Re: Facebook Image Privacy

[Dan Kaminsky <dan () doxpara com>]

On Sun, Jan 17, 2010 at 8:47 PM, Larry Seltzer <larry () larryseltzer com>wrote:

>  >> It's a password to a single asset, which is retrieved in its
> entirety.  If you allow "omg, somebody could share the link" to be
> considered a security hole, then I can see the stories now...
>
>  I’ve often thought that security through obscurity gets a bad rap.
> Perhaps this is one of those cases.
Obscurity is not secrecy.  A password is secret.  So are prime numbers at
the heart of RSA private keys.  The difference is that analysis by an
attacker will yield progress against an obscure system, but not a well
chosen secret.  Or, put another way, *systems* have to do things, so they're
behavior can't be as random as a password or a private key.



> My real problem with it is that I’ve marked it for “Only Me.” Why do they
> need to provide this link? And they only do it for images, not for plain
> text posts or videos where you mark it as “Only Me.”
Clearly users wanted to know how to take a photo that was for "only me" and
share it with a few others, out of band.  As long as the photo isn't showing
up in open galleries, I think it's pretty clear that user intent is actually
being scrupulously respected.



> Larry Seltzer
> Contributing Editor, PC Magazine
>
> larry_seltzer () ziffdavis com
>
> http://blogs.pcmag.com/securitywatch/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.