Saturday, July 24, 2010

Facebook FriendPhotoCaptcha Roadblock

Update: I was subject to the captcha again, and this time I took screenshots.
Update 2: I have created a Facebook group for fighting this security feature. Once you have your account back, join the group and invite your friends!

Facebook has recently and silently introduced a new "security" feature, that does a lot to prevent legitimate users from accessing facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows:

Suppose you try to log in to Facebook from a location you don't usually use, for example when traveling (which is usually when it's most important for you to keep in touch with friends and family). Facebook asks you to verify your identity.

Please review recent activity on your facebook account

And how would you do that? First, you have to solve a CAPTCHA. Fair enough, just prove you're human.

Next, starts the tricky part. You need to identify your facebook "friends" by identifying photos where your Facebook friends have been tagged. In order to regain access to your account you need to solve a CAPTCHA, then identify 7 out of 9 photos of friends. Even a single error fails the test but you do have two "skip"s.

The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a "verified" location does not help once the roadblock has been triggered.

Please come back in a little while

I guess the reasoning behind this: If you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends. People who you're unlikely to even identify by seeing a clear picture of their face. Second of all, people tag each other in photos that are nothing like a clear portait. When I was faced with the challenge I had to tag pictures of feet, pictures of dogs, blurry pictures of people from behind, and "funny" drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible "security" challenge.

Below is an example of one of the worst images I've got in my challenge:

The pictures are low resolution, and the pic itself is an xmas card. One of the faces is almost completely obscured by a hand holding a camera. The person in the picture is a work acquaintance I have never met it person, and the worst thing security-wise (and lucky for me) is that the greeting text includes his name!

How did I eventually regain access to my account? The same way any attacker who isn't me could have. The questions in the challenge are multiple-choice. One or two pictures and five names to choose from. Since my profile is relatively open to the public I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture which allowed me to try and verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge -- just like anyone who isn't me could have.

After finally succeeding in solving the challenge, I was presented with the oh-so-horrible offensive access. I tried to login to Facebook Chat from the United States. Thanks for being so specific, Facebook.

Please review recent activity on your Facebook accountAfter guessing this is probably OK comes the next screen asking me to be a fan of Facebook Security. What can I tell you, I am not a fan!

Thanks Alon - you've successfully restored your account

From a security perspective, this is not at all useful. An attacker's arsenal would include looking up public friend info, and creating a new account with my name and photo, and trying to "friend" all my Facebook friends. With enough people accepting this friendship (which many will), you can access all their photos and easily solve the challenge. In fact, this could be automated, and the only obstacle is several CAPTCHAs that need to be solved, a problem easily solved by spammers using outsourcing or fake "free porn" sites.

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.

  • Require a user to use an alternative method to contact a few of his or her friends (of the user's choice) and have them log in can confirm they are OK (for example by giving them some kind of key).

  • Get security questions or challenges from the users in advance -- something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.

  • Make a phone call or send a text message to a phone number that is in the user's profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Here is Facebook's real world contact information. Call them, send them a letter, or drop by their offices:

1601 S. California Ave.
Palo Alto, CA 94304
+1-650-543-4800 (Phone)

Saturday, May 15, 2010

Delays, Downgrades, Dress Shoes - My visit in Toronto

I haven't blogged here for a long time, opting to tweet short cryptic messages, if at all. Well, my trip to and from Toronto was eventful enough to warrant a full post or two.

Being the mileage optimizer I am, instead of flying direct to Toronto, I had a stopover in Houston, a Continental hub. Due to differences in price, I flew from San Jose airport instead of SFO, and parked my car in a hotel near the airport. This minor fact will prove crucial later.

The outwards flight went well, except that I did not get an upgrade on the flight to Houston (I was 2nd on the waiting list). I arrived in Toronto, and took the cool wifi enabled bus to my hotel. Upon arrival, I checked the conference schedule and was somewhat surprised to see that the main part of the conference starts the next evening, which meant I had a whole day to tour the city.

Since the banquet was to be held in the CN tower, Toronto's primary attraction, I decided to use my free day to visit the Royal Ontario Museum. That day I walked several kilometers to the conference venue, then to the museum, inside the museum, and finally back home. During all that time I wore dress shoes I usually wear for interviews -- I packed my best clothes for the conference.

What I did not realize, is that dress shoes can severely hurt your feet. By the next day my feet started to develop painful blisters and abrasions, which made it painful to walk. I used taxis for my travel to and from the conference venue since.

Academically, the conference was very fruitful. I got to meet many colleagues from institutions around the world, including Michael Wooldridge from the university of Liverpool, where I am about to interview soon. My students' talks went well and there were many interesting posters, some with the potential to lead to further research.

The conference banquet was held in the revolving restaurant on the top of the CN tower. This was the first time ever I've been to such a restaurant. Dinner was edible (not a trivial thing for a fancy restaurant) and the view was beautiful. Having the restrooms in the non-revolving part proved a challenge when I was trying to return to my seat. Sitting right next to the windows, I have attempted to send clever messages by writing them on paper and putting them on the non-revolving part of the restaurant. Few of these came back to me.

On the final day, I rushed to pack all my things and check out of the hotel. Then I took a taxi to the conference venue, attended the final talks and demos, and took the wifi bus back to the airport. At this point my feet were still in pain and it was difficult to walk.

At the airport, I found out that my flight to Houston was delayed by about an hour, which meant I was going to miss my tight 1-hour connection to my flight to San Jose. The Continental agents at Toronto had two options for me: Fly direct to SFO on Air Canada, or stay in a hotel in Toronto and fly via Houston the next day. In either case, my confirmed first class upgrade will be canceled since there was no first class availability.

Since my car was parked near San Jose airport, and they were not willing to pay for ground transportation to San Jose, I decided to go for the next day flight. However, since the flight was pretty early, I asked if it was possible to take the delayed flight to Houston and spend the night there. The agents agreed. This had the added benefit of being able to make the connecting flight in case the other flight happens to also be delayed.

By the time I made it through US customs and immigration at Toronto airport, the flight had been pushed back even more. The reason: Delayed incoming aircraft -- the plane from Houston departed late. With the flight two hours late, there was little hope in making the connection. By the time I was ready to leave toronto the plane I was supposed to board to San Jose was already en route and on time from San Juan Puerto Rico.

Upon hitting the ground in Houston, I decided to check the flight status to San Jose in a last-ditch effort to make that flight. To my astonishment, the flight was severely delayed and I would be able to make the flight! As it turned out, the plane fron San Juan (SJU) had to be diverted to Baton Rouge (BTR) due to weather in Houston. By the time I landed, the diverted plane was en route from BTR to Houston (IAH).

As it turned out, I had to spend a few additional hours waiting in Houston. The plane had to be maintained and was even further delayed. I finally landed in SJC 3 hours late. I still had the upgraded first class seat so I was able to sleep for most of that flight until finally returning home, going straight to sleep. Until now.

Wednesday, March 17, 2010

Blog update, forum crash.

Some have you may have noticed that my blog has a new look. Others may have noticed that the Israeli polyamory forum that I'm hosting has crashed, losing all information. Both of these events have to do with my (paid) hosting account at

It all started when I wanted to upgrade my ancient wordpress install (with some custom modifications) to a more modern and standard install. So, I backed up my blog and database and proceeded to install the new version. This required a few iterations, each requiring to delete the old instance of the blog.

My major mistake was during one of those installations, I have misclicked and deleted the wrong site -- the active poly forum. The delete action did create a backup, but since the database was exported using the wrong encoding, all Hebrew data (including the entire forum) was lost.

I immediately called my hosting provider, but they did not have backups of my account. I never set up a backup script for my hosting account, so the entire contents were lost.

I did reinstall a new forum and the blog. I am now working on a backup solution for my account.

The new blog has several nifty features: On the right sidebar you may find my current exact location. Also, the subscription system should work better and replies could be verified by OpenID.

Sunday, March 14, 2010

Happy π day!

Today is March 14th, aka pi day, a day celebrating one of the most important numbers in mathematics - π.

Since I happened to be in Germany today, I celebrated π day with my brother and his wife by making 2π -- a yummy beef pie for dinner and a chocolate pie for dessert.

 Beef pie for pi day

For dessert we decided to make the pie even more meaningful and decorate the pie with the first few digits of π, resulting in a delicious, and informative pie:

Chocolate pi with digits!

More photos are available on Flickr and Facebook.

In other news, I'll be arriving in Israel on Tuesday. If you want to meet me, let me know...

Tuesday, February 2, 2010

Open Letter to Stanford University

I have sent the following letter regarding the AlertSU system at Stanford University. I am hereby posting the letter I have sent verbatim.

Subject: Troubling unsigned email message sent via AlertSU.

I have received an email message regarding a personal issue via the AlertSU system, which is supposed to be only used for emergencies (letter attached below). The letter was unsigned except by the general name "STANFORD UNIVERSITY".

First of all, I would like to request the name and job title of the author of this message, since this information was never supplied.

Second, this message is by no way shape or form related to any kind of emergency, and therefore should not be posted via AlertSU -- a system the Stanford community cannot opt out of.

Third, I am very concerned about the content of the message itself. The message uses phrases such as "stranger", "Unbeknownst to the student" and "did not appear to pose a threat" and selectively mentions some of that person's private belongings. It seems these were designed to lead the readers to assume that the stranger may have intended to act maliciously, when this is just a simple case of a person forgetting his bag in a stranger's car. The important cautionary note is that you should make sure to take your belongings with you upon leaving a vehicle.

Implying that lighter fluid and handcuffs have no use other for illicit purposes reeks of intolerance that the Stanford community should not be subject to.

Alon Altman
In the early morning hours of Saturday, January 30th, a Stanford student struck up a conversation with a stranger at a bar in Palo Alto near the campus.  The stranger, a male, suggested that they go out for food.  The student drove the stranger to a McDonald's in East Palo Alto.  The stranger then asked the student if he could crash at the student's residence. The student refused, so the stranger got out of the student's vehicle.  Unbeknownst to the student, the stranger left a bag of personal items in the student's car.  Upon discovering the bag, the student took it to the Stanford Police (on Monday, February 1) so that it could be returned to the stranger.  Among the items in the bag, the police located a pair of handcuffs and lighter fluid.  The officers were able to ascertain the identity of the stranger and, after some investigation, determined that the individual did not appear to pose a threat to the student or the community.  None-the-less, the Stanford Police would like to remind you to be wary of offering rides to people whom you do not know.

Sunday, August 23, 2009

Macs, part 4: getting a new MacBook

In my previous post I wrote about my experience with macs, and the conclusion was that in order to criticize macs effectively, I should get one. Over $3,000 and one week later, I got a brand new MacBook Pro 15" (and a free iPod touch).

Apple MacBook box Everything mac

The mac came in a brown box, which included a white box inside it. Inside the white box, was the MacBook, the power and video adapters, and a black envelope. Inside the black envelope was a book titled "Everything Mac". There was also an envelope labeled "Everything Else". Following the instructions in the "Everything Mac" book I connected the power supply and powered on the mac using the hidden power button. The book included important information about using the TrackPad, stuff I had to figure out slowly in the previous posts.

Power connector  Power button

When the system started for the first time, I was greeted with a language selection screen, and then a welcome video (with no useful information). After the welcome video, I was prompted to press Esc to hear instructions on how to use the mac. I did, however, it started a detailed explanation about an accessibility feature that didn't even work.

Macbook (off)  VoiceOver

I managed to complete the setup without much difficulty, but no tutorials were provided. According to instructions in the Everything MAC book, I installed software updates, and started to explore. I found a document about "Stacks" and document and download stacks. I also found some online tutorial videos.

Taking my picture   After setup

One of the things I tried to do with the new mac was use the "Time Machine" backup software. I tried connecting two different external HDs, and got no visual response from the OS for the first, and only the small FAT partition showed up for the second. Reading about it online, I figured that ext3 partitions are not supported, and only plain old FAT drives can be used for backup. Big fail!

Another thing I tried was to download TV shows on iTunes, but I was stumped by the repeated requests for money. I have paid $3000 for a mac, why do I have to pay extra to use it???

Tuesday, August 11, 2009

Macs, part 3: Podcasts, Customer Service, and Fingers

As I've posted before, I'm staying at a fancy hotel in the Boston area. Next to the hotel is a Mall, and in this mall is an Apple store. Again I tried using the display laptops. If you recall, the laptops have no mouse buttons (the entire pad is a button), which after a short use causes pain in the wrist. The answer I got regarding this issue from "mac people" was: My mac has a button, but I'm sure the no-button pad is just A-mazing, Steve Jobs is God and I am his servant!

So, this time I tried a new approach: I asked a customer service person at the Apple store for help.  The customer service rep didn't repeat the same "Apple is God" story I get from fanpeople (I guess they are trained to avoid it). Instead, he calmly explained to me another Mac gesture: Hold a finger on the pad while dragging another finger. I had to ask where I find those fingers. It turns out Apple hardware uses unique input devices called "fingers". The idea is that the trackpad somehow reacts differently to multiple input positions. It turns out this feature is required for basic functionality. Right-click is also supported with the Ctrl button, there is also a multi-finger gesture for that but I'm not sure what it is.

The next thing I tried to do is to replicate functionality I have on Linux on the mac machine. The functionality I decided to try was downloading and playing podcasts. I googled it and the search results pointed me to software called "GarageBand". I launched it from the dock and selected podcast. It opened a complicated screen with space for male and female voices (why do I have to tell it who's talking in the podcast?). I decided to try listening to Car Talk from NPR. I used the Safari browser to find the Car Talk podcast, and copied the URL. Then I had to right-click (with Ctrl) on a submenu that said Podcast (why do I have to select podcasts again?), the only option was "open in iTunes". I know iTunes is spamware for copying music to iPods under Windows but that was the only option. Anyway, the iTunes had an option to add a podcast under the Advanced menu (If that's advanced, what's the basic way?). I pasted the URL using SpecialAlt(⌘)-V and confirmed.

Now I could go back to GarageBand and after a few trails I could finally see the podcast there and drag it to the play area. I put it under "Male Voice" since the show is narrated by men.  The GarageBand software seems to be an audio editor like Audacity. I'm reminded of old Windows 3.11 WAV files were opened in sound recorder... Anyway, I clicked the play button and it played! seeking was pretty hard since it was extremely zoomed and there was no way of seeing the entire file in one screen.

I thought to myself there must be an easier way to do it. So I googled "mac podcast player" and found a program called Juice. I installed it, subscribed to Car Talk with the URL, and clicked on the play button. Well, it stated playing. In the background. With the same show of Car Talk still playing in GarageBand. All attempts to stop it didn't work. I even closed Juice entirely (with SuperAlt-Q, as the customer service guy explained) and still both podcasts were playing. It finally stopped after I SuperAlt(⌘)-Q'd all applications I could find (except GarageBand, and Finder, that wouldn't close).

Then, I decided to see if GarageBand can export to a mobile device. The whole idea of podcasts is to listen to them on the move! So, under the share menu there was something about Podcasts and iWeb. I clicked that, and the podcast stopped playing and moved to the start, forgetting my playback location. Good thing I remembered what it was and seeked back there manually (the export failed BTW).

After all those trials, an Apple guy finally approached me, and told me -- that the store is closing and I have to leave. I asked why is the GarageBand thing so complicated, and he said that I should use iTunes to play podcasts. He couldn't explain more since I had to leave.  That's all for now.

PS: I forgot to mention the fact that keyboard shortcuts don't work as expected, the Alt-F4 Expose settings screen for example, says that expose could work F9, F10, and F11. Instead, those buttons adjust the volume! It turns out the real shortcut is F3! But I found that out only after coming back to my room. Amazing documentation from Apple, yet again.

PPS: I even thought I'd buy one just to see how it works, but an Apple laptop costs over $7,000, and for that price it's only a 256GB hard drive. What is it made of? Solid Gold? And you still have to pay extra for backup hardware (yes, macs need special $500 hardware to enable backups). It seems like macs are the fancy hotels of the computer world -- anything you want to do costs extra.

PPPS: I suspect Apple puts addictive substances in their products. That's the only way I can explain why anyone who's purchased an Apple product seems to be in love with it. On a more serious note, I think the main driver for people loving Apple products in cognitive dissonance -- You don't want to admit to yourself you significantly overspent for a product that is no better than others, and since things aren't customizable, people convince themselves they like it that way.