I work on the team that generated the warning that seems to be the crux of this post. I am pretty convinced that it is a bug.
His central theme, though, is a bit misguided. I don't understand why 1) using opengraph, or 2) using a like button implies facebook should trust your link and whitelist it. Even pages with those integrations can be malicious.
In this actual case though, the notification link (generated from the commenting widget) seems to malformed and causing it to trip a security check. I've pinged a bunch of people about figuring out what is happening and getting it fixed. The guy sitting next to me is currently trying to repro.
As for convincing Google/Microsoft to warn users when visiting facebook.com because of security false-positives, I'll leave that discussion for you guys.
Why does not Google pop-up similar warnings when you click on its search results?
-Because Google is dependent on the richness and abundance of third-party websites, for its search to be meaningful.
What is the objective of Facebook?
- To suck users into facebook.com, and sandbox them there. Similarly, the smaller objective of Facebook Social plugins is to lift the userbase from third party websites and move it into Facebook.
I appreciate your thoughtful response and want to make clear: I'm not ascribing ill intent to you or to any of your individual coworkers. What I am suggesting, instead, is that the overall goals of Facebook as a company combine to yield this result, and that the overall result is a deliberate outcome of the company's strategy.
That being said, I'd eagerly await resolution of the bugs you've described.
I do not mean to suggest that use of OG or the like button should imply trust, but rather that crawling of a site by Facebook consistently over months or years should show whether it has ever been a bad actor, or whether it's ever been flagged by others as a site with ill intention; Indeed, that's exactly what Stop Badware et. al do.
Thank you for expressing this so cogently and calmly. It's easy to get defensive when somebody starts flinging wild accusations like Anil does here, but informative and level-headed responses like this are much better at keeping the conversation on track.
I 've had this domain that was since forever a simple redirect to our facebook game spam-listed. I 've sent countless appeals for almost a year now and never heard back. Have something to suggest?
Having been bit by this warning message, all this sounds a bit too familiar.
At the time it was being caused by McAfee (yes, dust-off the anti-virus conspiracy theories) had flagged our domain as untrusted because our main virtual host (www.) was returning an HTTP 200 on a 404 Not found page. Yes, that's the "security risk" they found. sigh
we've been a big user of facebook but now we're all cancelling our accounts. we used it to organise trips and meet people but now this is just all becoming too suspicious.
Cache link is essential, of course the term 'gaslighting' [1] may be common in some groups, it was new to me. The general theme is that Facebook is making changes which make the service benefit Facebook more and is less user friendly. I'm not sure it rises to the level of abuse implied by the term but that is clearly subjective. The 'answer' of course is to leave.
I know, I know, "But all my friends are there!" or "Nothing else has the reach of Facebook!" or "I've invested thousands of hours in Facebook!". At the end of the day, Facebook is on the road to becoming a 'public' company, and they are making choices which are in Facebook's interest (mostly about the whole Open Graph stuff which they will sell for money to advertisers for revenue.
The 'good' Facebook you are looking for has to charge its users for accounts because that is the only way to pay the bills without selling you off to less purient interests.
The 'good' Facebook you are looking for has to charge its users for accounts because that is the only way to pay the bills without selling you off to less purient interests.
Is that related to how the only 'good' search engine would be one that has to charge you per-search lest it be forced to sell your click info and search terms to less prurient interests?
I'm usually pretty tolerant of Facebook's more aggressive initiatives, but I've started blocking all of the "frictionless sharing" apps. The user interface they present is ridiculous.
1. I see a friend read an article that looks interesting. I click it.
2. Every time I click one of these I'm asked to add the application before I'm allowed to view the link.
3. My options are "ok" and "cancel". The first few times I assumed I couldn't read the article without clicking ok so I just hit the back button. It turns out "cancel" really means "don't add the app, just take me to the link".
Without that confirmation dialog (which most people probably blindly click through) this is exactly how social media worms work.
Perhaps alert users will click "cancel" the first 5 or 10 times, but eventually they're going to accidentally click "ok" or just give in. Not cool.
Plus, why would I want to see articles that friends read, but didn't think were worthy of manually posting about in the first place?
This is the part I don't understand - last week there was an article about Salman Rushdie and FB. I doubt anything is going to change by complaining - FB is continuously going to do everything in its power to monetize and lock down it's users. Why not just stop using FB? May be I don't 'get' the importance of FB, but I think people can happily communicate with just email, phone and a bunch of other sites, which are less offensive than FB.
But as a website user I don't get to choose the commenting system.
As a blog maintainer, there are three major drop-in comments providers (disqus, intensedebate, facebook included), and if I've had gripes with one of the others, I might end up going for FB comments, despite allowing FB to extend it's "creep" there.
Regarding "Web sites are deemed unsafe, even if Facebook monitors them", wouldn't it be worse if Facebook deemed websites that it monitored 'safe'? Then Facebook would be saying: "use Facebook services on your site, or we'll scare all of your users with an interstitial message"
This is true. I presume a preferred option would be dumping the warnings altogether, but this would be a big boon for phishers.
What I don't like about the article is the suggestion that the best way of combating Facebook's excessively paranoid and usually unwarranted warnings about offsite content is to show excessively paranoid warnings to people trying to get into Facebook. Particularly when one of the principal gateways to Facebook is the browsers and websites operated by Google - not exactly a disinterested third party.
People who use Facebook are silly people. No this is not a flame, it's AOL all over again. The walled garden, except the garden is a dystopian big brother state.
I don't mind people being in the dystopia of their own choosing at all. I enjoy going for walks outside the cyberdome. It's quiet and peaceful out here and people are not monitoring and trying to manipulate and control me.
Those who enjoy being a cog in a machine I am sure lead happy fulfilling lives inside The Facebook.
You know, the dystopia in which I'm forced to share pictures of my newborn son with my family, and talk to friends on the other side of the country that I haven't seen for months, is better than pretty much any other dystopia I can imagine.
Point 3 ("WEB SITES ARE DEEMED UNSAFE, EVEN IF FACEBOOK MONITORS THEM") has been addressed. Here are the other two.
"YOU CANNOT BRING YOUR CONTENT IN TO FACEBOOK"
False. Facebook's API allows all sorts of external content to enter Facebook. They're just shutting down their app that does that automatically. There are plenty of third party apps that already solve this problem.
"PUBLISHERS WHOSE CONTENT IS CAPTIVE ARE PRIVILEGED"
False. The Washington Post has chosen to embed their stories within the Facebook canvas pages, but that's not a requirement. The other popular news sites on Facebook, The Guardian and Yahoo, do not do this.
It is only when the annoyance levels reach a breaking point that the FB alternatives will be made as user-friendly as FB and brought to the attention of the masses. One will emerge as dominant. And the cycle begins again.
I am no great fan of facebook. The timeline sucks.
I think the warnings fb use are necessary, there's so many worms and spam wall postings. You can debate the wording and motive. Many users need paternalism.
You can AUTOMATICALLY have posterous post a link on your wall every time you write a blog post. It doesn't use the notes system at all. It sounds like fb are stopping people using notes for something they weren't designed for.
If he's saying every dumb aol/xp/ie6 user will be too scared to ever leave fb for the rest of the web, wouldn't that be the end of the Eternal September, which some would welcome?
This sounds pretty similar to the complaints from SEO gamers whenever Google changes their algorithms and removes them from the top ranks for a search. I don't agree that any of the examples used by the author is anything particularly harmful.
I applaud the author's use of detailed documentation and the ability and willingness to dig deeper into the technical side of what he believes to be the problem. As soon as I had installed the Firefox addon Noscript I began to notice the facebook scripts put in place on many sites having nothing to do with Facebook. Their real interest is not in being nice by providing you with a free service, but in using data aggregated by its large user base in order to find patterns - and to sell that information to the highest bidder. Pretty soon advertisers and governments will know more about you than you do yourself.
And the effort is probably hopeless, but maybe it will at least draw some attention to facebook's abhorrent practices. But they get plenty of negative press already, doesn't seem to slow them down.
I figure it's going to take a lot more efforts like this, to stop the abuses when portals gain monopoly power on user's attention.
User's will put up with it, (and probably put up with much worse), there is no alternative to facebook for what facebook does and is. Chickens and eggs ...
Good luck with that. Imagine all the YouTube-quality comments that would flood crbug:
PLZ FIX TEH FACEBOOK LOGIN SCREEN!!
We can have discussions all we like about whether or not Facebook is a net-positive or a net-negative for the Web, but there's no way Google, Microsoft, or Apple is going to blacklist them.
Exactly! I hate to say this because it makes me sound like a tech elitist, but some people really do need those warnings because they can't tell what website they're on.
See the ReadWriteWeb article that had to put a big "this is not Facebook" notice on it.
I like to login to FB for several minutes once or twice a week - a quick way to see what some friends are doing. However, I logout as soon as I am done. I also went through and disabled all FB apps, except for my own test app.
Given these simple precautions, is there really anything wrong with FB? Am I missing something?
If you think that people less prudent than you should be "protected" from Facebook, then your participation may be harmful to them because it's part of what encourages them to participate.
The only way to stop Facebook is to protest and boycott it. It worked in 2006 and 2007 (News Feed and Beacon, but Beacon might have been 2008) and it'll work again.
I agree with your first sentence. Whether it worked in the past is arguable, since they continue to do slimy things. But one thing is sure: they can't abuse your data if you don't give it to them.
[+] [-] lbrandy|14 years ago|reply
His central theme, though, is a bit misguided. I don't understand why 1) using opengraph, or 2) using a like button implies facebook should trust your link and whitelist it. Even pages with those integrations can be malicious.
In this actual case though, the notification link (generated from the commenting widget) seems to malformed and causing it to trip a security check. I've pinged a bunch of people about figuring out what is happening and getting it fixed. The guy sitting next to me is currently trying to repro.
As for convincing Google/Microsoft to warn users when visiting facebook.com because of security false-positives, I'll leave that discussion for you guys.
[+] [-] cft|14 years ago|reply
Why does not Google pop-up similar warnings when you click on its search results?
-Because Google is dependent on the richness and abundance of third-party websites, for its search to be meaningful.
What is the objective of Facebook?
- To suck users into facebook.com, and sandbox them there. Similarly, the smaller objective of Facebook Social plugins is to lift the userbase from third party websites and move it into Facebook.
[+] [-] anildash|14 years ago|reply
That being said, I'd eagerly await resolution of the bugs you've described.
I do not mean to suggest that use of OG or the like button should imply trust, but rather that crawling of a site by Facebook consistently over months or years should show whether it has ever been a bad actor, or whether it's ever been flagged by others as a site with ill intention; Indeed, that's exactly what Stop Badware et. al do.
[+] [-] qeorge|14 years ago|reply
I find it annoying as hell, but I took it as a bad UX decision and not a conspiracy.
[+] [-] chc|14 years ago|reply
[+] [-] zerostar07|14 years ago|reply
[+] [-] andr3|14 years ago|reply
At the time it was being caused by McAfee (yes, dust-off the anti-virus conspiracy theories) had flagged our domain as untrusted because our main virtual host (www.) was returning an HTTP 200 on a 404 Not found page. Yes, that's the "security risk" they found. sigh
[+] [-] mishlawyer|14 years ago|reply
[+] [-] ChuckMcM|14 years ago|reply
I know, I know, "But all my friends are there!" or "Nothing else has the reach of Facebook!" or "I've invested thousands of hours in Facebook!". At the end of the day, Facebook is on the road to becoming a 'public' company, and they are making choices which are in Facebook's interest (mostly about the whole Open Graph stuff which they will sell for money to advertisers for revenue.
The 'good' Facebook you are looking for has to charge its users for accounts because that is the only way to pay the bills without selling you off to less purient interests.
[1] https://en.wikipedia.org/wiki/Gaslighting (warning Wikipedia link)
[+] [-] evgen|14 years ago|reply
Is that related to how the only 'good' search engine would be one that has to charge you per-search lest it be forced to sell your click info and search terms to less prurient interests?
[+] [-] redthrowaway|14 years ago|reply
What's the warning for? If it's warning against being confronted with Jimbo's piercing gaze, that seems a bit snarky.
[+] [-] tlrobinson|14 years ago|reply
1. I see a friend read an article that looks interesting. I click it.
2. Every time I click one of these I'm asked to add the application before I'm allowed to view the link.
3. My options are "ok" and "cancel". The first few times I assumed I couldn't read the article without clicking ok so I just hit the back button. It turns out "cancel" really means "don't add the app, just take me to the link".
Without that confirmation dialog (which most people probably blindly click through) this is exactly how social media worms work.
Perhaps alert users will click "cancel" the first 5 or 10 times, but eventually they're going to accidentally click "ok" or just give in. Not cool.
Plus, why would I want to see articles that friends read, but didn't think were worthy of manually posting about in the first place?
[+] [-] paganel|14 years ago|reply
[+] [-] marshray|14 years ago|reply
Everything I read about it just makes me happier that I don't.
[+] [-] vijayr|14 years ago|reply
[+] [-] r00fus|14 years ago|reply
As a blog maintainer, there are three major drop-in comments providers (disqus, intensedebate, facebook included), and if I've had gripes with one of the others, I might end up going for FB comments, despite allowing FB to extend it's "creep" there.
[+] [-] mnutt|14 years ago|reply
[+] [-] notahacker|14 years ago|reply
What I don't like about the article is the suggestion that the best way of combating Facebook's excessively paranoid and usually unwarranted warnings about offsite content is to show excessively paranoid warnings to people trying to get into Facebook. Particularly when one of the principal gateways to Facebook is the browsers and websites operated by Google - not exactly a disinterested third party.
[+] [-] droithomme|14 years ago|reply
I don't mind people being in the dystopia of their own choosing at all. I enjoy going for walks outside the cyberdome. It's quiet and peaceful out here and people are not monitoring and trying to manipulate and control me.
Those who enjoy being a cog in a machine I am sure lead happy fulfilling lives inside The Facebook.
[+] [-] thom|14 years ago|reply
[+] [-] natrius|14 years ago|reply
"YOU CANNOT BRING YOUR CONTENT IN TO FACEBOOK"
False. Facebook's API allows all sorts of external content to enter Facebook. They're just shutting down their app that does that automatically. There are plenty of third party apps that already solve this problem.
"PUBLISHERS WHOSE CONTENT IS CAPTIVE ARE PRIVILEGED"
False. The Washington Post has chosen to embed their stories within the Facebook canvas pages, but that's not a requirement. The other popular news sites on Facebook, The Guardian and Yahoo, do not do this.
This entire post is woefully misinformed.
[+] [-] ricardobeat|14 years ago|reply
[+] [-] ck2|14 years ago|reply
Of course shooting themselves in the foot wouldn't hurt either.
Remember MySpace? How about Digg?
[+] [-] 1010010111|14 years ago|reply
It is only when the annoyance levels reach a breaking point that the FB alternatives will be made as user-friendly as FB and brought to the attention of the masses. One will emerge as dominant. And the cycle begins again.
Every itch gets properly scratched, eventually.
[+] [-] aj700|14 years ago|reply
I think the warnings fb use are necessary, there's so many worms and spam wall postings. You can debate the wording and motive. Many users need paternalism.
You can AUTOMATICALLY have posterous post a link on your wall every time you write a blog post. It doesn't use the notes system at all. It sounds like fb are stopping people using notes for something they weren't designed for.
If he's saying every dumb aol/xp/ie6 user will be too scared to ever leave fb for the rest of the web, wouldn't that be the end of the Eternal September, which some would welcome?
[+] [-] anildash|14 years ago|reply
[+] [-] tawm|14 years ago|reply
[+] [-] Semiapies|14 years ago|reply
http://webcache.googleusercontent.com/search?q=cache:dashes....
[+] [-] steve8918|14 years ago|reply
[+] [-] nomdeplume|14 years ago|reply
[+] [-] jerhewet|14 years ago|reply
[+] [-] derekreed|14 years ago|reply
Well thought out and sound reasoning.
And the effort is probably hopeless, but maybe it will at least draw some attention to facebook's abhorrent practices. But they get plenty of negative press already, doesn't seem to slow them down.
I figure it's going to take a lot more efforts like this, to stop the abuses when portals gain monopoly power on user's attention.
User's will put up with it, (and probably put up with much worse), there is no alternative to facebook for what facebook does and is. Chickens and eggs ...
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] bsimpson|14 years ago|reply
[+] [-] carols10cents|14 years ago|reply
See the ReadWriteWeb article that had to put a big "this is not Facebook" notice on it.
[+] [-] mark_l_watson|14 years ago|reply
Given these simple precautions, is there really anything wrong with FB? Am I missing something?
[+] [-] MBlume|14 years ago|reply
[+] [-] iamandrus|14 years ago|reply
[+] [-] billybob|14 years ago|reply
[+] [-] mikeklaas|14 years ago|reply
[+] [-] bct|14 years ago|reply