Facebook 203: Security and Applications

Late last week I got a message from someone who wants to be known as “The Harmony Guy,” saying he had devised a method that could have been successful (eventually) in meeting the terms of the SMUG $100 Facebook Hacker Challenge. Harmony Guy is a social hacker of the “white hat” variety, as you’ll see in his blog, where he publicly exposes security flaws from social networking sites and urges the companies to fix them.

I learned a lot about Facebook security through my interaction with him, and if you click the (more) link, you will, too. Here’s what he said:

Continue reading “Facebook 203: Security and Applications”

Ending the Facebook Hacker Challenge

It’s time to bring the SMUG $100 Facebook Hacker Challenge to an end. No one has been successful (and I don’t think they would be), but in a comment today, Erik Giberti raised a good point that I hadn’t fully considered.

Lee, I’m not a lawyer, but I think you’re violating at least the Facebook Terms of Use and possibly the DMCA  (although that’s a tricky moving target) by encouraging this generally considered illegal activity; that is cracking Facebook vulnerabilities.

My purpose in issuing the Hacker challenge was to counter the FUD (Fear, Uncertainty and Doubt) being spread about Facebook’s secret groups. “Can you really trust that the data you put in a secret Facebook group would be safe? What about trade secrets, or marketing plans? Aren’t you putting those at risk by using Facebook instead of having them securely behind your firewall?”

I was comfortable enough with Facebook’s security that I was willing to risk $100 that no one would be able to get into the secret group I set up for purposes of testing. But while I thought the risk of losing $100 was worth taking to prove a point, the risk of having my Facebook account suspended isn’t.
So here’s my advice for people who are thinking about using Facebook groups for business discussions:

  • A secret Facebook group should be at least as secure as e-mail. Everyone uses e-mail to discuss business issues, even though e-mail messages can be forwarded to an unintended party, or possibly intercepted in transit. By contrast, it’s relatively harder to get into a secret Facebook group.
  • Create a legal warning notice for your secret Facebook group. Lots of companies put legal notices on the bottom of their e-mail messages or on faxes (remember when you used to send those?) saying that the information is confidential and intended only for its recipients. I’m sure a good lawyer could develop the same kind of language to post in the descriptions of secret Facebook groups.
  • A secret Facebook group will be even more secure if you keep it, well… SECRET. For someone to hack into your secret group, they first need to know it exists! I put out a challenge to the world, saying that if anyone could find out what was in the recent news section of my secret group, I would give them $100. Then I published not just the name of the group, but its URL. No one was successful, although one person talked big about being willing to do it for $1,000. If you don’t tell anyone other than your intended participants about your secret group, it would be that much harder to hack.
  • Be Smart. If information is truly critical, so that disclosure would have serious negative ramifications, don’t put it in a secret Facebook group. You wouldn’t put your Social Security number, your bank account PIN, credit card numbers or the launch codes for nuclear missiles in an e-mail. Don’t put them in Facebook, either. But lots of less-critical information could be shared within Facebook secret groups with relatively low risk.
  • The calculation should always be risks vs. rewards. If a Facebook group enables you to collaborate more effectively than you can using your current methods, and if an information leak wouldn’t bring financial ruin or global thermonuclear war, the reward probably makes the risk worth taking.

I’ve done my own calculation of risks vs. rewards based on Erik’s comment and Robert Scoble’s experience in being kicked off Facebook, and that has led me to declare that the SMUG challenge has ended, as of 12:01 a.m. CST on Wednesday, Feb. 20, 2008. I am not encouraging anyone to hack Facebook’s security. The $100 offer to get into my secret group, and the $200 offer for posting a photo to it, is withdrawn.

I find Facebook too valuable that I would not want to risk an account suspension on the grounds that I had encouraged others to violate the Facebook TOS. A rock star like Scoble can get his Facebook reinstated quickly. For the rest of us, it might take longer.

My challenge was meant to be supportive of Facebook as a place for business interactions. And I think it has accomplished its purpose, if it has helped to banish the FUD.

SMUG $100 Facebook Hacker Challenge

hackerchallengegrouplist.jpg

Note: Please read this post to learn what this challenge is about, but there is an update at the bottom.

When Paul Lewis interviewed me about Facebook last week, I said Facebook has lots of promise as a way for businesses to collaborate with key stakeholders without giving non-employees access behind the corporate firewall.Paul asked a common question about whether that would potentially put sensitive information at risk. I said I probably wouldn’t put my bank account and Social Security numbers out in a Facebook group (and certainly no information that would lead to civil legal liability or criminal penalties if disclosed), but that for ordinary business interactions I think the security is strong enough.

So I’m putting my money where my mouth is.

I’ve created a secret group in Facebook, and named it $100 Facebook Hacker Challenge. Here are some screen shots from when I set up the group:

hackerchallengepage.jpg

secretgroup.jpg

facebookgroupsetup.jpg

I’m offering $100 to the first person who can find this group and discover what it says in the “Recent News” section.

But wait, let’s make it really easy. Not only am I telling you the name of the group. I’m also giving you its URL:http://www.facebook.com/group.php?gid=29804935857

And if you can upload a picture to the $100 Facebook Hacker Challenge group, I’ll double your payout, to $200.

Post your answer in the comments below.Meanwhile, if you want to join a group that isn’t secret, and that can help you learn about Facebook and other social media and how they can be practically used in your professional life, enroll in Social Media University, Global (SMUG).

Update: See the latest on the Facebook Hacker Challenge, including your chance to participate in SMUG’s quest for knowledge, here.

Update: No one was successful in meeting the challenge in the first five days. I have now closed this challenge, for reasons that I explain here.