
It sounds like you're equating basic social engineering to an elaborate, large-scale, nearly impossible architectural trick. Are you trying to discount the effectiveness or feasibility of social engineering? Social engineering requires far less effort than your proposed analogy. I doubt if it took this guy more than half an hour to do the "hard work," which is just duplicating a profile and cross-referencing friends from two social networks.

I agree that accidentally friending a fake account probably won't lead to much further online problems: the trusted friends example used in the article is far-fetched (and other HN comments indicate it's completely bogus), and they're not going to get your credit card info or account passwords. However, it's still a privacy concern. Anyone from an estranged ex-lover to a private investigator could get information like home address, vacation times, etc.

> However, it's still a privacy concern. Anyone from an estranged ex-lover to a private investigator could get information like home address, vacation times, etc.

Only if you put information on Facebook that you're not comfortable sharing with the whole world.


I'm not sure what you mean by that statement. Are you saying that Facebook's internal security is weak, and therefore you shouldn't trust it with data that you explicitly make private? To my knowledge, Facebook's privacy concerns are more related to the tracking of users on other websites, having insensible privacy defaults, and having confusing privacy controls. I've never heard any concerns about Facebook ignoring your settings and leaking your content (that was just meant for your friends or a certain group) with the whole world.

Are you singling out Facebook, or just referring to web services in general? Would you also say that you shouldn't have data on Gmail that you're not comfortable sharing with the whole world? What about online banking? All of those things are probably vulnerable to social engineering.


> I've never heard any concerns about Facebook ignoring your settings and leaking your content (that was just meant for your friends or a certain group) with the whole world.

That's the end result of "having insensible privacy defaults, and having confusing privacy controls." It happened when they changed their privacy model, and things that were private-only became public by default. But, normally, it's not that Facebook ignores your settings, but, rather, people assumed things were more private than they actually are. See people's recent reaction to the real-time updates of what your friends are doing on Facebook - many of the people I am friends with were aghast at this, because I don't think they realized all of that stuff was already public.

Basically, I think the privacy model on Facebook is complicated, but I think it's an inherent complexity. It's not complex because Facebook is inept, it's complex because the problem of determining who in your large social network should know what is actually a complicated question. That privacy model is too complicated for people to grapple with every time they share something on Facebook, so they don't grapple with it. I don't want to grapple with it, either. Hence, I only share things on Facebook I'm comfortable sharing with the world. My Facebook page - wall, photos, info, comments - is all public. Then I have a very simple decision to make: am I okay saying this to everyone? If not, I don't say it. Hence, I don't say much on Facebook.

The internet is an inherently public place. Facebook puts a megaphone on the internet.

> Would you also say that you shouldn't have data on Gmail that you're not comfortable sharing with the whole world?

In general, yes, although even I have difficulty with that one. But email is just plain text (unless you encrypt it, and very few people do) bouncing around the ether. It's out there, and you have little control over it. Banking is different, as the information is only shared between you and your bank. Not so with email, which always has at least one other party involved.


Considering Facebook has ignored the explicit privacy settings in the past exposing 'private' information, I think it's more a question of them being untrustworthy than having poor security.


> It sounds like you're equating basic social engineering to an elaborate, large-scale, nearly impossible architectural trick.

Seems about proportional to the difference between having a stolen car and having a fake friend account. I mean honestly, what are you going to do with that? Find out some posts that hundreds of other people know about and would probably tell you if you called them up and asked? Stage an elaborate ruse with the fake account that will fall apart the second the target communicates with the real person on a non-Facebook channel? I mean, I guess someone might have their reasons, but there's a million crazy things a stalker can do in real life too.


The risks from using social engineering to get a person to follow you are precisely equivalent to gaining unauthorized access to all the content that person has shared with his/her friends.

Depending on the victim, this may or may not pose any real concern. Some people probably share their entire profile and activity to their entire network, and probably don't post anything dangerous. However, some people are selective with their friends, and may very well share more private things (e.g. health/employment status, home address, phone number, etc.).

You're probably right that the average Facebook user wouldn't be at risk, since they probably already share with hundreds of quasi-friends and therefore don't post anything too personal or risky. The thing is, that probably applies to most Gmail accounts too, yet everyone recognizes a compromised Gmail account as a bad thing. I don't understand why you're minimizing the potential impact of having a bogus friend on your friends list.
