Facebook Security

Secure your Facebook Account with Two Easy Steps

Step 1. Enable Two Factor Authentication via an anonymous Security App.

Enabling two factor authentication (2FA) is one of the best ways to secure your account. Facebook provides two methods.

  1. SMS via your phone – requires service
  2. App based codes via your phone (or tablet) – this does not require an active data connection

If you’re not a fan of Facebook knowing your phone number and don’t want to enable two factor authentication using that method, then you’re in luck! Simply go to the two factor settings page and select “add an app”.

Facebook 2 Factor Settings

You can download the Google Authenticator application to your phone and enable it using the steps provided on Facebook’s page. This code generator is 100% anonymous and is based on an open standard, the “Time-based One-Time Password” (TOTP) algorithm.

Once enabled, anyone who attempts to log in to your account with the correct password will also be required to enter a generated number. This number changes every 30 seconds. Facebook will generally ask you for the 2FA code when you attempt to sign in from an unknown computer or device.

Step 2. Remove Those Old Apps

If you’ve ever been a “victim” of spam posts, it’s likely an old rogue app posting on your behalf and tagging your friends.

You’ve probably added a lot of apps in your life time. Some may be dead, and some may be harvesting your data as you sleep. Head on over to the applications and websites settings and you’ll be able to see them all.

Just review and edit ones you think you no longer use. You can remove them outright by checking the box and clicking “Remove.”

You can also use this to report bad apps that you may have.

Hopefully this helps you out.


Allowing the Facebook Debugger through nginx’s auth_basic

In my prior post, Allowing the Facebook Debugger through .htaccess, I showed how you could do just that. But, as time goes on, I spend more and more time with nginx and I need to adapt my rules.

So, today, I decided I should do the exact same thing with nginx. All of the dev sites I work on are generally password protected with a standard auth_basic setup. This is great, keeps the robots out and prying eyes away. But it’s always an issue when you need to test sharing and other external scrapers.  As it turns out, doing so with nginx is just as simple as it was with Apache.

My initial ‘location’ block was a simple configuration:

location  /  {
  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;

  # Front-controller rewrite: anything that isn't a real file goes to index.php.
  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

To allow the Facebook debugger through the simple auth_basic was as easy as adding an if check and a secondary ‘location’ rule.

location  /  {
  # Map the 418 status returned below to the @allowed location.
  error_page 418 = @allowed;

  if ($http_user_agent ~* facebookexternalhit) {
    # bypass httpauth.
    return 418;
  }

  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;

  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

location @allowed {
  # Same front-controller rewrite as above, but with no auth_basic.
  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

The first thing added was a rule telling nginx what I mean when I say ‘return 418’ – this is the HTTP response code for “I’m a teapot”. The if block simply checks whether it’s a known Facebook agent, and the third block is a custom location that strips out the authentication requirements.

The concept is fairly simple and can be applied to any other external scraper that you may need to let through.


Allowing the Facebook Debugger Through .htaccess

Here’s a short story: when I develop Facebook web apps, I do it under a password-protected development site. Facebook hates this. It complains that it can’t reach URLs, it can’t get metadata, it can’t do this, it can’t do that. The downside to not having a password is the fact that anybody can hit the site. (Sandboxing is almost useless, these days.)

So, the quick solution: allow Facebook to hit it, but only via their external metadata scraper.

A quick edit (well, not so quick; it was something obscure) of my .htaccess rules, and voilà! Facebook can debug and people still can’t hit it (easily).

# Flag requests whose User-Agent identifies Facebook's scraper.
SetEnvIf User-Agent ^facebookexternalhit.*$ Facebook=1

AuthType Basic
AuthName "Art & Science DEV Server"
AuthUserFile /home/dclarke/www/dev/.htpasswd
Require valid-user

# "Satisfy Any": a request passes if it authenticates OR the Facebook flag is set.
order allow,deny
Allow from env=Facebook
Satisfy Any

First, set an environment variable based on whether it is the Facebook user agent. Then, allow access. The key here is the ‘Satisfy Any’ line, which means you can get in if you have a user and password, or if that environment flag is set. The downside is now you all know you can just set your user agent to Facebook and get access to my dev sites. 😉
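Both the nginx and the .htaccess versions above key the bypass on the User-Agent header alone, and the post itself points out that anyone can send that header. A defender-side check that fits both setups is to read the access log for requests that presented the crawler User-Agent but did not come from the crawler's published address ranges. The script below is an added example written for this page (it is not the author's code and not anything Facebook ships): it parses the combined log format that nginx's default and Apache's "combined" format share, applies the same case-insensitive `facebookexternalhit` match the nginx rule uses, and flags hits from outside an allow-list. The allow-list is a placeholder built from an RFC 5737 documentation range so the script runs offline; in practice it would be filled from Facebook's published crawler prefixes (the AS32934 route list). The log lines are constructed sample data, not real traffic.

```python
import ipaddress
import re

# PLACEHOLDER allow-list: 203.0.113.0/24 is an RFC 5737 documentation range,
# used here only so the example runs offline. Replace with the crawler
# prefixes Facebook publishes (obtained from the AS32934 route list).
FACEBOOK_CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def claims_facebook_ua(user_agent: str) -> bool:
    """Same test as the nginx rule (~* facebookexternalhit): case-insensitive substring."""
    return "facebookexternalhit" in user_agent.lower()


def from_facebook_net(ip: str, nets=FACEBOOK_CRAWLER_NETS) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def suspicious_bypasses(lines, nets=FACEBOOK_CRAWLER_NETS):
    """Requests that presented the crawler User-Agent (and therefore skipped
    auth_basic / Satisfy Any) but did not originate from a crawler network."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if claims_facebook_ua(rec["ua"]) and not from_facebook_net(rec["ip"], nets):
            flagged.append(rec)
    return flagged


# Constructed sample log lines (not real traffic). Only the second one should
# be flagged: crawler User-Agent, but from an address outside the allow-list.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2011:13:55:36 -0400] "GET /share-test HTTP/1.1" 200 512 "-" '
    '"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"',
    '198.51.100.23 - - [10/Oct/2011:13:57:02 -0400] "GET /admin HTTP/1.1" 200 2048 "-" '
    '"FacebookExternalHit/1.1"',
    '198.51.100.23 - - [10/Oct/2011:13:57:40 -0400] "GET / HTTP/1.1" 401 188 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.9 - alice [10/Oct/2011:14:01:11 -0400] "GET /index.php HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for rec in suspicious_bypasses(SAMPLE_LOG):
        print(f'{rec["ip"]} {rec["status"]} "{rec["request"]}" ua={rec["ua"]!r}')
```

Run against a real log, the same three functions work unchanged; the only site-specific part is the allow-list, and the status code in each flagged record tells you whether the bypass actually served content (200) rather than being challenged (401).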

Randomness Socially Inept

I Dislike Like Gates So Much…

I dislike a “like gate” so much, I’ve conditioned myself to do battle against them. Here’s what I do:

  • Like the page.
  • Go to my profile, remove the announcement that “Darryl Likes [insert like-gate here]”
  • Do what I need to on the page.
  • Unlike the page.

What is a “Like-Gate”?

A like-gate is effectively a gate on a Facebook page that forces you to “like” it before you can see the page contents. Fortunately a like-gate is stuck to only a tab on a page, so you can typically view the wall, photos, and other media without having to like the page. And, in recent changes, you can now write on the wall and interact with other posts without having to like the page at all, ever.

Like-gates are typically stuck in front of “premium” (aka mostly useless) extra content and contests.

Why I Dislike Them?

It’s pretty simple. When you use a like-gate, you certainly benefit from the influx of people who are forced to like you. But it’s just that: they’re forced. You have absolutely no metric as to how many people genuinely like your product/page. You only have an inflated number of people that “don’t give a shit” and really, that can’t be good.

I for one would rather have 100 fans that really like me than 10,000 that don’t give a shit.  But hey, I’m crazy.

Randomness Socially Inept

Facebook Timeline isn’t “New” #f8

This timeline feature isn’t the first timeline that Facebook has attempted to use. Once upon a time, at least 4 years ago, when you joined Facebook and added friends it always asked “How do you know this person?” and “When did you meet?”

Those questions, as well as many other little things within Facebook, led to a social timeline that was tucked away in its depths. It filled gaps in time with witty things like “Darryl was underground this year.” and “Darryl wasn’t very active.”

Now they’ve just got more data to make the timeline more interesting. I suspect that this old data will resurface in some way. I’ll be interested in seeing how else they fill in holes this time. It will be interesting to see the mass reaction to it. It will be interesting to see how much I can control.

It will also be interesting to see how many times my statuses show up as “looking for a hottie.”

Socially Inept

Facebook, Twitter, Google+ And The Future…

There are a few things that have been swirling around inside my cavernous mind since the initial launch of Google+, all of which relate to the future of social networks.

I’ve already noticed a fracture forming in the camps of Facebook, Twitter and Google+ users. I’ve already seen the behaviour of cross-posting to each, and even selective posting on one or the other. In fact, I’m guilty (if it’s a crime) of doing such a thing. And it’s happening purely based on how people behave on each network.

About a month ago I disconnected my Twitter account from auto-posting to my Facebook account. Why? It’s simple, I got sick of the way Facebook treated my own and everybody else’s Twitter posts. I got sick of seeing “XX More posts from Twitter.” — A link that nobody ever clicks. All of my friends who use Twitter to post to Facebook would get bunched into one clump. And in most cases, unless you were the one single tweet (last one in) to be on top, you were likely to just get lost in the ether. Ever since I disabled the connection and started updating my status directly on Facebook I’ve seen a much greater response to the inane things I say.

Facebook hates Twitter, that’s why they did this. It wasn’t always this way. Once upon a time Twitter updated your status directly and as such it never got grouped. Which brings me to my next point.