Thursday, November 17, 2011

96. Common Damn Sense: Does the Facebook Spam Wave Reflect Deeper Issues with User Habits?


[Article first published as Does the Facebook Spam Wave Reflect Deeper Issues with User Habits? on Blogcritics.]

It’s been a while since I jumped into a good old-fashioned rant.  As there is, as the kids say these days, no time like the present, I figure now would be a good time.  On the morning news as well as all over the internet were reports of a massive Facebook spam attack that flooded users’ profiles with violent and pornographic images.  So I thought to myself, “That’s kind of messed up.  Let me go to my account and make sure I’m good.”

And of course I was.  And there was nothing in my friends’ feeds either.  Not because we did anything special or have security settings configured in a certain way, but because there are still some of us left who have some common damn sense.  After reading about how this attack was executed, it became clear to me that, while it was through trickery, the exploitation was invited by the affected users themselves.
The attack tricked Facebook users into pasting a malicious snippet of JavaScript into their web browsers and running it, which then exploited a browser vulnerability causing them to “share” and “like” the malicious content without even knowing it.

That’s when I stopped reading for a while.  I had to weigh my feelings on this one – on the one hand we as tech people have a responsibility to educate our friends and the public at large as to how to protect themselves in the digital age.  On the other hand, we’ve been doing that forever and no one seems to care.  And while attacks and malware have evolved, the method for preventing this type hasn’t, as it’s one of the big ones we’ve been advocating for years – don’t click on crap that looks suspect.  This case takes it a step further – now someone’s telling you, “Hey, stick this code in your browser and run it.  Cool stuff to follow,” and users mindlessly do it.  Then the public end result is a number of Facebook users on Twitter expressing their disgust and delivering empty threats to close their accounts, as if the internet is a magical and safe place where nothing bad has ever happened and people honestly just want to give you free stuff.

While spam on Facebook is nothing new, it’s never been this bad or spread at such a rapid pace before.  But at the time I’m writing this, Facebook has already claimed to have eliminated the malicious pages and identified the users responsible.  “Our team responded quickly and we have eliminated most of the spam caused by this attack,” a Facebook statement said. “We are now working to improve our systems to better defend against similar attacks in the future.”  This must have been a tough one for them to counter, seeing as the spread not only was user-generated, but exploited vulnerabilities in browsers, not actually Facebook itself.  I didn’t see any info on which browsers were the ones jacked, but I can guarantee that it affected the people who don’t follow their tech friends’ advice to “make sure everything’s always updated.”

Standard advice: Keep your software updated, keep your antivirus updated, don’t click links from people you don’t know, and be suspicious of people sending you links about free iPads, trips, or naked Beyoncé videos, no matter how hopeful you are to see all the single ladies.

So let’s consider the world to be “techs” and “users.”  Techs’ responsibility has to end at some point and users’ responsibility has to begin.  We do all we can to make sure people are educated and browsing safely.  Some onus has to be put on the users, because you’ve been informed of how things work.  It makes me wonder how we’re still in the age of “I wonder what this button does?” 

Computers, the internet, smartphones and mobile devices – these are the things we use in our everyday lives now.  They govern a large percentage of what we do – which is why it’s infuriating that it’s so easy for people to throw their hands up in the air and say “Oh, it’s tech, I don’t understand it and I don’t want to.”  That attitude makes people not take steps to protect themselves, and complain and whine when they get hit.  So don’t tell me things like how you forgot to install antivirus on your computer because you’re not a tech or you clicked a link because “how could I know” without being a tech person.

You’re not a mechanic either, but you still know you need gas in the damn tank to drive your car to work.