesting, some kind of potential, to including our posts (or parts of our posts) in other blogs that way, and while I'm no great coder, making the Movable Type templates to do this took about five minutes. I'm hoping something even more interesting comes from the world of compound objects or compound embeds, with a text post containing a video clip or image, and then being included on another page.
So: Has someone done this before? I've made blog templates that output widgets before, but what if we assume every blog post is a widget? How could we address the security issues? What does it mean that the included text and content can be updated remotely? What purpose does this serve, or is it just a really complicated way of copying and pasting text?