epsalon is currently certified at Journeyer level.

Name: Alon Altman
Member since: 2003-01-14 20:04:14
Last Login: 2007-07-16 14:04:22

FOAF RDF Share This

Homepage: http://8ln.org


If you arrived here by searching for my blog, see http://blog.8ln.org/


Recent blog entries by epsalon

Syndication: RSS 2.0

Facebook FriendPhotoCaptcha Roadblock

Facebook has recently and silently introduced a new “security” feature, that does a lot to prevent legitimate users from accessing facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows: Suppose you try to log in to Facebook from a location you don’t usually use, for example when traveling (which is usually when it’s most important for you to keep in touch with friends and family). Facebook asks you to verify your identity. And how would you do that? By identifying photos where your Facebook friends have been tagged. In order to regain access to your account you need to solve a CAPTCHA, then identify 7 out of 9 photos of friends. Even a single error fails the test but you do have two “skip”s. The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a “verified” location does not help once the roadblock has been triggered.

I guess the reasoning behind this: If you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends. People who you’re unlikely to even identify by seeing a clear picture of their face. Second of all, people tag each other in photos that are nothing like a clear portait. When I was faced with the challenge I had to tag pictures of feet, pictures of dogs, blurry pictures of people from behind, and “funny” drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible “security” challenge.

How did I eventually regain access to my account? The same way any attacker who isn’t me could have. The questions in the challenge are multiple-choice. One or two pictures and five names to choose from. Since my profile is relatively open to the public I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture which allowed me to try and verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge — just like anyone who isn’t me could have.

An attacker’s arsenal would also include creating a new account with my name and photo, and trying to “friend” all my Facebook friends. With enough people accepting this friendship (which many will), you can access all their photos and easily solve the challenge. In fact, this could be automated, and the only obstacle is several CAPTCHAs that need to be solved, a problem easily solved by spammers using outsourcing or fake “free porn” sites.

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.
  • Require a user to use an alternative method to contact a few of his or her friends (of the user’s choice) and have them log in can confirm they are OK (for example by giving them some kind of key).
  • Get security questions or challenges from the users in advance — something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.
  • Make a phone call or send a text message to a phone number that is in the user’s profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Syndicated 2010-07-25 08:11:43 from Alon's Blog

Delays, Downgrades, Dress Shoes – My visit in Toronto

I haven’t blogged here for a long time, opting to tweet short cryptic messages, if at all. Well, my trip to and from Toronto was eventful enough to warrant a full post or two.

Being the mileage optimizer I am, instead of flying direct to Toronto, I had a stopover in Houston, a Continental hub. Due to differences in price, I flew from San Jose airport instead of SFO, and parked my car in a hotel near the airport. This minor fact will prove crucial later.

The outwards flight went well, except that I did not get an upgrade on the flight to Houston (I was 2nd on the waiting list). I arrived in Toronto, and took the cool wifi enabled bus to my hotel. Upon arrival, I checked the conference schedule and was somewhat surprised to see that the main part of the conference starts the next evening, which meant I had a whole day to tour the city.

Since the banquet was to be held in the CN tower, Toronto’s primary attraction, I decided to use my free day to visit the Royal Ontario Museum. That day I walked several kilometers to the conference venue, then to the museum, inside the museum, and finally back home. During all that time I wore dress shoes I usually wear for interviews — I packed my best clothes for the conference.

What I did not realize, is that dress shoes can severely hurt your feet. By the next day my feet started to develop painful blisters and abrasions, which made it painful to walk. I used taxis for my travel to and from the conference venue since.

Academically, the conference was very fruitful. I got to meet many colleagues from institutions around the world, including Michael Wooldridge from the university of Liverpool, where I am about to interview soon. My students’ talks went well and there were many interesting posters, some with the potential to lead to further research.

The conference banquet was held in the revolving restaurant on the top of the CN tower. This was the first time ever I’ve been to such a restaurant. Dinner was edible (not a trivial thing for a fancy restaurant) and the view was beautiful. Having the restrooms in the non-revolving part proved a challenge when I was trying to return to my seat. Sitting right next to the windows, I have attempted to send clever messages by writing them on paper and putting them on the non-revolving part of the restaurant. Few of these came back to me.

On the final day, I rushed to pack all my things and check out of the hotel. Then I took a taxi to the conference venue, attended the final talks and demos, and took the wifi bus back to the airport. At this point my feet were still in pain and it was difficult to walk.

At the airport, I found out that my flight to Houston was delayed by about an hour, which meant I was going to miss my tight 1-hour connection to my flight to San Jose. The Continental agents at Toronto had two options for me: Fly direct to SFO on Air Canada, or stay in a hotel in Toronto and fly via Houston the next day. In either case, my confirmed first class upgrade will be canceled since there was no first class availability.

Since my car was parked near San Jose airport, and they were not willing to pay for ground transportation to San Jose, I decided to go for the next day flight. However, since the flight was pretty early, I asked if it was possible to take the delayed flight to Houston and spend the night there. The agents agreed. This had the added benefit of being able to make the connecting flight in case the other flight happens to also be delayed.

By the time I made it through US customs and immigration at Toronto airport, the flight had been pushed back even more. The reason: Delayed incoming aircraft — the plane from Houston departed late. With the flight two hours late, there was little hope in making the connection. By the time I was ready to leave toronto the plane I was supposed to board to San Jose was already en route and on time from San Juan Puerto Rico.

Upon hitting the ground in Houston, I decided to check the flight status to San Jose in a last-ditch effort to make that flight. To my astonishment, the flight was severely delayed and I would be able to make the flight! As it turned out, the plane fron San Juan (SJU) had to be diverted to Baton Rouge (BTR) due to weather in Houston. By the time I landed, the diverted plane was en route from BTR to Houston (IAH).

As it turned out, I had to spend a few additional hours waiting in Houston. The plane had to be maintained and was even further delayed. I finally landed in SJC 3 hours late. I still had the upgraded first class seat so I was able to sleep for most of that flight until finally returning home, going straight to sleep. Until now.

Syndicated 2010-05-16 00:58:49 from Alon's Blog

Twitter Weekly Updates for 2010-03-21

  • Just arrived at TLV. Will stay in Israel till the end of March. #
  • Arrived at parents' house. Wifi again at last! #

Syndicated 2010-03-22 06:34:00 from Alon's Blog

Blog update, forum crash.

Some have you may have noticed that my blog has a new look. Others may have noticed that the Israeli polyamory forum that I’m hosting has crashed, losing all information. Both of these events have to do with my (paid) hosting account at bluehost.com.

It all started when I wanted to upgrade my ancient wordpress install (with some custom modifications) to a more modern and standard install. So, I backed up my blog and database and proceeded to install the new version. This required a few iterations, each requiring to delete the old instance of the blog.

My major mistake was during one of those installations, I have misclicked and deleted the wrong site — the active poly forum. The delete action did create a backup, but since the database was exported using the wrong encoding, all Hebrew data (including the entire forum) was lost.

I immediately called my hosting provider, but they did not have backups of my account. I never set up a backup script for my hosting account, so the entire contents were lost.

I did reinstall a new forum and the blog. I am now working on a backup solution for my account.

The new blog has several nifty features: On the right sidebar you may find my current exact location. Also, the subscription system should work better and replies could be verified by OpenID.

Syndicated 2010-03-17 21:42:04 from Alon's Blog

Happy π day!

Today is March 14th, aka pi day, a day celebrating one of the most important numbers in mathematics - π.

Since I happened to be in Germany today, I celebrated π day with my brother and his wife by making 2π — a yummy beef pie for dinner and a chocolate pie for dessert.

 Beef pie for pi day

For dessert we decided to make the pie even more meaningful and decorate the pie with the first few digits of π, resulting in a delicious, and informative pie:

Chocolate pi with digits!

More photos are available on Flickr and Facebook.

In other news, I’ll be arriving in Israel on Tuesday. If you want to meet me, let me know…

Syndicated 2010-03-14 18:29:11 from Alon's Blog

109 older entries...


epsalon certified others as follows:

  • epsalon certified epsalon as Journeyer
  • epsalon certified kilmo as Journeyer
  • epsalon certified shlomif as Apprentice
  • epsalon certified mulix as Master
  • epsalon certified ladypine as Journeyer

Others have certified epsalon as follows:

  • epsalon certified epsalon as Journeyer
  • mulix certified epsalon as Journeyer
  • ladypine certified epsalon as Journeyer
  • kilmo certified epsalon as Journeyer
  • helcio certified epsalon as Apprentice
  • nyh certified epsalon as Journeyer
  • shlomif certified epsalon as Journeyer
  • wet certified epsalon as Journeyer
  • mazurek certified epsalon as Journeyer

[ Certification disabled because you're not logged in. ]

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page