Re: Facebook Image Privacy

[Alex Eckelberry <AlexE () sunbelt-software com>]

I agree.  I think this issue is overblown.

________________________________
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dan Kaminsky
Sent: Sunday, January 17, 2010 3:13 PM
To: Larry Seltzer
Cc: funsec () linuxbox org
Subject: Re: [funsec] Facebook Image Privacy



On Sun, Jan 17, 2010 at 8:47 PM, Larry Seltzer <larry () larryseltzer com<mailto:larry () larryseltzer com>> wrote:
> > It's a password to a single asset, which is retrieved in its entirety.  If you allow "omg, somebody could share the 
> > link" to be considered a security hole, then I can see the stories now...

I've often thought that security through obscurity gets a bad rap. Perhaps this is one of those cases.

Obscurity is not secrecy.  A password is secret.  So are prime numbers at the heart of RSA private keys.  The 
difference is that analysis by an attacker will yield progress against an obscure system, but not a well chosen secret. 
 Or, put another way, *systems* have to do things, so they're behavior can't be as random as a password or a private 
key.



My real problem with it is that I've marked it for "Only Me." Why do they need to provide this link? And they only do 
it for images, not for plain text posts or videos where you mark it as "Only Me."
Clearly users wanted to know how to take a photo that was for "only me" and share it with a few others, out of band.  
As long as the photo isn't showing up in open galleries, I think it's pretty clear that user intent is actually being 
scrupulously respected.


Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com<mailto:larry_seltzer () ziffdavis com>
http://blogs.pcmag.com/securitywatch/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.