Facebook status change is not a crime

September 6th, 2007 by Daniele Muscetta

TechCrunch has been speaking to Christian about his PHP code that he had to pull down, my C# code I had to pull down (about which I also posted a comment this week), and the others who did. you can read what they wrote about it at http://www.techcrunch.com/2007/09/06/facebook-opening-up-but-on-its-own-terms/

It's nice to see things called by their real name

September 3rd, 2007 by Daniele Muscetta

Facebook Terms of Service state that it is forbidden to "[…] use automated scripts to collect information from or otherwise interact with the Service or the Site […]"

For this reason, I had to pull down the code of the small application I had previously released, which was "logging" into the mobile web application "pretending" to be a mobile browser and change your status. Big deal!!!

I am quite sure there are a lot of people writing "official" applications (that is using the "platform API" and so on) that are collecting A LOT of information about users who install their applications. They are being sent the info about the visitors by facebook, they are storing them, they might do whatever they please with (study it, sell it to spammers, to marketers, to making-money-assholes) and nobody will ever notice because it is on their servers and nobody can check that.

But a script that changes your status from remote – since this is not a functionality they CHOSE to expose in their API – then THAT is a big issue. Doh!
It's just plain ridiculous, but that's it.

Sure, the terms of service for app developers say a bit more in this regard:

[…]
4) Except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any Facebook Properties not explicitly identified as being storable indefinitely in the Facebook Platform Documentation within 24 hours after the time at which you obtained the data, or such other time as Facebook may specify to you from time to time;

5) You may store and use indefinitely any Facebook Properties that are explicitly identified as being storable indefinitely in the Facebook Platform Documentation; provided, however, that except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any such Facebook Properties: (a) if Facebook ceases to explicitly identify the same as being storable indefinitely in the Facebook Platform Documentation; (b) upon notice from Facebook (including if we notify you that a particular Facebook User has requested that their information be made inaccessible to that Facebook Platform Application); or (c) upon any termination of this Agreement or of your use of or participation in Facebook Platform;
[…]
You will not directly or indirectly sell, export, re-export, transfer, divert, or otherwise dispose of any Facebook Properties to any country (or national thereof) without obtaining any required prior authorizations from the appropriate government authorities;
[…]

Are we sure everybody is playing by these rules, when every facebook "application" really runs on the developer'server ? How do you know that they are really storing only what you want them to store, and deleting what you want them to delete ? Everybody knows how difficult it is to really "delete" digital content once it has come into existance… who knows how many copies of this database/social graph are floating around ?

Of course that is not an issue because people don't talk about it enough. But a script that changes your status – now, THAT is a very terrible thing.

I just don't get this "politically correctness". It must be me.

Oh, no… look! It's not only me!
I had read this post of Dare, but I problably had overlooked the last bit of it…. because he did point out this Hypocrisy going on:

[…]
Or (5) the information returned by FQL about a user contains no contact information (no email address, no IM screen names, no telephone numbers, no street address) so it is pretty useless as a way to utilize one’s friends list with applications besides Facebook since there is no way to cross-reference your friends using any personally identifiable association that would exist in another service.

When it comes to contact lists (i.e. the social graph), Facebook is a roach motel. Lots of information about user relationships goes in but there’s no way for users or applications to get it out easily. Whenever an application like FacebookSync comes along which helps users do this, it is quickly shut down for violating their Terms of Use. Hypocrisy? Indeed.
[…]

He then insists in a more recent post in calling things by their name:

[…]
I will point out that 9 times out of 10 when you hear geeks talking about social network portability or similar buzzwords they are really talking about sending people spam because someone they know joined some social networking site. I also wonder how many people realize that these fly-by-night social networking sites that they happily hand over their log-in credentials to so they can spam their friends also share the list of email addresses thus obtained with services that resell to spammers?
[…]
how do you prevent badly behaved applications like Quechup from taking control away from your users? At the end of the day your users might end up thinking you sold their email addresses to spammers when in truth it was the insecure practices of the people who they’d shared their email addresses with that got them in that mess. This is one of the few reasons I can understand why Facebook takes such a hypocritical approach. 🙂
[…]

Thanks, Dare, for mentioning Hypocrisy. Thanks for calling things by their name. I do understand their approach, I just don't agree with it.

I did pull my small application off the Internet because I have a family to mantain and I don't want to have legal troubles with Facebook. Sorry to all those that found it handy. No, I cannot even give that to you per email. It's gone. I am sorry. For the freedom of speech, especially, I am sorry.

I will change my status more often on Twitter.

Web Application Security

May 5th, 2005 by Daniele Muscetta

http://www.modsecurity.org/blog/archives/000055.html

I agree with the comments on Arian Evans. He is cool.
I've attended his talk at BlackHat Europe (http://www.itvc.net/blackhat05/dayII.asp#Arian%20Evans) and it was great fun!

BlackHat Europe 2005

April 21st, 2005 by Daniele Muscetta

In my holidays I've been to BlackHat Europe conference as PRESS for the friends at "IT Virtual Community" also this year.
Report of the conference, and an interview to "the grugq" here (link to pages in ITALIAN):

http://www.itvc.net/blackhat05/

Article is out

May 26th, 2004 by Daniele Muscetta

http://www.itvc.net/opinion/view.asp?id=284 [broken link]
BlackHat 2004 Report/Article with Interviews with Jeff Moss (president of BlackHat) and Stefano Zanero 🙂

[original text of the interview in english]

BlackHat Europe 2004

May 22nd, 2004 by Daniele Muscetta

Also this year I have been at BlackHat Europe 2004.
I am preparing an article (in Italian) you will see soon on ITVC [broken link].

I've also interview Jeff Moss – and that's an interview that rocks 🙂

[original version of the interview in English]

BlackHat Europe 2003

May 20th, 2003 by Daniele Muscetta

I published an article on IT Virtual Community with a review of BlackHat 2003 in Amsterdam, where I took part as press for this purpose.
http://www.itvirtualcommunity.net/blackhat03/ [broken link]

It includes an interview with Lance Spitzner (translated in Italian).

The original (untraslated) text of the interview with Lance is instead to be found on http://www.muscetta.org/spitzner_interview.txt.

During BlackHat Europe 2003 Conference

May 14th, 2003 by Daniele Muscetta

BlackHat Europe 2003 is taking place in Amsterdam.
You can see some photos made today at this location