Social Media Technology

Facebook’s astonishing fail


I did find a reference to this type of behavior…from 2010.

What I suspect happened is some very old security code accidentally got compiled into the Facebook server app, in relation to the company’s new security feature, and I just happened along when it was exposed.

Either that, or I stumbled into a time vortex.


I treated myself to a new smartphone today. Among the apps I loaded was Facebook. I had copied my password from Dashlane and was ready to go, when I ran into something new:

Facebook’s new security system.

To prove I am who I am, Facebook displayed a set of images, each with a set of names, and asked me to pick the person who matched the image. OK, this ought to be good.

The first was an obviously 30+ year old photo of a chubby baby. So who is it?

I’d have a hard time recognizing one of my own baby pictures, much less the folks on Facebook. Especially considering many people, such as myself, don’t even use photos of themselves as their Facebook profile pictures. So, next image, please.

The next showed a cartoon strip, with a square around one of the panels. The security question then asked who the image was. I can tell you that it isn’t Barbara Schmitz or Nanny Baker.

The third showed an image I did recognize: Mr. Presidential Candidate Rand Paul. Which means it wasn’t Kevin Stamps or John Doppler.

The thing that saved me was when another photo of a woman looked like Sarah Barnett. Thankfully, Sarah also had a conference pass around her neck with “Sarah Barnett” printed on it. But by that time, I’d taken too long or missed too many images, or some such thing, so I had to start over.

Facebook…you’ve taken “being completely unaware of how people use your web site” to a level never before heard of, or seen. And then you exceeded it by using your complete lack of understanding to form the platform for your new security system.

Social Media

Don’t touch that tweet

As many people are discovering, Twitter has been compromised, and badly.

It would seem, from what I can piece together from the web sites discussing the problem, the new Twitter interface doesn’t bother to do a little thing called escaping the input so that JavaScript can’t be inserted into Twitter messages. Messages have then been posted that capture the MouseOver event on links and play havoc with the page (if not re-directing you to porn sites).

We’ve been indulgent of Twitter for too long, probably because it’s simple, easy, and free. However, the company’s habit of piling on new additions, without ensuring that they are either robust or secure, has now bit it in the butt. Bit us in the butt, I should say. I frankly have lost trust in the application, and have to re-think if I want to continue using the site and services. At a minimum, I am looking at third party applications rather than accessing Twitter, directly.

Maybe this event is a reminder that Twitter isn’t the only way to communicate; that it’s time to get back to writing. Real writing, with punctuation and words without the vowels removed.

For now, don’t access Twitter until you see all clear messages from reliable sites at Techmeme.

update Netcraft has a nice rundown on the genesis of the problem. And I’m trying TweetDeck for the first time. Don’t really care for it.

second update Why on earth doesn’t Twitter shut down the web site until the problem is fixed? Irresponsible isn’t the word that comes to mind, right now.

third update Supposedly the Twitter XSS exploit was fixed this AM. Oh, but, fa la la!—Twitter also posted some new stuff, so that people are all talking about the cool new stuff—rather than the obvious security flaw the company left in its application, and that it actually left the web site up while fixing the bug.

Social Media

St. Louis Today violates commenter trust

The St. Louis Today staff did it again.

The site asked a question of its readers: what was the strangest thing you’ve ever eaten. Evidently one person posted “pussy”. A crude answer, true, and a little vulgar, but also on-topic. At the most you’d expect the comment to be deleted, perhaps the person banned, if they’ve made a habit of writing semi-vulgar comments. What happened, though, is astonishing. In St. Louis Today’s Kurt Greenbaum’s own words:

someone posted in reply a single word, a vulgar expression for a part of a woman’s anatomy. It was there only a minute before a colleague deleted it.

A few minutes later, the same guy posted the same single-word comment again. I deleted it, but noticed in the WordPress e-mail alert that his comment had come from an IP address at a local school. So I called the school. They were happy to have me forward the e-mail, though I wasn’t sure what they’d be able to do with the meager information it included.

About six hours later, I heard from the school’s headmaster. The school’s IT director took a shine to the challenge. Long story short: Using the time-frame of the comments, our website location and the IP addresses in the WordPress e-mail, he tracked it back to a specific computer. The headmaster confronted the employee, who resigned on the spot.

The title of the article at St. Louis Today is “Post a vulgar comment while you’re at work, lose your job.” A more appropriate comment would be, “We get people fired because they write the word ‘pussy’ in a comment.” And Kurt Greenbaum hasn’t a clue why people are angry. What’s sadder is that Greenbaum is the Social Media director for the paper.

Social Media Specs W3C

HTML5 status and when not to tweet

I’m in the process of rolling out some change proposals and bug reports for HTML5. I had volunteered to help with reviewing MathML during Last Call, and submitting comments for the HTML WG. Unfortunately, the process did not go smoothly.

In the meantime, this week was the W3C’s TPAC meeting, where all the boys and girls from all the W3C working groups get together for a face to face. Interesting stuff happened, including the TAG (TAG is the overall W3C architecture group) recommendation that HTML WG split Microdata from HTML5. We’ll see where that goes.

Twitter was very useful for those of us who were not at TAG. Those at TAG pointed out the IRC channels associated with each meeting, and where links to reports and presentations could be found. It was an example of good Twitter use.

What was not an example of good Twitter use last week were the “live” Twitter messages that came from a soldier in a hospital within Fort Hood during the recent tragic events. The inappropriate and less than helpful use of Twitter was detailed in an exceptionally good post at Techcrunch, written by Paul Carr.

In the writing, Paul makes the point that rather than help, or at least get out of the way, during a crises, we grab our cellphones and become mini-journalists—macabrely excited about being “live” at the event. We post photos of people hurt in accidents, or shot by a crazy man, regardless of who we might harm, including family members or the victims themselves. We exaggerate the event until one gunman becomes three, and an act of insanity becomes one of terrorism.

More importantly, we jam necessary cellphone lines in order to get that last tweet out, cause confusion, and aid and abet chaos.

Even outside a crises, we don’t seem to know when to turn off the spigot. How many of us woke up this morning to be met with the ultimate of absurdities: hundreds of messages from folks “live tweeting” a Congressional vote. My god, it’s just a bloody vote. There is nothing exciting about a vote until the vote is finished and the tabulation made.

Frankly, I would rather hear what people had for breakfast.

Anyway, more on HTML5 later, and do read Paul Carr’s writing.

update Suw Charman-Anderson has a detailed rebuttal. She has some good points, especially about the Iranians feeling reassured that people were listening.

What she misses, though, is the past tense: people were listening. People listened during the Iranian election, dyed their avatars green, and filled Twitter trends with the topic. And then…it all just went away. And that’s the point I think that Paul was making: social media’s ability to influence events is directly proportional to the attention of the participants, and the participants are being subjected to a continuous barrage of new events, and new outrages.

The green avatars are gone. Do the Iranian people still feel assured that people are listening?

HTML5 Social Media

Google Wave, Twitter, and HTML WG

I rejoined the HTML WG. Again. The group has come up with a change procedure/process that I can support. There was confusion before about whether HTML WG members could issue formal objections, since supposedly we’re part of the group making the original decisions. The new procedure, though, reserves us the right to submit a Formal Objection if all other avenues are blocked. I’m more comfortable being part of the group, now. I even have a first change proposal assignment, due after the book deadline.

Good news from the group: the HTML+RDFa document is now a published draft. However, the work on distributed extensibility is slow going. It’s difficult to split off the technical concerns from the knee jerk reactions.

You may, or may not, have noticed that I don’t post links to my main feed, or this site, for my Just Shelley site. That site is very personal, and a lot of people who read my stuff are more interested in my more impersonal writings, such as tech. Of course, I haven’t been writing at any of my sites lately. Too busy with the book.

I did get a Wave invite–thanks to whoever sent me it. And yes, I’ve given out all of the Wave invitations I have.

What do I think of Google Wave? I think it’s too much for me, though I did have a fun exchange with Marius Coomans, as he was sailing the ideal waters around Australia. We exchange emails and twitter messages, but there’s something different about seeing a message being typed out by someone who is on a boat, and watching them make corrections, as they’re watching you correct your own mistakes. And you’re on opposite sides of the planet, and different hemispheres. It’s not earth shattering, but it is a bit uncanny.

So what else is there to say about Wave. The user interface sucks, but that’s not unusual for a Google application. The performance is sluggish, but it’s alpha. And it performs better than Twitter. Other than that, though, I’m just not sure about the usability of the service. I know that others like the tool, such as Laura Scott who had a nice write-up.

Frankly, though, I’m really getting burned out on the whole social media thing so I may not be a good judge.

There was another instance where I wrote one thing, and it was interpreted as the opposite. I supported what Kurt Cagle wrote on HTML5, but based on a intense Twitter exchange I had with another person, Kurt interpreted my reaction to be opposite of what it is.

Twitter is useless as a tool for doing more than pointing out a link or talking about what you had for breakfast.