The social captcha idea is neat, but sometimes my friends tag each other in pictures that aren't of them (cartoons, or places), sometimes to joke around with each other or to get a friend's attention. I can see someone getting locked out of their account for being shown a picture which Facebook thinks has a given friend in it but in reality does not.
They already have the faces annotated via the tagging system. To be really sneaky they could inject faces which have been detected but NOT tagged. However they probably have enough data anyway - enough being the largest facial recognition training data set in the world.
The tagging users do in their photos and face recognition are different things.
When a user has to tag someone they are given a standard-sized box to drag over the person they want to tag, while the face recognition system selects only the face of the person, no matter how big or small it is in the picture.
Quite a few people seem to have thousands of "friends" on their list, most of whom they don't actually know personally; they are there because they both play some kind of game (Mafia Wars, Farmville, etc). So the social captcha idea wouldn't work in that case either...
How exactly does social captcha slow down someone who has hacked into your friends' accounts and has seen a lot of tags on photos of friends in your friend network?
One feature I've always wanted for any site with a login, is the ability to send a text message to my cell phone whenever my login/pw is used, with an option to text back 'no' to deny the login and kick off the user.
This way, when I know it's me logging in, I can just ignore the text, but if it isn't me (some hacker in Germany, for instance), I can immediately bump them off, and I don't have to wait for the damage to be done to reclaim my account.
Facebook already supports this (as another commenter says) but you can also send a text to FBOOK with the next "otp" to get a one-time password that expires after a few minutes.
If you're in a place where it's likely your computer could be compromised then this keeps your regular password secure.
You can kinda do this, but the current implementation is cleverer and only triggers for logins from new computers. The option is in the same place where you enable https.
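Added example (not Facebook's code, and not from any commenter): the two mechanisms the comments above describe, an SMS one-time password that expires after a few minutes and can be used once, and a login path that only challenges logins from unrecognized computers. Written in Python; the five-minute TTL, the eight-digit code, the `device_token` cookie and the `known_devices` map are assumptions, not anything Facebook has documented.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters: the thread only says the code "expires after a few minutes".
OTP_TTL_SECONDS = 5 * 60
OTP_DIGITS = 8


def _digest(code):
    """Hash a code so the store never holds a usable plaintext OTP."""
    return hashlib.sha256(code.encode("ascii")).hexdigest()


class OtpStore:
    """Server-side store of SMS one-time passwords: one pending code per user.

    Each code is single-use and expires after OTP_TTL_SECONDS; only its hash
    is kept, so a leaked store does not yield codes that still work.
    """

    def __init__(self):
        self._pending = {}  # user -> (sha256 hex of code, expiry timestamp)

    def issue(self, user, now=None):
        """Mint a fresh code for `user`, replacing any unused earlier one.

        The returned string is what would go back to the phone in the SMS.
        """
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user] = (_digest(code), now + OTP_TTL_SECONDS)
        return code

    def verify(self, user, code, now=None):
        """Accept `code` once, and only before it expires.

        The pending entry is removed even on a wrong guess, so nobody can
        enumerate the 10**OTP_DIGITS space against one issued code.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(digest, _digest(code))


def login_decision(user, device_token, known_devices, password_ok):
    """Decide what to do with a password login from a given computer.

    `device_token` stands in for the long-lived cookie a site sets on a
    browser it has seen before; `known_devices` maps user -> set of tokens.
    Returns "deny", "allow", or "challenge" (notify the user by email/SMS and
    require a second factor such as the code from OtpStore above).
    """
    if not password_ok:
        return "deny"
    if device_token is not None and device_token in known_devices.get(user, set()):
        return "allow"
    return "challenge"
```

Burning the pending code on a wrong guess trades a little convenience (the user has to text for a new one after a typo) for making online guessing pointless; the alternative is a per-user attempt counter with the same effect.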
Except they're not really doing that yet. Read the full section: some facebook sections, and most applications aren't yet HTTPS. And it's off by default. And the setting is hidden deep inside your advanced security settings.
They do say it will be default at some point in the future, which is exciting. But for the moment, this HTTPS step is just a small one.
I've seen the social captchas before, usually when I first logged in from a different city or tunneled through a VPN that exited somewhere other than my hometown.
The social captcha idea is really clever, but doesn't it just mean that the first thing a serious hacker will do will be to download your friends list and at least their main profile pictures?
With profile pictures of them it could be an issue; if the friends' photos are public then it certainly is an issue. There's a bit of irony regarding Facebook's privacy settings.
I'm reproducing the comment I left on their blog post below:
My biggest privacy complaint is my inability to change my application/privacy settings to keep other people from changing MY profile page by tagging me in pictures.
I do not want people tagging me in photos, and while I explicitly tell people not to, they still do. I can remove the tag once Facebook notifies me, but I don't hover around my computer waiting for notices, so there is a period during which these pictures appear in my status, my albums, my wall, and I have no ability to keep people from seeing them. This is a violation of my privacy, to which the only solution is deleting my account to make myself untaggable; something I don't want to do, because I truly enjoy using Facebook.
This really needs to change. Please add a privacy/application setting that either makes you "untaggable", or at least prevents tagged pictures from being automatically put into your status feed / wall / albums.
Facebook is obviously showing only one gender at a time for their social authentication captchas, but I wonder if the correlation between last name and ethnicity is enough to collapse the space of possible answers pretty significantly.
This social captcha is the stupidest idea ever. When I was travelling, I got locked out of facebook so many times and was unable to get back in because I could not figure out who my friends are.
People tag themselves wrongly. A lot of my friends are people from when I was young - I don't know how they look anymore.
And in Africa, for example, you are often using satellite connections, so depending on the internet cafe, you log in from Israel, then Kenya, then South Africa, all in one day. And you get locked out each time.
What use is the social captcha if your friends list is public? Many people had this set because it was the new default when the settings switched some half-year ago. A lot of them probably don't even realize it.
3: Look at the first photo of a friend, then examine every one of your friends (the average user has a couple hundred) and match them up, assuming that their profile photo is similar to the randomly-selected photo from the social captcha
4: Repeat this whole process two more times
Social captchas protect you against somebody from Nigeria hacking your account, and make this process more computationally intensive. Even if they did log in to your account after all this work you'd end up getting an email and SMS saying that there was a login from an unrecognized computer.
Look at the first photo of a friend, then examine every one of your friends (the average user has a couple hundred) and match them up, assuming that their profile photo is similar to the randomly-selected photo from the social captcha
The example posted on the FB site looked like a multiple-choice selection was to be made, so the putative hacker would only have to look up those six friends, not look through all of your connections.
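Added example, not from the FB post or from any commenter: the attacker's side of the numbered steps above, with the six-way multiple choice the reply points out. The attacker holds a scraped friends list with profile pictures and compares the challenge photo only against the offered names rather than all of the victim's friends. Python; the profile pictures are represented as 64-bit perceptual hashes compared by Hamming distance, and the names, hash values and the 10-bit match threshold are constructed assumptions. It also covers the failure mode from earlier in the thread: a tagged cartoon or place matches nobody, and the attacker is back to guessing.

```python
import random


def hamming(a, b):
    """Bits that differ between two 64-bit perceptual hashes (lower = more similar)."""
    return bin(a ^ b).count("1")


# Constructed sample data: what an attacker holds after scraping a public
# friends list. The integers stand in for perceptual hashes of profile pictures.
PROFILE_HASHES = {
    "alice": 0xF0F0F0F0F0F0F0F0,
    "bob":   0x0F0F0F0F0F0F0F0F,
    "carol": 0xFFFF0000FFFF0000,
    "dave":  0x0000FFFF0000FFFF,
    "erin":  0xAAAAAAAAAAAAAAAA,
    "frank": 0x5555555555555555,
}

MATCH_THRESHOLD = 10  # assumed: within 10 bits counts as "the same person"


def pick_candidate(photo_hash, candidates, profiles=PROFILE_HASHES,
                   threshold=MATCH_THRESHOLD, rng=random):
    """One round: compare the challenge photo against the offered names only.

    Returns (chosen_name, matched). `matched` is False when no candidate's
    profile picture is close enough (a cartoon, a landscape, a photo from
    years ago), in which case the attacker is reduced to a random pick.
    """
    best_dist, best_name = min((hamming(photo_hash, profiles[c]), c) for c in candidates)
    if best_dist <= threshold:
        return best_name, True
    return rng.choice(list(candidates)), False


def solve_captcha(rounds, rng=random):
    """Play every round; return how many the attacker answered correctly.

    `rounds` is a list of (photo_hash, offered_names, correct_name).
    """
    correct = 0
    for photo_hash, candidates, answer in rounds:
        guess, _ = pick_candidate(photo_hash, candidates, rng=rng)
        correct += guess == answer
    return correct


def random_guess_success(options=6, rounds=3):
    """Chance of passing by guessing alone: every round must be right."""
    return (1.0 / options) ** rounds
```

With six choices and three rounds, pure guessing passes about one time in 216; with the friends' profile pictures in hand the attacker's work per round is six hash comparisons, which is the point the reply above makes.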
The purpose of captcha isn't to keep the bad guys out, it is to make sure that a person, rather than a program, is logging in. I'm not sure this new social captcha is better than traditional captcha at that, but if it is equal but easier for the legitimate user, then it's a win.
I don't see what has taken the HTTPS implementation so long, and why is it user opt-in? Most of the user base doesn't even know you can have privacy settings, let alone what the benefits of an HTTPS connection actually are.
Can anyone answer me how it is safe to have the advertising accounts, which require credit card information to make payments, not be HTTPS like they currently are? How has there not been a serious breach with all the kiddies running around with Firesheep and the like?
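Added example, not from any commenter and not Facebook's code: the check behind the Firesheep worry. Firesheep worked by sniffing session cookies that browsers sent over plain HTTP; a cookie set without the `Secure` attribute goes out on every http:// request even if the login itself happened over HTTPS, so opt-in HTTPS for some pages does not help while the site still serves anything over HTTP. The Python below parses `Set-Cookie` headers and flags the weak form beside the hardened one. Cookie names and values are constructed.

```python
MISSING_SECURE = "missing Secure: sent over plain HTTP too, sniffable on a shared network"
MISSING_HTTPONLY = "missing HttpOnly: readable by any script on the page"
PERSISTENT_SESSION = "persistent session cookie: survives closing the browser on a shared machine"

# Constructed Set-Cookie headers. The first is the kind of cookie Firesheep
# collected; the second is the same cookie with the flags it should have had.
WEAK_HEADER = "sessionid=d41d8cd98f00b204; Path=/"
HARDENED_HEADER = "sessionid=d41d8cd98f00b204; Path=/; Secure; HttpOnly"
PREF_HEADER = "locale=en_US; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to
    True, valued ones (Path, Expires, Max-Age, Domain) to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header, session_names=("sessionid",)):
    """Return the list of problems with one Set-Cookie header (empty = fine)."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append(MISSING_SECURE)
    if "httponly" not in attrs:
        problems.append(MISSING_HTTPONLY)
    if name.lower() in session_names and ("expires" in attrs or "max-age" in attrs):
        problems.append(PERSISTENT_SESSION)
    return problems


def audit_response(headers, session_names=("sessionid",)):
    """Audit every Set-Cookie header of a response.

    Only session cookies are reported: a missing Secure flag on a locale
    preference leaks nothing, whereas on the session cookie it is the whole
    account. Returns a list of (cookie_name, problems) for offending cookies.
    """
    report = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue
        problems = audit_cookie(header, session_names)
        if problems:
            report.append((name, problems))
    return report
```

The same check can be run against a live site by feeding it the `Set-Cookie` headers from the login response; a session cookie that comes back without `Secure` is the condition Firesheep exploited, regardless of whether the login form was served over HTTPS.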
Fuck the social captcha, how about Facebook nationalizes the best non-obtrusive apps (I don't know of any, but maybe there are some) and eliminates third-party shit from the site entirely. Third-party crap apps will destroy the site if not kept in check.
So, they're enabling HTTPS, but telling people that it's an account setting and adding an authentication system that will lock out Farmville players. Why am I not impressed?