Facebook Account Hacked

Today my Facebook account was hacked. Messages were sent to 42 of my friends, with a random subject and contents of the form:

hi! <recipient's first name>! <link>

All of the messages were shown as sent via Facebook Mobile, which, to my knowledge, I have never used.

I did several things:

  1. I posted on my Facebook wall advising people not to open these messages.
  2. I reported the intrusion to Facebook.
  3. I changed my Facebook password.
  4. I replied manually to every message sent, warning people not to click on the links.

Below is the reply from Facebook. I've not replied yet, but it's frustrating that Facebook have not listened to a word I've said.

Subject: Re: Messages or Posts Were Sent From My Account, and I Didn't Send Them

Hi,

We have detected suspicious activity on your Facebook account and have reset your password as a security precaution.

Er... I told you about it. You're replying to an e-mail which I sent you about it. Detected my arse.

It is possible that malicious software was downloaded to your computer or that your password was stolen by a phishing website designed to look like Facebook. Please carefully follow the steps provided:

1. Run Anti-Virus Software: If your computer has been infected with a virus or with malware, you will need to run anti-virus software to remove these harmful programs and keep your information secure.
For Microsoft:
http://www.microsoft.com/protect/viruses/xp/av.mspx
http://www.microsoft.com/protect/computer/viruses/default.mspx
For Apple:
http://support.apple.com/kb/HT1222

As I told you in my e-mail, I run Linux and it is up-to-date.

2. Reset Password: From the Account Settings page, you will need to create a new password. Be sure that you use a complex string of numbers, letters, and punctuation marks that is at least six characters in length. It should also be different from other passwords you use elsewhere on the internet. Here is your new login information: <redacted>

As I told you in my e-mail, I have already changed my password. Changing it again and sending it to me in cleartext e-mail is actually making the security of my account worse.

3. Secure Email: Make sure that any email addresses associated with your account are secure, since anyone who can read your email can probably also access your Facebook account. If you believe someone has accessed one of your email accounts, you should change its password.

As I told you in my e-mail, I don't believe anyone has access to my e-mail.

4. Never Click Suspicious Links: It is possible that your friends could unknowingly send spam, viruses, or malware through Facebook if their accounts are infected. Do not click this material and do not run any .exe files on your computer without knowing what they are. Also, be sure to use the most current version of your browser as they contain important security warnings and protection features.

As I said in my e-mail, my operating system is Linux and it is up-to-date. I cannot run any .exe files without serious difficulty. In practical terms, it is very unlikely to have been compromised.

5. Log in at Facebook.com: Make sure that when you access the site, you always log in from a legitimate Facebook page with the facebook.com domain. If something looks or feels suspicious, go directly to www.facebook.com to log in.

Please. If I want to visit Facebook I select it from the AwesomeBar. I don't even receive e-mails from Facebook any more because I've disabled them, so I'd spot a phishing attack a mile off.

6. Learn More: Please visit the following page for further information about Facebook security and information on reporting material http://www.facebook.com/security

Wow, practical.

Finally, if this did not resolve your issue, please revisit the Help Center to select the appropriate contact form and submit a new inquiry: http://www.facebook.com/help/?ref=pf

So that you can ignore what I say all over again?

Thanks,
The Facebook Team

Thanks for nothing.

These e-mails include random links, and it's probable that the nature of the attack could be uncovered by finding out more about what these links contain. It seems very probable that the page you would see will try in some way to continue the attack. That is the definition of a worm: an attack that propagates itself over the network. I tried downloading the contents of a link with wget. It timed out.

Worms are not unknown on Facebook. As always, think very carefully before clicking on untrusted links or installing untrusted apps, and check carefully that the site you are entering your credentials into is the one you expect.

My thanks to Sammy and Marit for alerting me to the attack.

What is Twitter?

Over the past few months, I have found myself in conversations about Twitter. Judging from the way people have voiced their preconceptions, Twitter is one of the more misunderstood websites on the intertubes, with common misconceptions including "Why would I want to read about every little thing someone is doing?", "It's just the latest fad" and "I don't know anybody on Twitter". Trying to avoid sounding like a shill, I would like to address these misconceptions.

Twitter is usually described as a microblogging service, a term which is not really descriptive but slightly disingenuous. Users write 140-character tweets. They can select other users to follow, thus building a stream of tweets that, hopefully, matches their interests. They can reply to or mention other users. It's also possible to retweet or "RT" a tweet, distributing it to your own followers.

This misses the point. Twitter provides three main things: identity, a voice, and the ability to build channels from other users' voices.

Supporting this, it also provides numerous ways to find different voices to add into the mix, with searches, and links from other tweets, and trending topics. Unlike other social networks you are generally free to follow whomever seems interesting: your voice is public, your followers are not your friends but those interested in your tweets.

Your identity, tweets and channels can be used on third-party sites as well as Twitter, which means that Twitter can be used as a platform for other applications. Whereas Facebook provides its own photo albums tool - like it or lump it - with Twitter you use whatever photo-sharing website you like. There are several in widespread use. It's quite a democratic system. You can often log into third party websites with your Twitter identity, tying your actions there to your Twitter voice.

Twitter is more like IRC than blogs; the short tweet length demands snippets, ideas, jokes, links and - though it's not quite as 'real-time' as IRC - it's quite possible to conduct a conversation.

People do not tweet about every little thing they are doing. Such a Twitterer would not be interesting to follow. It's not just the latest fad; it's a platform for sharing news and interesting tidbits that has already broken major news stories, made and buried film releases, and on which is built a rich and growing collection of social tools that, unlike Facebook, compete with and improve upon one another. And you don't need to know people, because there are already thousands of people tweeting about exactly those things you are interested in. Follow them, reply to them... maybe you'll even make some new friends. When's the last time you did that purely on Facebook?

The best advice I can give to anyone who has heard the buzz about, but didn't "get" Twitter, is just to try it. Twitter is new, and people are constantly discovering new ways to use it. Tweet about what interests you. Follow people who interest you. If you do, you'll probably find Twitter interesting and engaging.

The dangers of double resizing

Amazon have made a bit of a mess of building their thumbnails. On their homepage I was greeted with these:

[Image: two Amazon "Look inside" book thumbnails showing the blurring described below]

The moiré pattern of blurriness is a resizing artifact: evidence that these "Look inside" thumbnails were produced by resizing already-thumbnailed images - probably the thumbnail of the book cover without the "Look inside" banner. To avoid this on your sites, you need to build thumbnails from a sufficiently high-resolution image - ideally a high-resolution original. In practice, it can be faster and less memory-hungry to thumbnail from a medium-sized image, and this will generally not show visible artifacts. Of course, if you've already got a high-resolution image loaded into memory, you can side-step all of the quality issues by building all of the thumbnails you might need from it at once. Note also that you need to resize down enough to hide any JPEG compression artifacts.

To understand how the tell-tale moiré pattern comes about, let's imagine the source and destination pixel grids:

[Image: the source and destination pixel grids]

When we overlay them you can see the moiré pattern appearing.

[Image: the two grids overlaid, showing the moiré pattern]

Where the grid intersections are aligned, one source pixel maps fairly closely to a destination pixel, which makes that spot in the thumbnail crisp. But as you move away from those spots and the error builds up, the grid intersections fall out of alignment, and one source pixel is smeared over four destination pixels. That makes for a blurry spot.
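To make the grid-alignment argument concrete, here is an added simulation (not part of the original post) on a one-dimensional row of pixels: it reports how far each destination pixel's edge drifts from the source grid, and shows that a single bright source pixel leaks into more destination pixels when the row is resized via an intermediate size than when it is resized once. The 400, 160 and 123 pixel widths are constructed values; 123 is taken from the `_SL123_` in Amazon's thumbnail filenames.

```python
"""Simulate single-step vs double-step thumbnailing on a 1-D row of pixels.

Constructed example: a 400-pixel row resampled straight to 123 pixels,
versus via a 160-pixel intermediate (the "already thumbnailed" image).
"""
import math


def box_resample(src, dst_len):
    """Area-average resample: each destination pixel is the mean of the
    source interval it covers, partial source pixels weighted by overlap."""
    scale = len(src) / dst_len          # source pixels per destination pixel
    out = []
    for d in range(dst_len):
        start, end = d * scale, (d + 1) * scale
        total = 0.0
        s = math.floor(start)
        while s < end and s < len(src):
            overlap = min(end, s + 1) - max(start, s)
            total += src[s] * overlap
            s += 1
        out.append(total / scale)
    return out


def alignment_offsets(src_len, dst_len):
    """Fractional misalignment between each destination pixel's left edge and
    the source grid: 0.0 means the grids coincide (a crisp spot), 0.5 means the
    destination pixel straddles two source pixels (a smeared spot)."""
    scale = src_len / dst_len
    return [(d * scale) % 1.0 for d in range(dst_len)]


def spread(pixels, eps=1e-9):
    """How many destination pixels carry energy from a single source pixel."""
    return sum(1 for p in pixels if p > eps)


def compare_single_vs_double(src_len=400, mid_len=160, dst_len=123, hot=200):
    """Return (single_step_spread, double_step_spread) for one bright pixel
    placed at index `hot` in an otherwise black row."""
    row = [0.0] * src_len
    row[hot] = 255.0
    single = box_resample(row, dst_len)
    double = box_resample(box_resample(row, mid_len), dst_len)
    return spread(single), spread(double)


if __name__ == "__main__":
    print(alignment_offsets(400, 160)[:6])   # a regular 0.0 / 0.5 beat
    print(alignment_offsets(400, 123)[:6])   # slowly drifting offsets: the moiré
    print(compare_single_vs_double())        # (1, 2): the double resize smears
```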

Answers.com double-click

A few weeks ago I mentioned word-selection by double-click.

I have discovered that Answers.com improves on this with a rather nifty hidden feature: if you double click on any word on the page it will immediately look that word up in Answers.com using AJAX!

This looks very innovative to me. Using the rich Javascript API to augment the browser's existing functionality is very pleasant, but here the product is a dictionary/reference site that is totally cross-linked! Poor old Wikipedia seems rather limited by comparison (though, to be fair, there are massive advantages to conventional links. This technique is not a replacement for that).

Tip: Searching documentation

A very quick productivity tip: add search plugins for documentation that you refer to frequently to your web browser. Even if you know your way around the documentation well, it's still faster just to search for what you want.

To get plugins, search Mycroft, which is fairly comprehensive for documentation resources. Where the documentation you want doesn't include a search engine, plugins can be found that search the documentation with Google.

Semantic Whitespace

Perhaps a little-known feature of many applications, including most web browsers, is that as well as click-and-drag selection, you can often use double-click-and-drag word selection. There's also a triple-click paragraph or line selection that you may not be aware of. (Internet Explorer has a heuristic selection model that makes it easier to select words at the expense of making it harder to select arbitrary amounts of text.)

Though little-known, it's extremely useful! A favourite trick is to double-click and drag to select words, then right-click and "Search current search provider for".

This word selection can show up an accessibility problem. Browsers and probably some search engines identify words by splitting the content on whitespace and block-level HTML tags - not on inline-level tags! This is sensible. If I write HyperText Markup Language (i.e. with the initials highlighted in bold), I don't want the semantic content to be "H yper T ext M arkup L anguage"!

The accessibility problem is this. With CSS it's possible to accidentally write HTML that is neatly padded to look like words, but which doesn't tokenize (split up into words) properly. For two words to be considered separate you need to include semantic whitespace. Sites as big as Facebook and Twitter still make this mistake!

If your browser supports proper word selection (Internet Explorer's word-selection model is useless here), try double-clicking near formatting changes to check that your website is semantically correct.

Try it out! Can you detect the difference between these?

withoutsemanticwhitespace

with semantic whitespace
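The tokenisation rule described above, written out as an added example (not code from the original post): text inside inline tags is joined with its neighbours, while whitespace and block-level tags act as word boundaries. The set of block-level tags is a small constructed subset, and the CSS-padded spans stand in for the "withoutsemanticwhitespace" demo.

```python
"""Split HTML into words the way the post says browsers do: on whitespace and
block-level tags, but never on inline tags such as <b> or <span>."""
from html.parser import HTMLParser

# Constructed subset of block-level elements; inline elements are everything else.
BLOCK_TAGS = {"p", "div", "li", "ul", "ol", "h1", "h2", "h3", "br", "td", "tr", "table"}


class WordTokenizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")   # a block boundary is a word boundary

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)      # inline tags add nothing, so text runs together


def words(html):
    """Return the list of words a whitespace/block-aware tokenizer sees."""
    tokenizer = WordTokenizer()
    tokenizer.feed(html)
    tokenizer.close()
    return "".join(tokenizer.parts).split()


def missing_words(html, expected):
    """Check a fragment: return the expected words that did not survive tokenisation."""
    got = set(words(html))
    return [w for w in expected if w not in got]


# Constructed fragments mirroring the examples in the post.
INITIALS = "<b>H</b>yper<b>T</b>ext <b>M</b>arkup <b>L</b>anguage"
PADDED = ('<span class="pad">without</span><span class="pad">semantic</span>'
          '<span class="pad">whitespace</span>')          # looks spaced, isn't
SPACED = "<span>with</span> <span>semantic</span> <span>whitespace</span>"

if __name__ == "__main__":
    print(words(INITIALS))                                  # HyperText Markup Language
    print(words(PADDED))                                    # one run-together token
    print(missing_words(PADDED, ["with", "semantic", "whitespace"]))
```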

Distributed Website Thumbnailing

Thumbnail screenshots of websites seem to improve web usability enormously. For me, seeing a thumbnail triggers clearer and faster recognition than a domain or a name alone. Favicons also help when I've used the site enough to become accustomed to it. The GooglePreview Firefox extension is a favourite of mine for this reason.

There are now quite a number of websites which allow free website thumbnails. While these services are pretty good, and I recommend using them, these services require a huge amount of bandwidth to load the websites and serve the thumbnails, a lot of CPU time to render the websites, and a lot of storage to store them all. This means they consume money and the companies running them place a variety of restrictions on what can be done with the thumbnails. Also you very frequently find thumbnails don't yet exist or no longer exist, and the thumbnail service serves up some advertising instead, which is bad for usability. Perversely, it is precisely the infrequently visited sites, the ones that are hardest to remember, whose thumbnails get purged first.

If Google or another large search engine entered this market they could make a fast and free service that would be self-supporting. They are the only people who are making vast amounts of money enhancing the web - because a better web drives more business through their main search engine.

However, in the absence of that, I wonder if we shouldn't turn to distributed technologies to make the business of understanding where a link takes you an innate part of web standards, rather than a bolt-on service controlled by a vendor.

You could imagine a web standard similar to the favicons system, where thumbnails of the website are available at standard sizes - say 128x128 or 256x256 - at /thumbnail128 and /thumbnail256, but this places the onus on the publisher to create the screenshots and keep them up to date. Even worse, it's not a great idea to trust the websites themselves. Shock sites, porn sites or scam sites could benefit from misleading users into visiting a site.

One solution might be a distributed network for website thumbnails. A lot of research and development has been done in the area of DHTs particularly to improve the performance and decentralisation of peer-to-peer networks. A client could look up a URL in a DHT to obtain a URL for a thumbnail of that website.

There is also a way of generating thumbnails in a distributed manner: web browsers. There are so many web browsers visiting so many websites that if you could tap into only a tiny fraction of them - with, say, a Firefox extension that generates and uploads thumbnails using <canvas> (assuming you can work around the privacy implications) - you could get good coverage quickly. Because it piggy-backs onto the normal web-browsing experience, it uses very little bandwidth beyond what users were already using.

RSS: Error-prone

I subscribe to only about a dozen RSS or Atom feeds, but more than half of them suffer from one problem or another.

  • Intermittently dumping a dozen duplicate posts.
  • Dumping a dozen duplicate posts on every refresh.
  • Duplicating the most recent post on every refresh.
  • Double-escaping HTML entities, so I see &ldquo;, &rdquo;, &hellip; and such like in post names.
  • XML syntax errors causing total feed outage until some improperly encoded post drops off the feed.
  • <pre> code snippets that have lost their formatting.
  • And, of course, the occasional snippet of HTML that doesn't work as intended when removed from the context of the original HTML document and embedded in RSS.

I often have to search for Pipes to get a useful feed, which is a consequence of the way RSS specifies only a data format, not an obligation on producers, an architectural flaw I've discussed before.

But quite aside from this, it seems that a significant proportion of feeds aren't implemented properly.

Obviously we can blame developers for bugs, but the design of RSS may well be a contributing factor. The process of encapsulating HTML fragments in XML is not as straightforward as it looks. The requirement for a unique ID for each post at first glance does not look onerous. But does the ID correspond to the specific version of a post? Or does it correspond to the current version, however it may have changed since it was first published?

RSS may be useful, but it should also just work, and it doesn't. Developers and standardistas alike should start thinking why.
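As an added example (not from the original post), here is a small feed linter that checks for three of the failure modes listed above: a feed that no longer parses at all, items with missing or duplicated unique IDs, and double-escaped entities in titles, which survive XML decoding as literal text such as `&ldquo;`. The two sample feeds are constructed, as are the example.invalid URLs.

```python
"""Lint an RSS 2.0 feed for the problems described in the post."""
import re
import xml.etree.ElementTree as ET

# An entity reference that is still present AFTER the XML parser has decoded
# the text is the fingerprint of double escaping (&amp;ldquo; -> &ldquo;).
LEFTOVER_ENTITY = re.compile(r"&(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def lint_feed(xml_text):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # One improperly encoded post takes down the whole feed.
        return [f"feed does not parse: {exc}"]
    seen = {}  # guid -> item number of first occurrence
    for n, item in enumerate(root.iter("item"), 1):
        title = (item.findtext("title") or "").strip()
        guid = (item.findtext("guid") or "").strip()
        if not guid:
            problems.append(f"item {n} ({title!r}): missing guid")
        elif guid in seen:
            problems.append(f"item {n} ({title!r}): guid {guid!r} duplicates item {seen[guid]}")
        else:
            seen[guid] = n
        if LEFTOVER_ENTITY.search(title):
            problems.append(f"item {n}: title still contains an entity after XML decoding: {title!r}")
    return problems


# Constructed sample feeds; example.invalid is a reserved, non-resolving domain.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Correct &#8220;quotes&#8221;</title><guid>http://example.invalid/post/1</guid></item>
<item><title>Double-escaped &amp;ldquo;quotes&amp;rdquo;</title><guid>http://example.invalid/post/2</guid></item>
<item><title>Republished</title><guid>http://example.invalid/post/1</guid></item>
<item><title>No identifier</title></item>
</channel></rss>"""

BROKEN_FEED = '<rss version="2.0"><channel><item><title>Tom & Jerry</title></item></channel></rss>'

if __name__ == "__main__":
    for problem in lint_feed(SAMPLE_FEED) + lint_feed(BROKEN_FEED):
        print(problem)
```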

Sample Code for Employers

If you are looking for a job programming, you need to demonstrate to a potential employer that more than anything else, you will be profitable. In terms of programming, profitable code is robust, is produced quickly, is readable, understandable and maintainable by the rest of the team, and depending on the job you're applying for, may have to be secure or efficient too.

As an employer I consider it vital to see a sample of a developer's code before employing them - it's the most reliable way of assessing how competent a candidate is. The standard of code I've encountered from candidates over the past few weeks was generally weak. If you want to stand out, you may be interested in a few tips. I've tried to put these in order of importance.

  1. Submit only your own code. If you worked on the code with anyone else, it's worthless to me.
  2. Submit your best code. If you have more than one project, submit the best. I'm liable to judge you on the worst. The most recent code you've written is normally the best, assuming your programming skills have improved over time.
  3. Make it easy to run the code. I can't run most of the code I receive. Maybe it runs, but generally it's not clear how I get it running (web applications are generally hard to run). I am interested most in the code itself, not seeing the program run, but it's a big bonus if I can run it. So why not include an INSTALL file documenting the process? For web applications, you could include database dumps with sample data, or swap your application onto SQLite and include the database file. But an even easier way is just to get it hosted somewhere and send a link.
  4. Submit code that does something interesting. A lot of code is either boilerplate or performs very common tasks. For example, a web application that takes input from a user, puts it into a database, retrieves data from a database, and outputs it into a page is the most simple web application it's possible to write. It's covered step-by-step in any web programming textbook. If that's all the application does, it had better be pretty dazzlingly tidy code. But I prefer to see code that is outside the scope of textbooks.
  5. Use plenty of third-party libraries. The more libraries I see neatly integrated into your software, the more efficient you look as a programmer. There can be reasons to re-invent the wheel in practice, such as to overcome license restrictions, but when you're submitting sample code to employers it makes you look inefficient. Moreover when I see code draw on more and more appropriate libraries (or web APIs, or data sets) it also means that you know what's available and you're thinking about how to combine them creatively. (Incidentally, if you bundle third-party code with the source you supply, put it in a directory called "lib" or something so that I can see to ignore it.)
  6. Write good HTML. I'm less tolerant of bad HTML than a web browser is. I'm not going to pass or fail you purely for HTML that's not standards compliant because it's enormously widespread, relatively low-impact, and fairly easy to teach - but you're applying for a job writing software that outputs in a well-defined language. It comes across better if you're actually outputting in that language, and not some misinterpretation of it. It begs the question, would you do that for any other data format or protocol? Anyway, bad HTML breeds bugs.

If you can't find code that meets the above criteria, why not write something especially? It's possible you could write something in a weekend that can improve your job prospects significantly.

But if you're not employed at the moment, and you're looking for a job as a programmer, you should be constantly either writing code or reading articles on the web about writing code. Employers can teach you skills on the job, but it costs money to do this, and that's money that won't be going into your salary.