Social Networks
Well, some of you have heard me rant about Social Networks, Facebook being an example, already, but here's a new one.
I had the great opportunity to have both a really informal breakfast (only 5 students, and the speaker) with a CMU professor who is looking at Social networks and privacy issues. Before I go further I should stress there's no such thing as privacy online. At least, not for the average user.
Facebook, after I started using it, really bugged me. There is no way to turn off displaying your email at all. Yes, it's displayed as an image, but it's not CAPTCHA text, so can be "decrypted" on the fly in Perl. Using a Perl module called WWW::Mechanize, you can mine whatever you want from any profile. You can even do batches of profiles. Here are my findings so far.
Groups
Facebook numbers groups, starting from 0, and working up. Since not every number is a group, I assume that deleted groups just have their number removed. However, you can still "join" that group. Very fun. How could this be improved? Get a random number for each group, and set the upper bound several orders of magnitude higher than the expected number of groups. Then, if a bad group number is given, log the user out, and return them to a login page. So, if you expect 35,000 groups, make the random numbers be between 0 and 3 million. You only need a few more bits, and there is the same number of numbers actually used. Oh, and Facebook limits you to 101 groups at any time.
Profiles
My major bone of contention. Each profile is indexed by a number that is sequential for the school. Indiana's start is 680001, and the profile is "The Creator". Interesting, huh? Count up from there, and they're almost all correct profiles. How can you fix that? Do what they do with email. Have a random number tacked onto the profile. So, instead of following php?user=######, you'd have to follow php?user=######&rand=######. If the random number doesn't match what's on file, you do the same as if they guess a bad group. Yes, you can still easily get that number by visiting every page, but it would make it so you actually have to spider every profile, not just start a counter, and view every profile. Also, these user ids are easily stolen through the search feature. It's the same as used by the message page, so, even if you can't view someone's profile, you can still get their user id. That's a problem, in my mind, and could be fixed by having a separate mail ID, such that you can't link one to the other without actually being able to view the user's profile anyways. Again, MAKE the attacker spider the whole site, it's easier to see.
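The two fixes proposed under Groups and Profiles, sketched server-side as an added example (not code from Facebook or from the original post). The `Directory` class, its method names and the session handling are assumptions made for illustration; the 3 million ID space and the six-digit `rand` come from the text above.

```python
import hmac
import secrets

GROUP_ID_SPACE = 3_000_000  # the post's figure: ~35,000 groups drawn from 0..3 million


class Directory:
    """Hypothetical lookup layer; every name here is an assumption, not Facebook's code."""

    def __init__(self):
        self.groups = {}    # random group id -> group name
        self.profiles = {}  # sequential user id -> (rand token, display name)
        self.misses = {}    # session id -> count of rejected lookups

    def create_group(self, name):
        # Draw ids at random from a sparse space so a counter mostly hits nothing.
        while True:
            gid = secrets.randbelow(GROUP_ID_SPACE)
            if gid not in self.groups:
                self.groups[gid] = name
                return gid

    def create_profile(self, user_id, name):
        # Six digits mirrors the post's rand=###### placeholder.
        rand = f"{secrets.randbelow(10**6):06d}"
        self.profiles[user_id] = (rand, name)
        return rand

    def _reject(self, session):
        # Same answer for every bad request, plus a per-session tally that
        # makes a counting script stand out in the logs.
        self.misses[session] = self.misses.get(session, 0) + 1
        return ("logout", None)

    def get_group(self, session, gid):
        if gid not in self.groups:
            return self._reject(session)
        return ("ok", self.groups[gid])

    def get_profile(self, session, user_id, rand):
        stored = self.profiles.get(user_id)
        # Unknown user and wrong rand are indistinguishable to the caller.
        if stored is None or not hmac.compare_digest(stored[0].encode(), str(rand).encode()):
            return self._reject(session)
        return ("ok", stored[1])
```

The `misses` tally is what makes the "easier to see" point concrete: a session that racks up rejections is guessing IDs, and it can be flagged or throttled.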
Details
By default Facebook makes everything completely open. Ok, anyone from your school can see anything on your profile. Let the fun begin. Have a phone number? It can be sold to telemarketers. Email? Sold to spammers (and that's on every single profile, some have multiple ones). Address? Snail-mail spam, stalking, fake pizza orders. Combine all the info given, DOB, address, etc, and you could even get access to bank accounts, or forge an ID. How can that be fixed without people realizing this is all open info to anyone in the world? By simply making the default level be to NOT show up in searches, NOT display information, etc. Make the users turn on everything, and give them a warning that "Hey, your information can be stolen, this is not secure". Even Facebook's privacy statement says that! Also, the email should *never* be shown, unless specified by the user. Yes, it's handy for emailing people, but why not just ask them for their email? It's nowhere near essential to post this in the open.
Well... it turns out that all Social networks can be exploited, even real life ones... go figure. So, those of you on a MySpace account are even more vulnerable, as this great guy shows. Yes, he wrote a worm for MySpace profiles, sheer genius. But MySpace also uses the numbered profile system. In fact, every social network I've found does. Very interesting. A few alternatives occurred to me, which I have to flesh out a little, but they result from work that's been done at IU. Assuming you require a login, and a good system for authenticating registration, I think Online Social Networks could be made much more secure.
But until then, I'm systematically trying to delete myself from the Internet. Public offices I hold, such as Sexy Webmaster for NRHH will remain, as I believe in higher accountability for those in public office, but others... well... we'll see. I have to keep the Facebook account to keep playing with it, but I'd like to see it die by the year's end. All of 'em (If you don't know how many I have... well... bully to you). That's the main reason I keep this blog anonymous. Yeah, you could figure out who I was if you correlate enough data, and do some facial analysis on the pictures I have, or just know me anyways, but a script won't pick it up. That's also why I don't publish others' names here unless they specifically tell me to.