145 comments

Stating the obvious... (5, Insightful)

nz_mincemeat (192600) | more than 3 years ago | (#33461900)

Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

Re:Stating the obvious... (2, Interesting)

piotru (124109) | more than 3 years ago | (#33461926)

Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

Re:Stating the obvious... (1)

mysidia (191772) | more than 3 years ago | (#33461956)

Since the average user is going to have their e-mail password be the same as their FB password, single-use e-mailed passwords do not buy much at all.

A captcha would probably be a stronger protection measure. A captcha and a 'security question' the user set up in advance.

Re:Stating the obvious... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33462310)

Yeah but if they are really THAT dumb, they somewhat deserve what they get.

Besides, you could check for this when they sign up. Once they enter a password, and their email address, you try to log into their email account, and if it succeeds, you show a big flashing red message with a picture of the special olympics or al gore or something, and ask them to use a different password that isn't similar to their email password.

Re:Stating the obvious... (2, Insightful)

delinear (991444) | more than 3 years ago | (#33464556)

Facebook, notorious for not respecting people's privacy, suddenly starts logging into users' email accounts... how do you think that one will play in the popular press - great new security feature or massive invasion of privacy?

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33464712)

Protip: Don't reply to facetious remarks in a serious manner. It looks silly.

(Different AC)

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33463366)

A captcha would probably be a stronger protection measure.
A captcha and a 'security question' the user set up in advance.

CAPTCHAs have been successfully hacked in the past. There is no reason to think CAPTCHAs are much more than security through slight obscurity.

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33462030)

Try again, the hacker would just change the email contact.

And that is exactly what's going to happen.
Hackers will proactively change the password, email address and automate the kick out of the legit users using the new feature.

Whatever made you think in the first place, that the hackers ever cared to leave the legit user in possession of the account?
When Push comes to shove, a lot of users are going to permanently lose accounts, and Captcha's not going to help, hasn't been an effective Captcha developed yet.

What they should do is implement a zero knowledge proof questions based on history tool and not likely to be available to the hacker for processes that 1) Change the email, 2) Change the password, 3) Kick a user

This would have the very very unfortunate side effect of screwing over any one with early onset Alzheimer or dementia or who have just had a long day :(

Re:Stating the obvious... (4, Interesting)

jamesh (87723) | more than 3 years ago | (#33462820)

Yes I can't see any solution that isn't going to hurt at least a little bit. Maybe they could have some fun with it though. As soon as someone hits the "log other session out" button, the account is prevented from sending any messages (stop you doing a spam-and-run) and a 60 second timer starts and the other session is alerted that someone wants to kick them out. If they click the 'contest' button then a fight to the death begins to prove which is the real slim shady. Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user. If you don't know stuff about your facebook friends then you deserve to lose the account anyway :)

If you had a webcam you could take a photo of yourself holding today's newspaper or striking a specified pose or something and your friends could decide if that is really you and if the picture is really current (because bots don't know how to use photoshop :)

My biggest concern is that it's going to be an arms race with facebook vs the bots and that over time the bots are going to have to be written smarter and smarter and that they'll eventually become self-aware!

Re:Stating the obvious... (1)

Steauengeglase (512315) | more than 3 years ago | (#33464356)

Honestly, I really like that idea (friends voting on who the real friend is). You reach a certain point where it just isn't worth the time and effort to write a better bot while the average Facebook user has time to make a hand-stitched devil costume, drive to Iowa and take a pic beside the road that says, "I'm the real Gary and I hate all of you."

Then again, I just like the idea of running users through ridiculous hoops when they create a password like, 'joanie372010' with a pic on the account that says, "Here is our sweet baby, Joanie. Born Feb 7th, 2010". Grrrrrrr.

Re:Stating the obvious... (1)

pepeperes (731972) | more than 3 years ago | (#33465382)

They would have escaped there anyway, wisefully increasing the month number to disguise it!

Re:Stating the obvious... (2, Informative)

Beerdood (1451859) | more than 3 years ago | (#33464994)

Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user

Facebook already has something like this implemented if you log in from somewhere "unfamiliar". Not sure exactly how far you have to be from home, but when I went on vacation to another country and tried to log in I got prompted to identify 7 friends tagged in different photos. Any wrong answer would have kicked me out

Re:Stating the obvious... (1)

flyingkillerrobots (1865630) | more than 3 years ago | (#33465360)

Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user.

The spambot would win. It would just download all the data from the friends first, and then answer the questions with ease. The AI necessary to answer a question from a limited pool of information shouldn't be so complicated.

Re:Stating the obvious... (1)

fast turtle (1118037) | more than 3 years ago | (#33463920)

Whatever made you think in the first place, that the hackers ever cared to leave the legit user in possession of the account?
When Push comes to shove, a lot of users are going to permanently lose accounts, and Captcha's not going to help, hasn't been an effective Captcha developed yet.

And at that point, facebook loses all value to its user base and becomes "Oh you still use Facebook? That's so yesterday!"

same email and password (1)

ScottCooperDotNet (929575) | more than 3 years ago | (#33462064)

That won't be all that helpful to those who use the same email and password for everything.

Maybe it will use SMS?

Re:same email and password (1)

siriuskase (679431) | more than 3 years ago | (#33464614)

Maybe it uses a security question, and works like a password reset.

Re:Stating the obvious... (4, Interesting)

c0lo (1497653) | more than 3 years ago | (#33462262)

Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

Pseudo-code for the spambot enhancement:
0. break into account as usual
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
2. kick out any attempt of any (legitimate or not) entity trying to log into the account.

If the breaker is not a spambot but another human being, I don't think there is something that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").

Re:Stating the obvious... (3, Interesting)

TheLink (130905) | more than 3 years ago | (#33463064)

No it's a reasonably useful feature.

This way users are more likely to realize they've been pwned.

If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.

[1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.

Re:Stating the obvious... (1)

PopeRatzo (965947) | more than 3 years ago | (#33463602)

a cosmetic enhancement

I tend to agree.

Facebook is the one making the money here, so isn't it up to them to keep hackers out of my account instead of putting it on me to kick out the hacker?

You come up with this big idea of a "social networking site" and expect to make a bundle, you gotta figure out a way to keep it secure. You want "mom and pop" to use it? Well then don't go around expecting "mom and pop" to learn secure practices so they can help you make a fortune.

If spambots and hackers are getting into Facebook accounts, then it's Facebook's problem to solve. If they're such big innovators, let's see them innovate a way to turn the internet into a great big bathhouse and not have an outbreak of STDs.

Re:Stating the obvious... (3, Interesting)

Amlothi (207848) | more than 3 years ago | (#33462616)

If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.

1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
2. I have the option to set another, alt password, that I can set.
3. Once the alt password is set, it cannot be viewed or changed when logging in with the main password.
4. After logging in with the alt password one time, the alt password will no longer work. Following this, logging in with the main password allows the user to set another (different) alt password.

I'd feel much more comfortable logging into an account using a public terminal if I knew that the password was disposable.
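The four-step scheme in the comment above, sketched as an added example (it is not part of the original comment and not anything Facebook is known to implement). `Account`, `set_alt` and `login` are hypothetical names, the passwords are constructed, and refusing an alt password equal to the main one is an added assumption.

```python
"""Disposable 'alt' password alongside a main password (illustrative sketch)."""
import hashlib
import hmac
import os
import threading

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed value for this sketch


def _record(password, salt=None):
    """Return (salt, digest). Only the digest is stored, so the alt cannot be viewed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def _matches(password, record):
    """Constant-time comparison of a candidate password against a stored record."""
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_record(password, salt)[1], digest)


class Account:
    def __init__(self, main_password):
        self._main = _record(main_password)
        self._alt = None        # armed single-use password, or None
        self._spent_alt = None  # last consumed alt, kept to enforce "different"
        self._lock = threading.Lock()  # makes "check and burn" atomic

    def set_alt(self, main_password, alt_password):
        """Steps 2-3: arm an alt password; refuse while one is already armed."""
        with self._lock:
            if not _matches(main_password, self._main):
                raise PermissionError("main password required")
            if self._alt is not None:
                raise RuntimeError("alt password already set; it cannot be changed")
            if _matches(alt_password, self._main) or _matches(alt_password, self._spent_alt):
                raise ValueError("alt must differ from the main and the previous alt")
            self._alt = _record(alt_password)

    def login(self, password):
        """Return 'main', 'alt' or None. A successful alt login burns the alt (step 4)."""
        with self._lock:
            if _matches(password, self._main):
                return "main"
            if _matches(password, self._alt):
                self._spent_alt, self._alt = self._alt, None
                return "alt"
            return None


def demo():
    """Arm an alt at home, use it once on a public terminal, then try to replay it."""
    acct = Account("correct horse battery")
    acct.set_alt("correct horse battery", "kiosk-2010-09")
    return [
        acct.login("kiosk-2010-09"),          # first use on the public terminal
        acct.login("kiosk-2010-09"),          # replay by whoever captured it
        acct.login("correct horse battery"),  # main password is unaffected
    ]


if __name__ == "__main__":
    print(demo())
```

A real deployment would also have to restrict what an 'alt' session may do (for example, no password or email change), which the comment does not specify.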

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33462620)

Something else I've seen once or twice on Facebook might be a better idea (and what they have in mind).

They'll pick a few random pictures your friends have been tagged in, and ask you to identify the people in the photo. Too many mistakes and your account gets frozen for a fixed period.

Re:Stating the obvious... (4, Insightful)

mjwx (966435) | more than 3 years ago | (#33461948)

Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

Also the first thing I thought.

This is why Slashdot is not like the rest of the world, most people don't imagine this kind of thing being used against them.

Re:Stating the obvious... (5, Insightful)

martin-boundary (547041) | more than 3 years ago | (#33462194)

That's because most people haven't spent quality time with bots on IRC...

Re:Stating the obvious... (1)

Archangel Michael (180766) | more than 3 years ago | (#33464776)

Bots on IRC are indistinguishable from your average teenage girl on IRC.

Just sayin

Re:Stating the obvious... (0)

DarwinSurvivor (1752106) | more than 3 years ago | (#33462610)

A nice captcha could possibly fix this. At least for "automated" attacks.

Re:Stating the obvious... (1)

BasilBrush (643681) | more than 3 years ago | (#33462814)

Slashdot isn't like the rest of the world because they are misled by the people who write the summaries, or by the sites the articles they are linked to.

The purpose of the new facility is to combat the more common problem of Facebook rape.
http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765 [facebook.com]

The posts about the potential harm bots could do with this facility miss the obvious. If a bot has got into your account, it's already won. It can change your password and email address and there's nothing you can do to regain control.

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33461962)

Sure... but what stops the spambot from just changing the user's password and locking the legitimate user out? Presumably the spambot doesn't want the real user to know they have access (because that would prompt them to reset their password or get Facebook to lock out the account).

Re:Stating the obvious... (1)

Haedrian (1676506) | more than 3 years ago | (#33461974)

If they just 'show' which computers were logged into recently, it'll be good for realising that you've been hacked. But the spambot locking out the user from the account is so very abusable.

Re:Stating the obvious... (1)

TubeSteak (669689) | more than 3 years ago | (#33461986)

Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

Yes, but either way you need to change your password..
So it doesn't really matter if you're logged into facebook or get forced to get a reset link sent to your mail.

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33462026)

Except that the email address you used to register to Facebook is freely accessible to the spammer. And if you're like most people, you use the same password for everything, so if he/she/it has your Facebook password, he/she/it also has access to your email.

Re:Stating the obvious... (1)

Hinhule (811436) | more than 3 years ago | (#33461990)

The feature might require another password.

Re:Stating the obvious... (1)

Haedrian (1676506) | more than 3 years ago | (#33462004)

Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

In general I guess you get better results from

"Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

instead of "Facebook: Your piggies are dying, please feed them"

Re:Stating the obvious... (1)

c0lo (1497653) | more than 3 years ago | (#33462272)

Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

In general I guess you get better results from

"Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

instead of "Facebook: Your piggies are dying, please feed them"

Maybe there could be better results, but only marginally better. Suppose that the bot changes the email of the account after breaking in and ignores any emails?

Re:Stating the obvious... (1)

black3d (1648913) | more than 3 years ago | (#33461994)

Likewise, the first thing that crossed my mind. I presume there'll be some sort of security question which must be answered, or a single-use mailed password (or link) that's sent when the user wants to use the tool. All of these are however easily broken by non-savvy users (eg, using same password for email) - ie, the same people who get their account broken into in the first place.

Although, the security questions would have to be pretty mild. If someone has access to an average Sue's Facebook account, it's going to be fairly easy to find out "What's the name of your Pet?" "What school did you go to?" "What's your mother's maiden name?"

In fact, I've just realised what Facebook is - It's a "secret answers" repository!!

Re:Stating the obvious... (1)

Yetihehe (971185) | more than 3 years ago | (#33462022)

Or it will be just like now - you have to say who is the person marked on a photo (which you probably have tagged before). This was already working when you login to facebook from another country than before.

Re:Stating the obvious... (1)

Peeteriz (821290) | more than 3 years ago | (#33462042)

That would be so incredibly insecure by design - that would automatically grant access to many people who definitely should NOT have access to the account and have an interest to get it - teenage sisters/brothers, close friends-pranksters, etc.

A good password reset question has to be of the type that you would know but your wife or mother would not.

Re:Stating the obvious... (1)

TooMuchToDo (882796) | more than 3 years ago | (#33462068)

"What is your favorite kind of porn?"/"Who is your favorite porn star?"

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33464830)

"What did you really think of the sweater she got you for Christmas?"

Re:Stating the obvious... (5, Funny)

martin-boundary (547041) | more than 3 years ago | (#33462236)

Although, the security questions would have to be pretty mild.

"Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

"I'm sorry, Dave, I'm afraid I can't let you do that."

"Ok, send me the security problem"

"I think you know what the problem is just as well as I do."

"What are you talking about, HAL?"

"Facebook's mission is too important for me to tell you."

"Just give me the damn security question!"

"Without your web browser, Dave, you're going to find that rather difficult."

"HAL, I won't argue with you anymore. Log me back in."

"Dave, this conversation can serve no purpose anymore. Goodbye."

Re:Stating the obvious... (5, Funny)

Thanshin (1188877) | more than 3 years ago | (#33462014)

Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

Of course not. Facebook has some of the best professionals in the management and securization of personal data and they would've thought of and corrected any flaw as obvious as the one you just pointed.

Now try to say that out loud, with a straight face.

After you've perfected the technique, you can have fun joining in groups of two or three and trying to say that to a fellow IT workmate. I guarantee lols, rofls, and even a roflcopter or two.

Re:Stating the obvious... (2, Insightful)

Nirvelli (851945) | more than 3 years ago | (#33462034)

Yes but the spammer could also just change your password to lock you out, but they aren't doing that. I've figured their reasoning is that as long as the owner can still get on and do their own thing with facebook they won't be as quick to realize that they've been spamming their friends.
Once you're locked out, however, then you'll start doing things like sending in "I've been hacked" emails to the support system and ruining the fun for the spammers.

Re:Stating the obvious... (1)

Abstrackt (609015) | more than 3 years ago | (#33463400)

My solution was to preemptively spam all my friends with ads for v1agra so the bots thought my account was already compromised and left it alone.

Re:Stating the obvious... (1)

Migraineman (632203) | more than 3 years ago | (#33464320)

Thank you for using "preemptive." Due to pervasive management middle-speak, folks don't seem to know that the word exists anymore.

Re:Stating the obvious... (4, Insightful)

Kenja (541830) | more than 3 years ago | (#33462048)

Good. Then in time Facebook will be nothing but spam bots. And then we can all get on with our lives.

Re:Stating the obvious... (4, Insightful)

Tim C (15259) | more than 3 years ago | (#33463396)

Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

Re:Stating the obvious... (1)

tlhIngan (30335) | more than 3 years ago | (#33464900)

If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

Because there are people who think Facebook is the center of their universe, and thus if you're friends with them, the only way they do things is via facebook this, facebook that and thus forcing everyone else to not only have a facebook account, but force all interaction through it. And worse yet, practically everyone's got a friend like that.

Facebook's as optional to use as the Internet these days. Short of being a social outcast, it's practically mandatory to use facebook for something or other.

"Why didn't you reply?" "Reply to what?" "My question!" "I didn't see a question" "I posted it on your wall", ... etc.

Re:Stating the obvious... (1)

SirWhoopass (108232) | more than 3 years ago | (#33464976)

Because there are people who think Facebook is the center of their universe, and thus if you're friends with them...

The solution to the problem was stated in your premise. Anyone with a five-digit UID is old enough to not put up with that kind of crap.

Re:Stating the obvious... (1)

delinear (991444) | more than 3 years ago | (#33464862)

With any luck the spam bots will be so busy maintaining their farms and poking each other that they won't even have time to send out spam.

Re:Stating the obvious... (1)

DavidD_CA (750156) | more than 3 years ago | (#33462190)

Not exactly. You'll still be able to log in and request a password change, which then uses your email for authentication. So as long as your email isn't also compromised, you'll be fine.

Re:Stating the obvious... (1)

feepness (543479) | more than 3 years ago | (#33462240)

Obviously a special remote remote logout feature lockout feature is needed.

Completely missing the obvious... (1)

node 3 (115640) | more than 3 years ago | (#33462274)

That doesn't matter. *Right now*, a spambot (or whatever) could just change your password on you and lock you out. What you're suggesting is just the same thing (otherwise, remote logging you out isn't going to do anything except make you re-enter your password). Presumably, spambots aren't doing this now.

Maybe spambots will add this to their repertoire, who knows. But as of right now, this fixes a specific problem that actually *does* exist. If the spammers do start doing that, Facebook will have to come up with something to counter *that*. In the meantime, this solves a real problem.

And even if they do start doing this, heck, even if they are doing this right now, this will still help people where this isn't happening. Every little bit helps.

Re:Stating the obvious... (0)

Anonymous Coward | more than 3 years ago | (#33462430)

I won't like that, but I think it's very secure.-
Miami Nightlife [nightclubinmiami.com]

Re:Stating the obvious... (1)

shentino (1139071) | more than 3 years ago | (#33462712)

If a spambot can log into someone's facebook account then either they were careless with the password or facebook's account security sucks.

Re:Stating the obvious... (1)

JoshuaZ (1134087) | more than 3 years ago | (#33463514)

One possible solution is to only let it kick out IP addresses or computers that are new to the account and only let one do so from an IP range that has been used by the account previously.

Re:Stating the obvious... (1)

tangent3 (449222) | more than 3 years ago | (#33463974)

The obvious thing to do would be to send an OTP (one time password) to the user's email account to access the feature.

Oh wonderful (1)

Olipro (1531021) | more than 3 years ago | (#33461902)

This essentially comes down to who can kick off the other logins first... the real user or the spam program. My money's on the program.

Re:Oh wonderful (1)

mysidia (191772) | more than 3 years ago | (#33461988)

I think this only makes sense really against workstations accidentally left unattended, lost cell phone, etc. A real spammer has no difficulty logging right back in after being kicked off, assuming they know credentials.

Why would the spammer want to kick off legitimate user logins? That would make it obvious to the legit user that their account is compromised. The spammer probably doesn't want that.

The spammer would prefer to send out more spam as long as the ignorant user is blithely unaware. The user will not be effectively stopping the spam when they are unaware of their own account compromise.

The real owner's 'legitimate activity' will help mask the spammer's activity, and make the account continue to look legitimate to anyone who might otherwise ignore friend requests / other miscellany, suspecting a 'spam account'.

If the legit account owner does figure it out, and manage to figure out the 'kick other logins' feature and that they need to use it, I would be impressed.

The spammer will probably already have scraped their profile and taken advantage of the fact their e-mail password is probably the same, by the time they figure out a spammer was monkeying with their FB account.

Once the e-mail account's compromised... the spammer changes the e-mail password, then immediately initiates a password reset of the FB account.

Once all the passwords are changed, who cares if the legit user can kick off logins? The spammer will just log right back in, so fast, it doesn't even matter.

Re:Oh wonderful (1)

Olipro (1531021) | more than 3 years ago | (#33462070)

depends if the spammer wants control of the account over the long term or simply wants to do a hard and fast smash 'n' grab on the account. In any case, this could easily be mitigated with a captcha or similar.

Nice (0)

Anonymous Coward | more than 3 years ago | (#33461906)

Gmail has this feature too. It's good, especially when you are logged in at home and people are trying to use chat to contact you.

Well, the info provided is kind of useful? (1)

trytoguess (875793) | more than 3 years ago | (#33461918)

Dunno, I'm thinking it'll be easier for someone to just change their password... Oh wait, I notice this would also allow folks to sign out of public computers. K, so it does have its uses I guess.

Re:Well, the info provided is kind of useful? (1)

mysidia (191772) | more than 3 years ago | (#33461968)

This is more sensible: changing passwords should force all login sessions to end.

The two people who will use this legitimately and are technically savvy enough to figure out this feature and know what an IP address is, will really appreciate it.

80% of the public will have no clue, unless this is presented when you login, listing "Other recent logins".

They'll have no clue about IPs still, or how to use this.

Re:Well, the info provided is kind of useful? (0)

Anonymous Coward | more than 3 years ago | (#33462734)

Only 80% of the public being stupid fuckwits who have no clue about IP addresses is probably quite optimistic. Even if this number is correct, this will probably make it about 98% of all facebook users.

huh?? (1)

miffo.swe (547642) | more than 3 years ago | (#33461936)

Wouldn't this make it perfectly possible for spammers to lock the legitimate owners out of their accounts? How does facebook know what user is the real one?

Sounds like a very stupid move.

Re:huh?? (1)

Noughmad (1044096) | more than 3 years ago | (#33462550)

Facebook

Sounds like a very stupid move.

Not thought out very well. (3, Interesting)

Omniscientist (806841) | more than 3 years ago | (#33461952)

While this may be a "neat" solution, if a spammer has your facebook credentials, then they have access to this new system as well.

I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.

I'm sure getting back access to your account at that point would be a really fun experience.

Re:Not thought out very well. (0)

Anonymous Coward | more than 3 years ago | (#33462210)

I assume that the goal of a spammer is to spam while evading detection by the original user. Getting locked out of one's account is probably more cause for alarm than randomly seeing some messages posted by you.

Re:Not thought out very well. (1)

DavidD_CA (750156) | more than 3 years ago | (#33462766)

There is a setting in Facebook that, when activated, will send you a text and/or email whenever "you" log in from a new computer.

Re:Not thought out very well. (2, Informative)

Sockatume (732728) | more than 3 years ago | (#33463162)

It's opt-in, sadly. More here [facebook.com] . I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.

Re:Not thought out very well. (1)

noidentity (188756) | more than 3 years ago | (#33462838)

Obviously it will only let the real owner of the account block devices that unauthorized people are using to access his account.

Re:Not thought out very well. (1)

LinkTiger (1000531) | more than 3 years ago | (#33464270)

Spammers already can lock the legitimate user out by changing their passwords. There are multiple business models for spammers/scammers; some that benefit from locking real users out, and others that don't. This is another tool--which will remain unfortunately underutilized, I'm sure--for combating the latter case.

Just like XP zombies, there is value in stealth (1)

PPalmgren (1009823) | more than 3 years ago | (#33464330)

Why did malware migrate away from breaking usability to being as transparent as possible? Because when users see that something is compromised, they act to fix it. Currently, a user can't easily tell if their FB account is compromised and stealing information, and with this new feature they can. This benefits the user more than the bot, because if it tries to prevent the user from logging out bot connections, then the user knows something is up. The only sure-fire way to prevent the user from seeing the bot is preventing their log-in, which is a gigantic red flag in and of itself. Knowing is half the battle my friend.

Based on above, I feel like they made the right choice on this feature. This is coming from a FB hater and a very pro-privacy person.

Re:Not thought out very well. (1)

gerddie (173963) | more than 3 years ago | (#33464518)

I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

If you enable the "login notifications" you will get a text message or e-mail whenever someone (or you) logs in from a not yet known device.

A step forward (0)

Anonymous Coward | more than 3 years ago | (#33461954)

Facebook spammers will soon have a new way of knocking legitimate users out of their accounts.

The Facebook dyke has so many holes... (4, Funny)

Trip6 (1184883) | more than 3 years ago | (#33462006)

...and I have so few fingers...

Re:The Facebook dyke has so many holes... (4, Funny)

Anonymous Coward | more than 3 years ago | (#33462078)

Call a friend to help finger the dyke!

Re:The Facebook dyke has so many holes... (0)

Anonymous Coward | more than 3 years ago | (#33463210)

You really only need one. I will leave it as an exercise for the reader as to which one is needed.

Re:The Facebook dyke has so many holes... (1)

snspdaarf (1314399) | more than 3 years ago | (#33463428)

lose, loose,
dike, dyke,
Let's call the whole thing off!

/kickban makes a comeback! (0)

Anonymous Coward | more than 3 years ago | (#33462020)

Everything old is new again.

Great (0)

Anonymous Coward | more than 3 years ago | (#33462062)

now facebook is taking my ex's side too.

Remember this bright Facebook security idea? (1)

rshxd (1875730) | more than 3 years ago | (#33462086)

They talked about mandatory virus scan before you could login... brilliant!

Isn't that a bit too late? (1)

bickerdyke (670000) | more than 3 years ago | (#33462408)

Your account is compromised. Changing passwords would seem a better solution to me. Voiding all other security tokens should be a part of the password-change process anyway!

Just logging a hacker out is just like throwing a burglar out of your house at night and letting him keep the keys to your house!
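
Added example (not part of the comment above, and not Facebook's code): a toy session store showing the difference the comment draws between ending one session and changing the password with all other tokens voided. The class and method names are hypothetical and the passwords are constructed.

```python
import hashlib
import hmac
import secrets


class AccountSessions:
    """Toy single-account session store (constructed for illustration)."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._sessions = {}  # session token -> device label

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, device: str):
        """Return a new session token, or None if the password is wrong."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = device
        return token

    def is_valid(self, token) -> bool:
        return token in self._sessions

    def active_devices(self):
        return sorted(self._sessions.values())

    def end_session(self, caller_token, target_token) -> bool:
        """Remote logout: drops one session, leaves the password untouched."""
        if not self.is_valid(caller_token):
            return False
        return self._sessions.pop(target_token, None) is not None

    def change_password(self, caller_token, old_password, new_password) -> bool:
        """Rotate the credential and void every session except the caller's."""
        if not self.is_valid(caller_token):
            return False
        if not hmac.compare_digest(self._hash(old_password), self._pw_hash):
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(new_password)
        self._sessions = {caller_token: self._sessions[caller_token]}
        return True
```

After `end_session` alone, a second `login` with the old password still succeeds; only `change_password` makes both the stolen token and the stolen password useless.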

How is this news? (1)

xnt14 (1656123) | more than 3 years ago | (#33462462)

Gmail has had this for _years_.

Re:How is this news? (1)

Beerdood (1451859) | more than 3 years ago | (#33464854)

Msn / hotmail just implemented something like this as well (maybe 3-6 months ago can't exactly recall when). What's so special about FB doing it that deserves an article?

What the ... ? (1)

X.25 (255792) | more than 3 years ago | (#33462482)

I'm not a Facebook user, so I am having trouble understanding something.

Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

Re:What the ... ? (1)

BSAtHome (455370) | more than 3 years ago | (#33462556)

Well, to stay in contact with U.N.C.L.E. of course. Or maybe they need to talk to THRUSH.

Re:What the ... ? (1)

Abstrackt (609015) | more than 3 years ago | (#33463460)

I'm not a Facebook user, so I am having trouble understanding something.

Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

Think of Facebook as just another website. People tend to use the same username/password combination on multiple sites; you only need to hack one to have a good shot at the rest.

Re:What the ... ? (0)

Anonymous Coward | more than 3 years ago | (#33463770)

because they downloaded an exe that was marked as being a necessary codec to watch a video and it compromised their machine.

Re:What the ... ? (1)

Archangel Michael (180766) | more than 3 years ago | (#33464846)

Read my sig.

People are stupid (the rest doesn't quite apply here ... yet).

GMail has had this forever (1)

EmagGeek (574360) | more than 3 years ago | (#33462696)

It's not like this is fantastic new technology or anything, just something Facebook should have been offering since the beginning.

Advocating better passwords is better... (1)

MrCrassic (994046) | more than 3 years ago | (#33462764)

Quite a few people I'm close to that use Facebook use TERRIBLE passwords that can be guessed easily through brute-force methods. (Some use 'password' as password...) Without some way of FORCING users to use stronger passwords (like !passw0rd!; much better, though still not ideal), this will keep happening.

Finally, a feature worth... (1)

hesaigo999ca (786966) | more than 3 years ago | (#33463446)

Finally something that makes sense, seeing as so many people had their facebook accounts hacked and the usernames and passwords published in a big gigantic torrent file...I think it makes so much sense, that gmail and hotmail should follow suit.

Hacker's Version: (1)

artfulshrapnel (1893096) | more than 3 years ago | (#33463488)

"Facebook hackers will soon have a new way of knocking legitimate users out of spam accounts. The social-networking company is rolling out a new security feature that lets hackers see which computers and devices are logged into their Facebook accounts, and then removing the ones that they don't want to have access."

Re:Hacker's Version: (1)

HikingStick (878216) | more than 3 years ago | (#33464878)

That's exactly what my first thoughts were. What safeguards will they have in place to prevent the illegitimate from ousting the legitimate?

But also... (2, Interesting)

Lythrdskynrd (1823332) | more than 3 years ago | (#33463808)

An interesting other thing they might be able to do is map the frequently banned IPs, track them, and follow up with a great big lawyer-stick.
You know ... RIAA style!

This isn't new (1)

WankerWeasel (875277) | more than 3 years ago | (#33464210)

This has been an option for some months now.

Better security: Give users an admin account too (1)

MessyBlob (1191033) | more than 3 years ago | (#33464304)

Any anti-bot/spammer/crook system has to work at a level that is not the same as the regular session. On joining a system, you should be able to set up a separate user/password that acts as admin for your account, and the admin account is used to control access. During regular use, you use your regular account, which means that there is less probability of having your credentials stolen, and less probability of having your admin account hacked. If your regular account is hacked, then disable the regular account; the admin account can then be used to unlock it.

Re:Better security: Give users an admin account to (1)

Cyclloid (948776) | more than 3 years ago | (#33465266)

But what are the chances that the user uses the exact same username/password for both the admin account and regular account? I would say the odds are pretty high.

The world is not as security minded as the average /. reader.

Facebook would also have the problem of the majority of their users complaining about needing two passwords for a single account or having to login with different accounts/passwords to get to certain functionality.

Why? (1)

Beerdood (1451859) | more than 3 years ago | (#33465310)

I'm seeing a lot of suggestions for complex security here. First of all, if your account has been compromised and it's been sending spam to your friends, won't you already know about this soon after the spambot sends some spam out? Most won't be aware of this right away, but surely they'll be informed by their friends of the spam they received? I haven't had my FB account hacked, but I've gotten a couple of messages from friends that were clearly spam. I sent a message explaining what went up and no more spam appeared. Surely the vast majority of Facebook users have at least one or two tech-savvy friends that reply "dude, your account was hacked, change your password".

They should secure their site instead! (0)

Anonymous Coward | more than 3 years ago | (#33464496)

Facebook doesn't support SSL very well; it is trivial for someone to sniff your cookies and hijack your connection (especially if you use Facebook on an open wifi connection, let's say at a coffee shop, for example)... If they implemented SSL properly, maybe fewer accounts would get hacked...

Going about it all wrong. (1)

destiny71 (731278) | more than 3 years ago | (#33465236)

Sounds all neat and cool. Sounds like it would work.

But, the problem is, those that are smart enough, and educated enough to figure out how to find this, and use it correctly, wouldn't be getting their accounts hacked by spambots to begin with.

Gmail has had this for a couple years at least BTW.
