Thursday, January 27, 2011

Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?

We've actually talked about this sort of thing considerably within my research group, so it's hardly a new idea, but it's still interesting because I hadn't heard of a large scale implementation of this before: Nevermind CAPTCHA, Facebook Asks If You Know Your Friends.

They're calling it "social authentication" where rather than reading obfuscated text as in a normal CAPTCHA, you're asked to identify friends.

"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," writes Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."

Of course, that's not true at all. For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.

I'm curious to see how well it works in practice, though. CAPTCHAs in their current "mangled text" form relied on assumptions about the ineffectiveness of computer text recognition... assumptions that have been rapidly broken as determined attackers and researchers have improved our text recognition algorithms. (Nowadays, many CAPTCHAs can be bypassed with a higher than 90% success rate. Here's a link to one such paper, but a web search will turn up many others.)

So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk. Facebook will lead to some great cases: What about when your friends are in costumes? Wearing different makeup? Different lighting? Different poses? Different hair?

Beyond the usual Halloween costumes, my Facebook friends include theatre geeks, haunted house aficionados, members of the 501st Legion of Star Wars costumers and folk involved with things like the Society for Creative Anachronism. Will my friends' and acquaintances' penchant for elaborate costumes mean that I'm more secure? Or will it mean that I'll have more trouble identifying them in photos unless I've seen their standard costumes before?

Mostly I'm torn between excitement at new gains in image processing and a vague sense of unease when I contemplate the potential applications of better facial recognition software.

"My account got hacked"

Some bite-sized wisdom from Jeremiah Grossman:

Funny how people, "my account got hacked," rather than "someone hacked into my account", like they think getting hacked is an act of nature.

I had a good laugh, but it's got me wondering... given how frequently attacks occur online, maybe it really does make sense for people to conceptualize attacks as something that just happens as opposed to something more akin to "that guy robbed me." Makes it easier to deal with somehow, or perhaps easier to accept that there will likely be no retribution?

And more disturbingly, does this "act of nature" approach to hacking explain the general public's sometimes apathetic response to routine privacy violations, both online and offline?

Wednesday, January 26, 2011

Zuckerberg... hacked?

There's an amusing story up on TechCrunch suggesting that Mark Zuckerberg's fan page may have been hacked.

Obviously, Zuckerberg didn’t actually write it. Or at least, we’re pretty sure he didn’t. Instead, it would appear that his fan page was hacked. Facebook has now taken down the page — but not before we grabbed a screenshot.

Honestly, these things happen. But what made the story actually funny to me was this tweet:

@snipeyhead Hah. FB is flagging the Tech Crunch article reporting on Zuckerberg's fan page hack as "abusive or spammy" #classy

Edit: More news on what happened according to Facebook: Facebook blames bug for Zuckerberg page hack

Ethical hacking? How about some ethical writing?

Now, I haven't verified this at all, but here's an interesting link for you: Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized.

An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.

Given my experiences with plagiarism among my undergraduate students and the recent Cooks Source plagiarism story (which attracted quite a lot of attention)... I'm sadly inclined to believe that this entire book may be plagiarized.

What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection." Emphasis mine.

Monday, January 17, 2011

Facebook now enabling annoying phone calls and paper junk mail?

Sophos points out that Facebook has made yet another change to the way it handles your information: this time, allowing third-party developers access to contact information on Facebook.

Now, part of me wants to just shrug: it's always been technically possible for third-party developers to get access to this information because of the current state of web security. It's long been true that anyone who can execute JavaScript in your browser on a site (e.g. every Facebook app) can gain access to anything you can see. So if your friend installed FarmVille and you've allowed your friend to see your phone number, FarmVille can see your phone number (and the pictures of you in that horrible Halloween costume, and that drunken post you made on your ex's wall...). And if you install FarmVille, they can even more easily glean your phone number and anything else on your profile. What Facebook's doing is in some ways good: they're helping to make this clear to users, and maybe even helping to track who is actually looking at and using that info.

But of course, most people aren't aware that this has always been possible, so they're suddenly envisioning FarmVille sending them paper brochures filled with new crop info, or phoning all their friends to ask why they haven't helped out on the farm lately. Maybe an automated call would help convince you to join the game and seek out that lost kitten?

And maybe those third party apps didn't realize they could do it either, and they're salivating over the extended marketing possibilities. Technically possible doesn't imply endorsed by Facebook the way putting the ability into the API does, so while getting this information might have been in the realm of sketchy scams before, now it's going to be considered a legitimate asset by more companies. After all, you consented when you installed the app. And remember, corporate assets do tend to be about making money, so don't assume they won't sell those lists.

So, while it was technically feasible before, maybe now is a good time to reconsider what data you keep within Facebook. And it's always a good time to re-evaluate which applications you have installed or will install. As always, I recommend that you don't leave anything on Facebook you wouldn't want shared with the world, so now's a great time to delete your phone number and address from your Facebook profile. And if you don't? Well, don't be too surprised when you start getting texts saying that someone needs help with their FarmVille crops.

Monday, January 3, 2011

A bit late: Santa's privacy policy

A bit late, but sent to me by a few folk as a fun follow up to A brutally honest privacy policy, here's a gem of a privacy policy from... Santa Claus.

Santa Claus requires your information in order to compile his annual list of Who is Naughty and Who is Nice, and to ensure accuracy when he checks it twice. Your information is also used in connection with delivering the kinds of goods and services you've come to expect from Santa, including but not limited to toys, games, good cheer, merriment, Christmas spirit, seasonal joy, and holly jollyness.

Read the rest here: "Santa's Privacy Policy" and leave those Christmas decorations up just one more day before getting back to regular old January.