By: Jerry

Jerry — Thu, 09 Feb 2012 11:26:05 +0000

Since the e-mail areddss for the above comment didn’t work, I’m pasting here the message I tried to send tonight.Dear “Busted Laptop”:I saw your comment on my blog and wanted to get in touch. I may not change your mind about my motivations or methods, but I did feel that you deserved an explanation as to why I put up that post about “how to write a Facebook virus.”But first, I also want to say that I truly am very sorry for the situation you’ve ended up in. I’ve been on the receiving end of viruses and data loss before, and while I certainly can’t know what your situation is like, I know such events can be extremely stressful and frustrating.When it comes to my post, I can assure you that neither I nor any other security researchers have seen any viruses in the wild which use the method of attack I described. Most of the current Facebook viruses I’m aware of, such as Koobface, have been spreading long before my post was written and use very different techniques. If someone actually wanted to write a malicious virus, they would have plenty of resources without ever checking my blog. I have been contacted a few times by people looking for help hacking various aspects of Facebook, but the only people I communicate with are ones I believe to be legitimate security researchers who are trying to help users, not harm them.So why publish a post about writing viruses? It’s been my experience watching and working with Facebook on a variety of issues over the last two years that the company will move quickly to protect its reputation – but only when users stand up and call for action. All of the techniques I described in my post had been previously published and demonstrated at various times, but had not been put together in one list before. Prior to that post, I had tried several times to bring people’s attention to the seriousness of such flaws in the Facebook Platform, but was often met with dismissals that the effects weren’t so serious. I finally wrote the post you saw to prove the point that these issues were worth taking seriously.Also, as I said, the techniques described deal with flaws in the Facebook Platform itself. What I outlined was not an unstoppable bag of tricks to exploit. I have reiterated on my blog several times that Facebook could take actions which would stop such exploits cold. The main reason I published that post was that users would see the gravity of the situation and call for Facebook to implement better protection for their users. I’ve discussed several times technical solutions that Facebook could issue for prevent the attacks I’ve described, but so far they’ve done little to nothing. I could have withheld the post and simply tried to convince Facebook myself, but I’ve never found that route very successful (and I do have a security contact at Facebook that I’ve been in touch with many times).Anyway, as I said, none of this may change your mind, and I don’t blame you for being upset. But I can assure you that if Facebook patches the vulnerabilities I described, no one will be more excited than me.>theharmonyguy.

Comments on: Viacom to get my You Tube viewing stats by order of a US Judge?

By: Jerry