« A just-about-five-minute intro to the Kindle and Sony PRS-700 | Main | Web-Based Calendar Services »

Facebook is not your Friend

Hi, my name is Greg Barniskis. I've worked for SCLS for almost two decades now in various roles. My current title is Computer Systems Integrator, a job that involves making sure that all the different parts that make up LINK and SCLS network services can connect and play nice together.

The topic for today is not so much Facebook, or even social networking. It's about playing nice together, or rather it's about sites that don't play nice. Recent incidents specific to Facebook can highlight a problem that is deep and wide and spreading: rotten scripting in a web of trust.

Did you know that when you visit a site like Facebook, it is often presenting you with much more than just pictures, text, sound or video? Almost every major Web site today makes some use of browser scripting to tie those other elements together in a dynamic way. The real problem: not all scripts are safe for you to run.

Take the Facebook problem for example. Recently, scripts delivered via Facebook pages have been implicated in injecting malware onto LINK staff computers. Malware that was so new that it was not instantly clobbered by antivirus software. Malware that was able to sink its teeth into the hard disk and start doing who knows what. This degree of infection requires SCLS to take the stricken PCs off the network and wipe their disks completely clean, greatly inconveniencing the library staff.

At the heart of the problem is an implicit web of trust. Facebook trusts its users. Facebook trusts its affiliates. Facebook trusts its advertising sponsors. In turn, the users and affiliates and sponsors may trust others, and so on. And if you like Facebook, you will in turn just have to blindly trust all of these parties too... Or will you?

Firefox is your Friend

The Firefox browser can help you examine the web of trust that dominates much of the modern Internet. Using a Firefox extension called NoScript, you can declare that you will not blindly trust third parties to program your Web browser. The great benefit of this stance is that malware scripts will be stopped cold. The great cost is that most Web sites (including our very own LINKcat Web) will completely stop working because you don't trust their scripts.

Doh! You just can't win, can you? Sure you can! Whenever NoScript suppresses the script elements of a Web page, it tells you so. If that scripting is essential for the site to operate, and you really need the site to work, you can tell NoScript that you do want to allow this site's scripts. NoScript will remember your selections so that everything "just works" the next time you browse that site.

As with most security measures, NoScript makes things a bit less convenient as a side effect of making you safer. But because it learns as you go along, it becomes less and less inconvenient every day until it eventually sort of fades into the background. I recommend NoScript, and personally I won't surf without it.

To learn more about script security and try it out for yourself, start by reading more about the features of NoScript.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Hi Greg, now that I'm using FB regularly at home, I re-read your entry. I thought all LINK PC's would have "NoScript" enabled, as a preventative feature. I seem to remember not being able to download certain sites in IE because of a scripting issue (sorry, but I can't recall the details, except that I couldn't install templates from MS Word). But it sounds like what you're suggesting is different than what happened in IE. Can you shed light on this? Thanks, Mary

Hi Mary, I think your IE issue probably had to do with a combination of security improvements and other changes with IE version 7, and/or Office 2007 changes. For Firefox, the NoScript extension is not automatically loaded on every LINK PC for several reasons. Mainly, because that would be intrusive in a way that would stop a lot of legitimate work from being done efficiently. It is recommended, but must be optional or it could easily be more pain than gain.

Post a comment