If Facebook were a country, it would be the third
largest in the world, just behind India and China. And like any country,
Facebook has a police force to keep things under control. 300 people have been
entrusted with the responsibility of keeping a 900-million-person virtual
society from itself and from external forces. How do you look after people who
use the same username and password on every website and get "hacked"?
What about "likejackers" determined to make people spam themselves
over and over again? What do you do when Facebook users keep clicking on
tantalizing links like "WATCH: Justin Bieber stabbed by lunatic fan"?
Facebook's deal with the world's biggest anti-virus companies to include their
blacklists in Facebook's URL-scanning database got us thinking about other
things the company does behind the scenes to keep its users safe, because a
hacked, spammed, and depressed user isn't coming back for more. "Creating
friction is the key to making users aware of what they're actually doing,"
Facebook Security and Safety team member Fred Wolens said, because the vast
majority of "hacked" Facebook accounts don't get hacked on Facebook.
DUMPING AND SCANNING
Facebook starts by scanning the usual suspects of
PasteBin-esque websites weekly to check for hackers dumping thousands of
usernames and passwords. Facebook cross references credential dumps with its
entire database of user credentials, then alerts any users that match to change
their passwords. By signing up for Facebook, you've inadvertently entered
yourself into its witness protection program, of sorts. During events like the
Gawker credentials leak or Playstation Network security breach last year,
Facebook alerted users if their passwords were on the loose. "We keep our
ear close to the ground," Wolens told us.
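The cross-referencing described above, as an added Python example rather than Facebook's own code: it assumes a local credential store of salted PBKDF2 hashes (never plaintext), parses a pasted dump of constructed `email:password` lines, and returns only the accounts whose leaked password actually verifies, which are the users to alert.

```python
import hashlib
import hmac
import os
import re

def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-SHA256; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user_table(users):
    """Build {email: (salt, hash)} from (email, password) pairs (constructed data)."""
    table = {}
    for email, password in users:
        salt = os.urandom(16)
        table[email.lower()] = (salt, _hash_password(password, salt))
    return table

# Public credential dumps are commonly 'email:password' per line; anything else is skipped.
DUMP_LINE = re.compile(r"^\s*([^:\s]+@[^:\s]+)\s*:\s*(.*?)\s*$")

def parse_dump(text: str):
    pairs = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs

def cross_reference(dump_text: str, table) -> list:
    """Emails whose leaked password verifies against the local store. Only accounts in
    the table are hashed, each with its own salt, and the comparison is constant-time."""
    hits = set()
    for email, leaked_pw in parse_dump(dump_text):
        entry = table.get(email)
        if entry is None:
            continue
        salt, stored = entry
        if hmac.compare_digest(_hash_password(leaked_pw, salt), stored):
            hits.add(email)
    return sorted(hits)

# Constructed sample: two local accounts; the dump has one real reuse, one wrong
# password, one account we don't know, and one junk line.
SAMPLE_USERS = make_user_table([("alice@example.com", "hunter2"),
                                ("bob@example.com", "correct horse")])
SAMPLE_DUMP = """\
alice@example.com:hunter2
bob@example.com:not-his-password
carol@example.com:whatever
--- pasted by someone ---
"""
```

Running `cross_reference(SAMPLE_DUMP, SAMPLE_USERS)` yields only alice, the one user who reused a leaked password and needs a reset prompt.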
Another measure Facebook takes is stripping every user
of their referral URL when they click one of the two trillion links posted to
Facebook every day. In other words, when you click a link on Facebook that
takes you to an ESPN article, ESPN cannot see what Facebook page referred you
to its site, and instead sees something like
"facebook.com/l.php?u=http%3A%2F%2F." These "sanitized"
URLs prevent external websites from using personal information against you.
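An added Python example (not Facebook's implementation) of the link wrapper just described, combined with the URL-blacklist check mentioned earlier: outbound links are rewritten into the `l.php?u=` form the article quotes, and the redirector refuses non-http(s) targets, blocks hosts on a constructed blacklist, and sends a `Referrer-Policy: no-referrer` header so the destination cannot see which Facebook page the click came from. The header mechanism is an assumption for illustration, not necessarily how l.php itself works.

```python
from urllib.parse import parse_qs, quote, urlsplit

REDIRECTOR = "https://facebook.com/l.php?u="  # the wrapper format the article quotes

# Constructed blacklist hosts (placeholders, not real indicators). In practice this is
# the URL-scanning database the article mentions, fed by anti-virus blacklists.
BLACKLIST = {"malware.example", "spam-link.example"}

def wrap_link(target: str) -> str:
    """Rewrite an outbound link so the click goes through the redirector."""
    return REDIRECTOR + quote(target, safe="")

def is_blacklisted(host: str) -> bool:
    host = host.lower()
    return host in BLACKLIST or any(host.endswith("." + bad) for bad in BLACKLIST)

def resolve_redirect(wrapped: str):
    """Return (status, headers) for a wrapped link: 302 to a clean target, 403 for a
    blacklisted host, 400 for anything that is not a plain http(s) URL. The
    Referrer-Policy header keeps the destination from learning the originating page."""
    u = parse_qs(urlsplit(wrapped).query).get("u", [None])[0]
    if u is None:
        return 400, {}
    target = urlsplit(u)
    if target.scheme not in ("http", "https") or not target.hostname:
        return 400, {}          # refuses javascript:, data:, scheme-relative links
    if is_blacklisted(target.hostname):
        return 403, {}
    return 302, {"Location": u, "Referrer-Policy": "no-referrer"}
```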
LIKEJACKING, CLICKJACKING, AND PASSWORD HACKING
A popular and nefarious way that spammers manipulate
you is by putting invisible Like buttons on top of real buttons you can see
like "Download File." For example, if you're trying to pirate an
album from a suspicious site, the Download link might actually be a Like button
that subscribes you to content from that site. Without even knowing it, you are
liking a page and thus polluting your friends' News Feeds with a spam post,
which in turn generates ad impressions for spammers. These spammers can also push
information to you in your own News Feed, much like brands can whose pages
you've liked. Facebook responds to "likejacking" by sometimes showing
a pop up that confirms whether or not you meant to Like that website.
Another type of "clickjacking" that spammers
engage in is posting crazy-looking pictures and videos. Clicking a link to an
article about Justin Bieber allegedly killing a fan is not going to get your
account "hacked" instantaneously (he didn't, by the way). The goal of
many of these spammers is to generate impressions, just like banner ads do for
content farm websites. Spammers get paid every time somebody clicks a link and
sees an ad, so Facebook spots and kills these types of posts whenever they crop
up. "This is us wanting to protect our users and de-incentivize spammers,
because where they monetize is off of Facebook," Wolens said. It's kind of
like if the government came around to your neighborhood and grabbed spam fliers
others have pinned on your door.
When somebody has accidentally liked a page or clicked
a nefarious link, it's unlikely that their Facebook account will be
compromised. The real problem is that most people use the same username and
password on most sites they sign up for. When a user's credentials for another
site are stolen, thieves simply try them on banking sites and social networks
like Facebook. In many cases, accounts get compromised when people type their username
and password into a phishing site without knowing it. There are also a large
number of cases where people leave Facebook open after logging in on an Apple
Store or library computer. Almost always, having your password
"hacked" really means that you (or another site you've signed up for)
lost your password or it's been stolen. So what about the minority of users
that get hacked "on" Facebook? Malware is the chief cause of accounts
getting compromised without an obvious cause, Wolens said. In order to detect
infected users, Facebook employs a variety of automated systems to flag
accounts sending tons of messages and exhibiting other anomalous behaviors. If
you're confirmed to be infected, Facebook alerts you and helps you sort it out
using McAfee's Scan and Repair software. The company also provided a page that
lists all the various threats to Facebook users such as Koobface, which sends
out Facebook messages on your behalf once you've downloaded a malicious file
posing as Adobe Flash Player.
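The kind of automated flagging described above, as an added Python example that is not Facebook's system: it parses a constructed message-send log (format assumed) and slides a time window over each sender's messages, flagging accounts that exceed a message-rate threshold or that burst messages mostly to non-friends. The thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed message-send log (format assumed): u1 is a normal user chatting with
# friends; u2 blasts 30 messages to 30 non-friends within 30 seconds.
SAMPLE_LOG = "\n".join(
    ["2012-05-01T10:00:01 uid=u1 action=send_message to=u7 friend=1",
     "2012-05-01T10:03:40 uid=u1 action=send_message to=u8 friend=1",
     "2012-05-01T10:09:12 uid=u1 action=send_message to=u7 friend=1"]
    + [f"2012-05-01T10:00:{i:02d} uid=u2 action=send_message to=v{i} friend=0"
       for i in range(30)])

LINE = re.compile(r"^(\S+) uid=(\S+) action=send_message to=(\S+) friend=([01])$")

def parse_log(text: str):
    """Parse lines into (timestamp, sender, recipient, is_friend); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "1"))
    return events

def flag_accounts(events, window=timedelta(minutes=10), max_msgs=20,
                  min_burst=5, max_nonfriend_share=0.5):
    """Slide a time window over each sender's messages and flag (a) more than
    max_msgs in one window and (b) a burst of at least min_burst messages sent
    mostly to non-friends. Thresholds are illustrative, not Facebook's."""
    by_uid = defaultdict(list)
    for ts, uid, to, friend in sorted(events):
        by_uid[uid].append((ts, to, friend))
    flagged = {}
    for uid, evs in by_uid.items():
        reasons, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) > max_msgs:
                reasons.add("rate")
            nonfriend = sum(1 for _, _, f in burst if not f) / len(burst)
            if len(burst) >= min_burst and nonfriend > max_nonfriend_share:
                reasons.add("non_friend_recipients")
        if reasons:
            flagged[uid] = sorted(reasons)   # next step: alert the user, offer a scan
    return flagged
```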
THE MISSING FRIEND REQUEST
When someone friends you on Facebook, that request
doesn't always get through to your inbox. Facebook employs a complex algorithm
to decide the likelihood that you know somebody, and whether or not to push
through a friend request or file it as spam inside your "See All Friend
Requests" folder. In real life, this would be like the government stopping
random people from approaching you in a public place and saying hello. If these
people message you, their messages will go to your Other Messages folder, a
place most people don't explore. "With a high degree of certainty, we know
who you would be friends with," Wolens told us.
"WITH A HIGH DEGREE OF CERTAINTY, WE KNOW WHO YOU
WOULD BE FRIENDS WITH."
If you have no friends in common with "David,"
who lives in Brazil, and who friended 50 people in the last hour, it's unlikely
you'll receive his friend request. But what if David's an exchange student who
just arrived in town? A local check-in in your area, new school email address,
or anything else that might tie him to you might instantly validate his friend
request as authentic.
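The routing heuristic sketched in the "David" scenario, as an added Python example (not Facebook's algorithm): it scores a friend request from the signals the article names, namely mutual friends, a local check-in, a school email address, and a burst of requests in the last hour, and files it either in the inbox or in the See All Friend Requests bin. Weights, threshold, and the sample city and domain are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Requester:
    mutual_friends: int
    requests_last_hour: int
    checkin_city: Optional[str] = None
    email_domain: Optional[str] = None

@dataclass
class Recipient:
    city: str
    school_domain: Optional[str] = None

def friend_request_score(req: Requester, rcpt: Recipient):
    """Combine the article's signals into a score plus the reasons behind it.
    Weights are illustrative, not Facebook's."""
    score, reasons = 0.0, []
    if req.mutual_friends:
        score += 0.15 * min(req.mutual_friends, 10)          # capped at 10
        reasons.append("mutual_friends")
    if req.checkin_city and req.checkin_city.lower() == rcpt.city.lower():
        score += 0.6
        reasons.append("local_checkin")
    if req.email_domain and req.email_domain == rcpt.school_domain:
        score += 0.6
        reasons.append("school_email")
    excess = max(0, req.requests_last_hour - 10)            # bulk-friending penalty
    if excess:
        score -= 0.015 * excess
        reasons.append("request_burst")
    return score, reasons

def route_request(req: Requester, rcpt: Recipient, threshold: float = 0.4) -> str:
    """'inbox' for a request that is likely genuine, else the See All Friend Requests bin."""
    score, _ = friend_request_score(req, rcpt)
    return "inbox" if score >= threshold else "see_all_requests"

# Constructed cases: a stranger with no mutual friends who friended 50 people in the
# last hour, and the same person once a local check-in and a school email tie him to you.
YOU = Recipient(city="Springfield", school_domain="school.example")
STRANGER = Requester(mutual_friends=0, requests_last_hour=50)
EXCHANGE_STUDENT = Requester(mutual_friends=0, requests_last_hour=50,
                             checkin_city="Springfield", email_domain="school.example")
```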
SECURITY INSIDE THE LARGEST SOCIAL NETWORK
Facebook's database of malicious links contains
billions of bad URLs, and its spam filters are precise enough that just 0.5 percent
of users see spam on a given day, by its estimates. Facebook does it all by
monitoring every piece of content that gets posted on the social network, which
raises many questions about how Facebook is governed — the Security team's logo
even has a police badge on it. The balance between security and freedom is one
of the oldest debates in governance, and Facebook now manages an enormous
community of people with little say in how that community is policed. And once
in a while, Facebook gets it wrong and deems a benign comment
"irrelevant" or "inappropriate," which tangles the line
between censorship and safety.
The difference for now is that we're all choosing to
use Facebook and explicitly accepting the company's monitoring and control —
they're unfortunate preconditions of the virtual society. Without these rules,
a site that entertains us for hours each day might descend into a spam and
crap-filled cesspool, which isn't very fun. And unlike the real world, if these
rules change, it's a lot easier to delete your Facebook profile than it is to
relocate to another country.