Flawed Facebook Policy on Hacked Pages Exposes Users to Security Risk

UPDATE: 6/20/2011
After one week, Facebook finally fixed this problem and returned this particular page to its rightful owner.  Unfortunately, judging from this discussion where hundreds of page owners have been crying for help for 6+ months, Facebook page theft remains rampant and will continue to be a terrible problem as their policies make it nearly impossible to recover a page.  The only reason this particular page was recovered was due to the pressure of thousands of outraged followers.

Facebook page theft is a soft target with high reward.  It is simply too easy to steal a Facebook page through the use of computer viruses and spyware.   The reward to the attacker is very high, as they can use the hijacked page as a platform to infect confused page followers with viruses.  Meanwhile, Facebook allows it to happen as it is their policy to never help legitimate owners recover their stolen pages.

How would you feel if you spent the last year building your Facebook fan page with thousands of followers, only for it to be hijacked, allowing the attacker to ruin your reputation by insulting your followers and attempting phishing attacks on your fans/customers?   By current Facebook policies you cannot recover your stolen page.

Monday, June 13th, a popular Facebook Fan Page for a canceled TV show was hijacked by a script kiddie on a power trip.     The attacker apparently targets admins of popular pages using phishing techniques to trick them into visiting dangerous websites, where their cookies are stolen or browsers exploited to install trojans and key loggers necessary to fully compromise their account.  Once the attacker gains control of a Page admin's Facebook account, they are able to fully seize control by removing all previous admins.

Now two days later, the attacker continues to post taunting messages bragging about his conquest.  Even worse, the page's 55k+ fans are exposed to confusing and dangerous links to sites that attempt to steal their cookies or exploit their browsers, an effective method of using the social network itself to compromise other accounts and hijack other popular fan pages.  Despite the pleas of thousands of followers reporting the dangerously abusive phishing links on the self-proclaimed hacked page, it is apparently Facebook policy to do nothing.

Please note that it is not technically possible to compromise a Facebook group or Page. As long as the current administrators of a group keep their login details secure, keep their account enabled, and do not allow any suspicious people to become admins, then the group or Page will remain secure. If an unauthorized person gains admin status, we encourage you to contact them directly to resolve this matter. Unfortunately, Facebook is not able to reinstate you as an admin for any group or Page.
Facebook is unreasonable in these expectations, as it is far too easy for ordinary users to be infected by viruses and spyware and their personal accounts to become compromised.  As an administrator of other Facebook pages for both companies and non-profit causes, it is absolutely frightening to learn that if the account of any page co-admin is compromised, then weeks or months of hard work may be stolen with NO RECOURSE.  Most egregious of all, Facebook is unwilling to do anything about attackers using compromised pages as phishing attack platforms.  Facebook's unwillingness to get involved puts the security of users at risk.

Some have suggested that Facebook could mitigate this problem of page hijacking by allowing greater protections to Creators like page-level mandatory cell phone verification or allowing the delegation of "assistant admins" incapable of removing other admins.  While these measures would have likely helped to prevent this particular compromise, they wouldn't stop a determined attacker when the reward can be so large.  Ultimately the policy of never returning a clearly stolen page to its rightful owner must be changed.

Facebook's social networking can be an invaluable tool to improve customer loyalty around a business or organize people around a cause.  Unfortunately, given current policies, companies should be wary of investing real money in Facebook ads or putting significant effort into Facebook page recruitment when all of their hard work can be too easily destroyed.

Serious DST Bug in Android and Google Calendar Sync

There exists a serious issue affecting users who live in States like Arizona or Hawaii that do not observe DST where appointments in your calendar erroneously shift by one hour when DST changes in most States.  Searching around both Google Calendar Help and Android bugs it seems this has been going on since at least 2009.

To make matters worse, in this bug Google seems to be blaming the users for misconfiguring their phones or Google Calendar timezones.

This issue seems more insidious than simply a correctable "view" when you change the timezone settings.  Today I found that all of my one-time appointments had shifted one hour earlier, while weekly repeating appointments kept the correct time.  It seems the stored time itself was changed within Google Calendar's server-side for only a portion of appointments, so changing your view will not correct this error.  I may need to go through all of my appointments of the next year and manually decide if times need correction. =(

Blogger and Planet, Edit Post Bump Annoyance

I just now discovered an annoying behavior with Blogger and my new blog syndicated to Planet.  Apparently every time I edit an old post, it bumps a field in the atom feed that causes Planet to bump old posts to the top.  This old post indicates this has been a common problem with Planet in the past.  Is this a bug in Planet, misconfiguration in Planet, or a bug in Blogger?

UPDATE: Add ?alt=rss to the Blogger feed URL and it solves this problem!

Cable Modem and Direct Sunlight

Oceanic Time Warner's Scientific Atlanta cable modem would mysteriously screw up and randomly drop lots of packets every afternoon.  The cable modem and wireless routers were high-up off the ground (for better wireless signal strength) right in front of a window.  I simply put the black plastic cable modem on the floor below the window, and the cable modem began working perfectly.  Direct sunlight was causing the cable modem to overheat mysteriously only in the afternoon. =)

Warren's Sprint Epic 4G Review

Just a few thoughts about the Sprint Epic 4G.

  • MUCH BETTER THAN EVO: I previously had the Evo 4G for 30 days.  It was a great phone, but I disliked the lack of hardware keyboard and the screen was just too wide.  The Samsung Galaxy S seems to be about the upper limit of acceptable phone size.
  • BEST SPRINT PHONE EVER, especially if you live in a 4G area.  I love the real hardware keyboard.  Battery life is pretty good.  Android UI and apps are very responsive.  The apps included by Sprint (Telenav, Swype) are more useful than the stock apps included on my friend's Verizon Droid Incredible.  I think it might even be currently the best Android phone out of all the carriers.
  • CUSTOMER SERVICE: Not about the phone, but I think it is important to mention.   I've been with Sprint for the past decade.  I've witnessed lousy customer service a few years ago, but I stuck with Sprint largely because I was grandfathered into an extremely cheap legacy plan.  But in the last year or two I've noticed they've seriously turned things around.  Their 30 day return policy surprised me.  I disliked my previous Android phone.  They let me return it and reverted to my previous contract, no questions asked.
  • POOR USB PLACEMENT: Micro-USB on the top of the phone?  WTF were they thinking?  Makes it very annoying to talk on the phone while the USB cable is plugged in.
  • DOCK DISASTER: Samsung's official desk dock for the Epic 4G is a complete failure of design.  Even worse than Masochist's Teapot fail.  The phone does not behave differently while in the dock.  The screen remains in vertical orientation while the phone is horizontal in the dock.  The volume buttons are under the phone, out of reach so you cannot change the volume of music while it is docked.  To make matters worse, placement into the dock often pushes on the volume buttons making it max out or mute the volume.  Finally, you cannot have the phone in either of the two cases that they sell in the Sprint store, because the phone will no longer fit into the dock.  Don't waste your money on the dock.  UPDATE: A commenter pointed out that you need to install an app for the dock to automatically become a horizontal desk clock.  So it isn't that bad.  Only, why didn't they install this app by default?
  • ANNOYING BATTERY FULL NOTICE: When the battery is full, it chimes and asks you to unplug the USB charger.  Who thought this would be a good idea?  Nobody is going to follow those directions and it is annoying to hear the chime for no good reason a few hours after you went to sleep.
This is one seriously awesome phone.  Sadly they completely failed on the design of specific aspects like the USB port placement and dock.  At least the Battery Full notice could be fixed in a future firmware update.

Palm Pre: Still a Good Phone

I've had the Sprint Palm Pre for ~13 months now.  It had some initial problems with build quality of the first batch, but after the warranty replacement I have had no problems for the past year.  Early during June I upgraded to the HTC Evo 4G.  The Evo is a very sweet phone in many respects.  It is very clearly one of the best phones on the market now along with Droid Incredible, Droid X or Samsung Galaxy S.  But I had three key problems:
  • The Evo is too huge.  With the 4.3in screen it crosses the line of acceptable upper bound size for a phone.
  • On-Screen keyboard.  It is simply clumsy and slow to use compared to a real physical keyboard.
  • The Android UI is less streamlined in design compared to WebOS.  Various tasks on my Palm Pre that would take mere seconds would take 5X as long on the Evo.  I found myself missing the sweeping gestures of the WebOS interface.  I do not need to press upon precise locations on the screen to go "Back".  Multitasking between apps on WebOS is very smooth with the card sweeping gestures.
Having used the HTC Evo 4G for a month, it became clear to me that Palm put a serious amount of good design into the usability of WebOS.  There is a lot to like about the WebOS platform.  Hackers have seen how friendly Palm has been toward developers.  FOSS developers have commented about how Palm used various Open Source components like upstart and pulseaudio in a well-integrated fashion.  If WebOS had launched a year earlier and with fewer initial hardware glitches, it might now be a serious contender to Android.  But various indicators now show that Palm simply lacks the momentum of customers against the likes of RIM, Apple or Android.  Palm is heavily investing in their app ecosystem, without which they have no chance.  It remains to be seen if HP's continued investment will keep the platform alive.

I returned the HTC Evo 4G under Sprint's excellent no questions asked 30 day trial policy.  The Evo is a very good phone, but I'm simply more productive with the streamlined interface of WebOS.  I think the ideal phone would be a larger Pre, with horizontal instead of vertical slide-out keyboard and modern 1GHz processor.  Unfortunately it seems no such device is in the plans.  HP seems to be working on a WebOS tablet.  I might consider the Samsung Epic 4G.  The slide-out horizontal keyboard might make it usable enough for me to tolerate the UI negatives of Android.

Paula Cole in Phoenix Saturday Night 9:00pm

Thursday I flew out from Boston to visit my friend in Phoenix, Arizona.  While waiting for the plane I met this woman Jill who happened to be the tour manager for Paula Cole.  Admittedly I did not know of Paula Cole prior to that day.  But I looked her up and realized that I was familiar with some of her songs including the theme song of Dawson's Creek.  She studied music and Jazz at Berklee College of Music in Boston and is a Grammy Award winner.  As a wannabe musician, I have such a deep appreciation for genuine artists, especially singer-songwriters with formal roots.

Friday night we went to see her perform.  It was a bit of an unusual performance in the tiny lounge of Harrah's Ak-Chin Casino in Maricopa.  Not an ideal venue for this type of performance when you're surrounded by people who have more interest in the slot machine than the world-class performer only a few yards away.  But not bad for a FREE concert!  We got there a bit early to be sure we had the best seats in the lounge, ate some food from the takeout place around the left side of the lounge, and sipped some mixed drinks.  She played mainly a mainstream style of music tailored for this particular crowd.  I've seen videos of other performances where she does Jazz standards, so I know she is capable of a broader spectrum of musical styles.  At the end of the performance she did some freestyle beat-boxing that was interesting to see.

spamassassin-3.3.1 RPM Packages

spamassassin-3.3.1 was released last week.  It fixes a few minor bugs from the 3.3.0 release, but most importantly adds support for the new URIBL Spamhaus DBL.  See the 3.3.0 RPM announcement for other notes that remain relevant to this release.
Picture for no particular reason except that any picture makes a blog post more interesting.
Packages for Fedora 11, Fedora 12, and Fedora 13.
Packages for RHEL5.  Requires deps from EPEL5.