Facebook, this is not alright!

For months I have been receiving Facebook email notifications that are not related to my personal account. They are bounded to someone else’s Facebook profile, a namesake of myself. This person’s email registered on Facebook is quite similar to mine. The only difference is a dot between the first name and the surname in the username part of our Gmail addresses. Probably he does not know that Gmail treats name.surname@gmail.com and namesurname@gmail.com as the same address as I also did not before running into this issue.

facebugBut how bad is that? Many times I tried to prevent Facebook from sending me those emails by using the “not my account” link they provide on them. It was not enough and I kept receiving them. So today I decided to investigate how far this issue could go and used the “Forgot my password” link instead, then Facebook sent me an email with a code for setting up a new password. You can see where this is going. The password was reset without any further verification and I was logged in! I was logged into an account that is not remotely related to me due to an email typo! It seems that the account was active but it was not fully enabled. The owner might have not received the confirmation email, since it was being sent to me. Then I decided to deactivate the account anyway in order to avoid further confusions and told Facebook what was happening by leaving them a message on the deactivation form. I thought that the two email addresses were from different Gmail accounts but investing further I discovered that it does not matter if your email has a dot or not. If you send messages to name.surname@gmail.com, namesurname@gmail.com and na.mesur.name@gmail.com all of them will be directed to the same mailbox.

Anyway, this is a big security flaw. It is not ok that someone can access an account only because other person made a mistake while typing the email address. If the email address is not verified right after the registration then the Facebook account should be deactivated or should expire after some time. I have been receiving this guy’s friends notifications, friendship requests and suggestions for a long time. They should not have sent emails to me at all, besides the first one confirming the email address.

If you feel insecure about this, the best thing you can do is enabling the two factor authentication feature. Facebook will send a text message to your cell phone in order to confirm your identity. This at least will prevent unauthorized access if someone resets your password.

Brazil x U.S.A.: the real absurdities about the espionage

The information disclosed by Edward Snowden to the world created a diplomatic incident between Washington and Brasilia. The Brazilian government is fed up with the United States because it seems that our friends from the north are spying on us. We don’t know the real extent of the espionage endeavors, but the press – notably The Guardian’s reporter Glen Greenwald – is saying that Americans are lurking President Dilma Rouseff, her closest interlocutors and Petrobras, the Brazilian state oil company. But why is it so absurd and what can be done to prevent it?

Itamaraty Palace - the headquarters of the Ministry of External Relations of Brazil.
Itamaraty Palace – the headquarters of the Ministry of External Relations of Brazil.

Let me start by explaining what is not absurd: countries spying on each other. Well, that is just how reality is. All countries have intelligence agencies that, among other things, are responsible for gathering information that can be used to take security measures and also to make economic decisions. The diplomats will deny it, specially the economic espionage. The ones who were spied on will pretend to complain. The spies will pretend to change their methods. It is the diplomacy game. It is well known that states naturally tend to expand behavior and control to outside their boundaries. That is basic lateral pressure theory, commonly used on International Relation studies.

The first real absurd about this story is the fact that an employee, in the position of Snowden, could have access to that kind of piece of information. This is just bad information management and security. It is obvious that the United States government is not protecting highly classified information in a proper way. The second point is that they are not using this information effectively. The huge amount of data the NSA collects doesn’t seem enough to prevent attacks like the unfortunate incident in Boston earlier this year. The last absurdity, and more important in my opinion, is what governments didn’t do to prevent espionage as well as information leaks. The open source software community has been ringing this alarm for years. Jon Hall wrote a nice open letter to President Rousseff about this. Open source should be a crucial element for information and technological sovereignty. States as well as its citizens must know how the software used by public administration works exactly. The code must be auditable. Otherwise we are just asking for trouble. Otherwise we are blind.

I have been working with information security for a while now and I am under the impression that people in general don’t care about security until something really bad happens. Don’t do like our governments. Don’t wait until someone steel your data. Of course there isn’t a system or method 100% secure but risks can be minimized in great degree. We live in an information age and we need to take care of our data, and so does the governments.

And please… stop disabling SELinux!