

New security settings coming to Facebook - riledhel
http://blog.facebook.com/blog.php?post=486790652130

======
cosgroveb
The social captcha idea is neat, but sometimes my friends tag each other in
pictures that aren't of them (cartoons - or places) sometimes to joke around
with each other or get a friend's attention. I can see someone getting locked
out of their account for being shown a picture which Facebook thinks has a
given friend in it but in reality does not.

~~~
stefanobernardi
They actually have face-recognition algorithms that only show you pics where
the face is clearly visible now.

~~~
steadicat
This is probably also a really clever use of captcha as a way to train their
face-recognition algorithm.

~~~
SammoJ
They already have the faces annotated via the tagging system. To be really
sneaky they could inject faces which have been detected but NOT tagged.
However they probably have enough data anyway - enough being the largest
facial recognition training data set in the world.

~~~
elvirs
The tagging made by users in their photos and face recognition are different.

When a user has to tag someone they are given a standard-sized box to drag over
the person they want to tag, while the face recognition system selects only the
face of the person no matter how big or small it is in the picture.

------
kschua
Wonder if it had anything to do with this
[http://it.slashdot.org/story/11/01/26/1417208/Mark-Zuckerber...](http://it.slashdot.org/story/11/01/26/1417208/Mark-Zuckerbergs-Facebook-Page-Hacked)

~~~
flyt
No, Facebook has been working on this for a while.

~~~
RockyMcNuts
Another possible great moment in Facebook security and privacy - unpeel image
URLs of shared pictures to see albums that are marked private

<http://i.imgur.com/d44kb.jpg>

------
michaelchisari
One feature I've always wanted for any site with a login, is the ability to
send a text message to my cell phone whenever my login/pw is used, with an
option to text back 'no' to deny the login and kick off the user.

This way, when I know it's me logging in, I can just ignore the text, but if
it isn't me (some hacker in Germany, for instance), I can immediately bump
them off, and I don't have to wait for the damage to be done to reclaim my
account.

~~~
flyt
Facebook already supports this (as another commenter says) but you can also
send a text to FBOOK with the text "otp" to get a one-time password that
expires after a few minutes.

If you're in a place where it's likely your computer could be compromised then
this keeps your regular password secure.

------
nano81
Excellent to see FB moving to site-wide https.

Haven't the social captchas been used for some time now? I'm sure I've seen
them before.

~~~
cryptoz
> Excellent to see FB moving to site-wide https.

Except they're not really doing that yet. Read the full section: some Facebook
sections, and most applications aren't yet HTTPS. And it's off by default. And
the setting is hidden deep inside your advanced security settings.

They do say it will be default at some point in the future, which is exciting.
But for the moment, this HTTPS step is just a small one.

~~~
flyt
Gmail SSL support started as opt-in as well, and they didn't have to deal with
a site anywhere near as complex as Facebook. Give it some time.

------
blahedo
The social captcha idea is really clever, but doesn't it just mean that the
first thing a serious hacker will do will be to download your friends list and
at least their main profile pictures?

~~~
beaumartinez
With profile pictures of them it could be an issue; if the friends' photos are
public then it certainly is an issue. There's a bit of irony regarding
Facebook's privacy settings.

------
joshklein
I'm reproducing the comment I left on their blog post below:

My biggest privacy complaint is my inability to change my application/privacy
settings to keep other people from changing MY profile page by tagging me in
pictures.

I do not want people tagging me in photos, and while I explicitly tell people
not to, they still do. I can remove the tag once Facebook notifies me, but I
don't hover around my computer waiting for notices, so there is a period
during which these pictures appear in my status, my albums, my wall, and I
have no ability to keep people from seeing them. This is a violation of my
privacy, to which the only solution is deleting my account to make myself
untaggable; something I don't want to do, because I truly enjoy using
Facebook.

This really needs to change. Please add a privacy/application setting that
either makes you "untaggable", or at least prevents tagged pictures from being
automatically put into your status feed / wall / albums.

~~~
qq66
This already exists.

------
callahad
I'm a little anxious about not being able to recognize enough of my Facebook
"friends."

~~~
code_duck
Yeah, it seems Facebook is overestimating the depth of the average connection
between a member and each of their 467 'friends'.

------
jedschmidt
Facebook is obviously showing only one gender at a time for their social
authentication captchas, but I wonder if the correlation between last name and
ethnicity is enough to collapse the space of possible answers pretty
significantly.

------
markessien
This social captcha is the stupidest idea ever. When I was travelling, I got
locked out of Facebook so many times and was unable to get back in because I
could not figure out who my friends are.

People tag themselves wrongly. A lot of my friends are people from when I was
young - I don't know how they look anymore.

And in Africa for example, you are often using Satellite connections, so
depending on the internet Cafe, you log in from Israel, then Kenya, then South
Africa, all in one day. And you get locked out each time.

Practically, it's very, very retarded.

------
pak
What use is the social captcha if your friends list is public? Many people had
this set because it was the new default when the settings switched some half-
year ago. A lot of them probably don't even realize it.

~~~
flyt
An attacker would have to:

1: Load the social captcha

2: Load your entire friend list

3: Look at the first photo of a friend, then examine every one of your friends
(the average user has a couple hundred) and match them up, assuming that their
profile photo is similar to the randomly-selected photo from the social
captcha

4: Repeat this whole process two more times

Social captchas protect you against somebody from Nigeria hacking your
account, and make this process more computationally intensive. Even if they
_did_ login to your account after all this work you'd end up getting an email
and SMS saying that there was a login from an unrecognized computer.

~~~
bedris
_Look at the first photo of a friend, then examine every one of your friends
(the average user has a couple hundred) and match them up, assuming that their
profile photo is similar to the randomly-selected photo from the social
captcha_

The example posted on the FB site looked like a multiple-choice selection was
to be made, so the putative hacker would only have to look up those six
friends, not look through all of your connections.

------
philthy
I don't see what has taken the HTTPS implementation so long, and why is it
user opt-in? Most of the user base doesn't even know you can have privacy
settings, let alone what the benefits of an HTTPS connection actually are.

Can anyone answer me how it is safe to have the advertising accounts which
require credit card information to make payments, not be HTTPS like they are
currently? How has there not been a serious breach with all the kiddies
running around with Firesheep and the like?

Fuck the social captcha, how about Facebook nationalizes the best non-
obtrusive apps (I don't know of any, but maybe there are some) and eliminates
third party shit from the site entirely. Third party crap apps will destroy
the site if not kept in check.

------
amalcon
So, they're enabling HTTPS, but telling people that it's an account setting
and adding an authentication system that will lock out Farmville players. Why
am I not impressed?

------
elvirs
Did you notice that most of the comments on the Facebook blog post are made by
ladies?

Looks like they are more concerned about the security of their accounts than
men are.

------
ladon86
It's about time.

