Facebook FriendPhotoCaptcha Roadblock

Update: I was subject to the captcha again, and this time I took screenshots.
Update 2: I have created a Facebook group for fighting this security feature. Once you have your account back, join the group and invite your friends!

Facebook has recently and silently introduced a new "security" feature, that does a lot to prevent legitimate users from accessing facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows:

Suppose you try to log in to Facebook from a location you don't usually use, for example when traveling (which is usually when it's most important for you to keep in touch with friends and family). Facebook asks you to verify your identity.

And how would you do that? First, you have to solve a CAPTCHA. Fair enough, just prove you're human.

Next, starts the tricky part. You need to identify your facebook "friends" by identifying photos where your Facebook friends have been tagged. In order to regain access to your account you need to solve a CAPTCHA, then identify 7 out of 9 photos of friends. Even a single error fails the test but you do have two "skip"s.

The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a "verified" location does not help once the roadblock has been triggered.



I guess the reasoning behind this: If you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends. People who you're unlikely to even identify by seeing a clear picture of their face. Second of all, people tag each other in photos that are nothing like a clear portait. When I was faced with the challenge I had to tag pictures of feet, pictures of dogs, blurry pictures of people from behind, and "funny" drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible "security" challenge.

Below is an example of one of the worst images I've got in my challenge:

The pictures are low resolution, and the pic itself is an xmas card. One of the faces is almost completely obscured by a hand holding a camera. The person in the picture is a work acquaintance I have never met it person, and the worst thing security-wise (and lucky for me) is that the greeting text includes his name!

How did I eventually regain access to my account? The same way any attacker who isn't me could have. The questions in the challenge are multiple-choice. One or two pictures and five names to choose from. Since my profile is relatively open to the public I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture which allowed me to try and verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge -- just like anyone who isn't me could have.

After finally succeeding in solving the challenge, I was presented with the oh-so-horrible offensive access. I tried to login to Facebook Chat from the United States. Thanks for being so specific, Facebook.

After guessing this is probably OK comes the next screen asking me to be a fan of Facebook Security. What can I tell you, I am not a fan!



From a security perspective, this is not at all useful. An attacker's arsenal would include looking up public friend info, and creating a new account with my name and photo, and trying to "friend" all my Facebook friends. With enough people accepting this friendship (which many will), you can access all their photos and easily solve the challenge. In fact, this could be automated, and the only obstacle is several CAPTCHAs that need to be solved, a problem easily solved by spammers using outsourcing or fake "free porn" sites.

Finally, I would like to suggest several other security methods that could actually work:

• Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.


• Require a user to use an alternative method to contact a few of his or her friends (of the user's choice) and have them log in can confirm they are OK (for example by giving them some kind of key).


• Get security questions or challenges from the users in advance -- something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.


• Make a phone call or send a text message to a phone number that is in the user's profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Here is Facebook's real world contact information. Call them, send them a letter, or drop by their offices:

1601 S. California Ave.
Palo Alto, CA 94304
USA
+1-650-543-4800 (Phone)

Delays, Downgrades, Dress Shoes - My visit in Toronto

I haven't blogged here for a long time, opting to tweet short cryptic messages, if at all. Well, my trip to and from Toronto was eventful enough to warrant a full post or two.

Being the mileage optimizer I am, instead of flying direct to Toronto, I had a stopover in Houston, a Continental hub. Due to differences in price, I flew from San Jose airport instead of SFO, and parked my car in a hotel near the airport. This minor fact will prove crucial later.

The outwards flight went well, except that I did not get an upgrade on the flight to Houston (I was 2nd on the waiting list). I arrived in Toronto, and took the cool wifi enabled bus to my hotel. Upon arrival, I checked the conference schedule and was somewhat surprised to see that the main part of the conference starts the next evening, which meant I had a whole day to tour the city.

Since the banquet was to be held in the CN tower, Toronto's primary attraction, I decided to use my free day to visit the Royal Ontario Museum. That day I walked several kilometers to the conference venue, then to the museum, inside the museum, and finally back home. During all that time I wore dress shoes I usually wear for interviews -- I packed my best clothes for the conference.

What I did not realize, is that dress shoes can severely hurt your feet. By the next day my feet started to develop painful blisters and abrasions, which made it painful to walk. I used taxis for my travel to and from the conference venue since.

Academically, the conference was very fruitful. I got to meet many colleagues from institutions around the world, including Michael Wooldridge from the university of Liverpool, where I am about to interview soon. My students' talks went well and there were many interesting posters, some with the potential to lead to further research.

The conference banquet was held in the revolving restaurant on the top of the CN tower. This was the first time ever I've been to such a restaurant. Dinner was edible (not a trivial thing for a fancy restaurant) and the view was beautiful. Having the restrooms in the non-revolving part proved a challenge when I was trying to return to my seat. Sitting right next to the windows, I have attempted to send clever messages by writing them on paper and putting them on the non-revolving part of the restaurant. Few of these came back to me.

On the final day, I rushed to pack all my things and check out of the hotel. Then I took a taxi to the conference venue, attended the final talks and demos, and took the wifi bus back to the airport. At this point my feet were still in pain and it was difficult to walk.

At the airport, I found out that my flight to Houston was delayed by about an hour, which meant I was going to miss my tight 1-hour connection to my flight to San Jose. The Continental agents at Toronto had two options for me: Fly direct to SFO on Air Canada, or stay in a hotel in Toronto and fly via Houston the next day. In either case, my confirmed first class upgrade will be canceled since there was no first class availability.

Since my car was parked near San Jose airport, and they were not willing to pay for ground transportation to San Jose, I decided to go for the next day flight. However, since the flight was pretty early, I asked if it was possible to take the delayed flight to Houston and spend the night there. The agents agreed. This had the added benefit of being able to make the connecting flight in case the other flight happens to also be delayed.

By the time I made it through US customs and immigration at Toronto airport, the flight had been pushed back even more. The reason: Delayed incoming aircraft -- the plane from Houston departed late. With the flight two hours late, there was little hope in making the connection. By the time I was ready to leave toronto the plane I was supposed to board to San Jose was already en route and on time from San Juan Puerto Rico.

Upon hitting the ground in Houston, I decided to check the flight status to San Jose in a last-ditch effort to make that flight. To my astonishment, the flight was severely delayed and I would be able to make the flight! As it turned out, the plane fron San Juan (SJU) had to be diverted to Baton Rouge (BTR) due to weather in Houston. By the time I landed, the diverted plane was en route from BTR to Houston (IAH).

As it turned out, I had to spend a few additional hours waiting in Houston. The plane had to be maintained and was even further delayed. I finally landed in SJC 3 hours late. I still had the upgraded first class seat so I was able to sleep for most of that flight until finally returning home, going straight to sleep. Until now.

Blog update, forum crash.

Some have you may have noticed that my blog has a new look. Others may have noticed that the Israeli polyamory forum that I'm hosting has crashed, losing all information. Both of these events have to do with my (paid) hosting account at bluehost.com.

It all started when I wanted to upgrade my ancient wordpress install (with some custom modifications) to a more modern and standard install. So, I backed up my blog and database and proceeded to install the new version. This required a few iterations, each requiring to delete the old instance of the blog.

My major mistake was during one of those installations, I have misclicked and deleted the wrong site -- the active poly forum. The delete action did create a backup, but since the database was exported using the wrong encoding, all Hebrew data (including the entire forum) was lost.

I immediately called my hosting provider, but they did not have backups of my account. I never set up a backup script for my hosting account, so the entire contents were lost.

I did reinstall a new forum and the blog. I am now working on a backup solution for my account.

The new blog has several nifty features: On the right sidebar you may find my current exact location. Also, the subscription system should work better and replies could be verified by OpenID.

Happy π day!

Today is March 14th, aka pi day, a day celebrating one of the most important numbers in mathematics - π.

Since I happened to be in Germany today, I celebrated π day with my brother and his wife by making 2π -- a yummy beef pie for dinner and a chocolate pie for dessert.

 

For dessert we decided to make the pie even more meaningful and decorate the pie with the first few digits of π, resulting in a delicious, and informative pie:

More photos are available on Flickr and Facebook.

In other news, I'll be arriving in Israel on Tuesday. If you want to meet me, let me know...

Open Letter to Stanford University

I have sent the following letter regarding the AlertSU system at Stanford University. I am hereby posting the letter I have sent verbatim.

Subject: Troubling unsigned email message sent via AlertSU.

I have received an email message regarding a personal issue via the AlertSU system, which is supposed to be only used for emergencies (letter attached below). The letter was unsigned except by the general name "STANFORD UNIVERSITY".

First of all, I would like to request the name and job title of the author of this message, since this information was never supplied.

Second, this message is by no way shape or form related to any kind of emergency, and therefore should not be posted via AlertSU -- a system the Stanford community cannot opt out of.

Third, I am very concerned about the content of the message itself. The message uses phrases such as "stranger", "Unbeknownst to the student" and "did not appear to pose a threat" and selectively mentions some of that person's private belongings. It seems these were designed to lead the readers to assume that the stranger may have intended to act maliciously, when this is just a simple case of a person forgetting his bag in a stranger's car. The important cautionary note is that you should make sure to take your belongings with you upon leaving a vehicle.

Implying that lighter fluid and handcuffs have no use other for illicit purposes reeks of intolerance that the Stanford community should not be subject to.

Alon Altman

In the early morning hours of Saturday, January 30th, a Stanford student struck up a conversation with a stranger at a bar in Palo Alto near the campus.  The stranger, a male, suggested that they go out for food.  The student drove the stranger to a McDonald's in East Palo Alto.  The stranger then asked the student if he could crash at the student's residence. The student refused, so the stranger got out of the student's vehicle.  Unbeknownst to the student, the stranger left a bag of personal items in the student's car.  Upon discovering the bag, the student took it to the Stanford Police (on Monday, February 1) so that it could be returned to the stranger.  Among the items in the bag, the police located a pair of handcuffs and lighter fluid.  The officers were able to ascertain the identity of the stranger and, after some investigation, determined that the individual did not appear to pose a threat to the student or the community.  None-the-less, the Stanford Police would like to remind you to be wary of offering rides to people whom you do not know.