60 items tagged “facebook”
Why Facebook open-sourced its datacenters. Jon Stokes speculates that Facebook plan to use open source hardware to compete with Google at datacenter efficiency. This isn’t a new pattern. Years ago when I worked at Yahoo! I was furiously jealous of the secret sauce technologies that allowed Google to build big applications faster than anyone else, such as BigTable and map/reduce. Today, the open source world has created better, free alternatives—sponsored in part by Facebook, Yahoo! and other Google competitors.
9th April 2011, 7:54 am
The Inside Story of How Facebook Responded to Tunisian Hacks (via) “By January 5, it was clear that an entire country’s worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.”—which is why you shouldn’t serve your login form over HTTP even though it POSTs over HTTPS.
24th January 2011, 6:06 pm
Facebook’s Instant Personalization: An Analysis of Fundamental Privacy Flaws (via) Oh FFS. “Instant Personalization” means you visit one of Facebook’s “partner websites” and Facebook instantly tells them your full identity and gives them access to full Facebook connect functionality—without you performing any action other than visiting the site. This will not end well.
2nd October 2010, 11:53 pm
“Likejacking” Takes Off on Facebook. The Facebook Like button is vulnerable to Clickjacking, and is being widely exploited. Since Likes show up in your Facebook stream, it’s an easy attack to make viral. The button is implemented on third party sites as an iframe, which would seem to me to be exploitable by design (just make the iframe transparent in the parent document and trick the user into clicking in the right place). I can’t think of any way they could support the embedded Like button without being vulnerable to clickjacking, since clickjacking prevention relies on not allowing your UI elements to be embedded in a hostile site while the Like button’s functionality depends on exactly that.
3rd June 2010, 10:01 am
The Evolution of Privacy on Facebook. Brilliant infographic showing exactly how the visibility of different aspects of your Facebook profile has changed in increments since 2005. Also a nice example of Processing.js in action.
9th May 2010, 11:53 am
Facebook’s Open Graph Protocol from a Web Developer’s Perspective. Best explanation I’ve seen yet of what the Open Graph protocol actually does. Add the RDFa-inspired metadata and a Like button to a standard web page representing a place, group, product, website or one of another limited set of object types and people can “Like” it just like they might join a fan page within Facebook itself. You can then send news feed updates to all of that page’s subscribers. The bootstrapped metadata can then benefit other services as well.
26th April 2010, 1:21 pm
The new Facebook API exposes the events you attend to anyone on the Internet. I’m generally impressed by the new set of Facebook APIs—they’re a whole lot easier to work with than the older stuff—but they’re also clearly a bit half-baked and the privacy model needs some urgent work. The Graph API allows you to see all “open” events that any user has attended or is attending, which can expose things like their friends’ home addresses. Yes, this means you can stalk Mark Zuckerberg.
26th April 2010, 12:08 pm
Fear and Loathing in Farmville. “At multiple times during the conference, [Daniel] James expressed his serious ethical qualms over the path social gaming was laying for the industry. So many of the methods for making money are thinly-veiled scams that simply exploit psychological flaws in the human brain.”
21st March 2010, 10:13 am
Facebook Adds Code for Clickjacking Prevention. Clever technique: Facebook pages check to see if they are being framed (using window.top) and, if they are, add a div covering the whole page which causes a top level reload should anything be clicked on. They also log framing attempts using an image bug.
13th March 2010, 10:42 am
Some People Can’t Read URLs. Commentary on the recent “facebook login” incident from Jono at Mozilla Labs. I’d guess that most people can’t read URLs, and it worries me more than any other aspect of today’s web. If you want to stay safe from phishing and other forms of online fraud you need at least a basic understanding of a bewildering array of technologies—URLs, paths, domains, subdomains, ports, DNS, SSL as well as fundamental concepts like browsers, web sites and web servers. Misunderstand any of those concepts and you’ll be an easy target for even the most basic phishing attempts. It almost makes me uncomfortable encouraging regular people to use the web because I know they’ll be at massive risk to online fraud.
2nd March 2010, 10:16 am
Making Facebook 2x Faster. Facebook have a system called BigPipe which allows them to progressively send their pages to the browser as the server-side processing completes to optimise client loading time. Anyone reverse engineered this yet to figure out how they actually do it?
19th February 2010, 9:14 am
HipHop for PHP: Move Fast. Facebook have open-sourced their internally developed PHP to C++ compiler. They serve 400 billion PHP pages a month (that’s more than 150,000 a second) so any performance improvement dramatically reduces their hardware costs, and HipHop drops the CPU usage on their web servers by an average of 50%. “We are serving over 90% of our Web traffic using HipHop, all only six months after deployment”.
2nd February 2010, 6:59 pm
tipsy. Simple Facebook-style tooltip plugin for jQuery.
30th December 2009, 6:21 pm
The Dangers of Clickjacking with Facebook. theharmonyguy compiled a list of actions that can be triggered on Facebook by a single click, and hence are vulnerable to clickjacking attacks. The list includes authorising malicious applications, posting links to profiles, sending friend requests and sending messages to other users. Why don’t Facebook include frame busting JavaScript on every page?
23rd December 2009, 10:20 am
New Facebook clickjacking attack in the wild. I’m not sure why Facebook don’t use frame-busting JavaScript to avoid this kind of thing. The attack is pretty crafty—a Facebook page is positioned with everything obscured bar part of the blue “share this” button, and a fake “Human Test” asks the user to find and click the blue button to continue.
22nd December 2009, 6:52 pm
FT.com: The rise and fall of MySpace (via) Lots of stuff about the internal politics at News Corporation. Of particular interest: MySpace have to take feature proposals to News Corp for approval. Meanwhile, Facebook are leading the industry in their use of A/B testing to figure out exactly what features their users will respond well to.
5th December 2009, 5:09 pm
Today, Facebook counts 29% of its employees (and growing!) as Hive users. More than half (51%) of those users are outside of Engineering. They come from distinct groups like User Operations, Sales, Human Resources, and Finance. Many of them had never used a database before working here. Thanks to Hive, they are now all data ninjas who are able to move fast and make great decisions with data.
— Facebook Data Team
30th November 2009, 11:30 am
Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files.
5th November 2009, 9:47 am
Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your users’ passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out.
23rd August 2009, 10:02 am
When we get the tools to do distributed Twitter, etc., we get the tools to communicate in stanzas richer than those allowed by our decades-old email clients. Never mind Apple being anti-competitive, social networks are the peak of monopolistic behaviour today.
— Blaine Cook
13th August 2009, 1:06 pm
Up and running with Cassandra. Twitter are beginning to use Cassandra, the open source branch of Facebook’s BigTable-like non-relational database. Evan Weaver explains how to get started with it, but warns that it’s not yet a good idea to trust data to it without having a full backup in an unrelated storage engine.
7th July 2009, 11:18 am
Facebook Usernames and OpenID
Today’s launch of Facebook Usernames provides an obvious and exciting opportunity for Facebook to become an OpenID provider. Facebook have clearly demonstrated their interest in becoming the key online identity for their users, and the new usernames feature is their acknowledgement that URL-based identities are an important component of that, no doubt driven in part by Twitter making usernames trendy again. [... 760 words]
Exclusive: The Future of Facebook Usernames. I have to admit I was planning to just let Facebook get on with it, assuming that the OpenID provider part would show up of its own accord—but maybe I should write a thoughtful and persuasive essay about it after all.
11th June 2009, 9:46 am
Streams, affordances, Facebook, and rounding errors. I asked Kellan about scaling activity streams the other day. Here he suggests the best technique is not to promise a perfect stream (like Twitter does)—Facebook used to get away with 80% loss of update messages, but their new redesign has changed the contract with their users.
19th March 2009, 2:02 pm
Parallel merge sort in Erlang. Thoughts on an Erlang-y way of implementing a combined activity stream (e.g. Facebook and Twitter). Activity streams are a Really Hard Problem—as far as I know there’s no best practice for implementing them yet.
15th March 2009, 1:36 pm
Plaxo sees 92% success rate with OpenID/OAuth hybrid method. Really wish I could have been at the OpenID UX Summit hosted by Facebook yesterday—sounds like an awful lot of important problems are being solved.
11th February 2009, 5:20 pm
Four reasons why public Facebook status updates won’t kill Twitter. Mike Butcher highlights the importance of “follow” rather than “friend” in social software.
9th February 2009, 7:04 pm
... Facebook will be hosting the second User Experience Summit for OpenID on February 10th. The goal is to convene some of the best designers that leading internet companies can muster, and bring them together to develop a series of guidelines, best practices, iterations, and interfaces for making OpenID not just suck less, but become a great experience
— Chris Messina
6th February 2009, 12:19 am
Integrating Facebook Connect with Django in 15 minutes. Django authentication middleware that calls the Facebook REST API using a cookie set by Facebook Connect and checks if that person is your Facebook friend. Despite most of the magic happening on the server you still need Facebook’s JavaScript to set that cookie in the first place.
17th December 2008, 1:18 pm
Scaling memcached at Facebook. Fascinating techie details on how Facebook forked memcache to use UDP and increase performance from 50,000 requests a second to 200,000. Now running on 800 servers with 28 TB of memory, and their code is on GitHub. (They may scale like crazy, but they can’t put their blog entry title in the title element?)
13th December 2008, 10:08 am
Facebook’s new signup process. It looks like they’ve dropped the “enter your password twice” pattern. Is this really a good idea? I suppose if people mis-type it they can always use forgotten password to set a new one.
12th December 2008, 11:43 am
Yahoo! Releases OpenID Research. Extremely valuable research, conducted with a group of typical Yahoo! users. OpenID’s usability remains bad, and if we don’t get it right soon something centralised like Facebook Connect will take over and the Web will stop being open.
14th October 2008, 4:59 pm
FB App Canvas Pages: I Think I’d Use IFrames. Facebook’s Charlie Cheever explains the difference between FBML canvas pages, iframe pages and XFBML when building Facebook apps. I’m always surprised at APIs that load untrusted content in an iframe, as it seems like an invitation for frame-busting phishing attacks.
2nd October 2008, 2:39 pm
Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year.
24th September 2008, 1:11 pm
Facebook engineering notes on Scaling Out. Jason Sobel explains a couple of tricks Facebook use to deal with consistency between their California and Virginia data centres. The first is to hijack the MySQL replication stream to include information about memcached records to invalidate; the second is to use Layer 7 load balancers which inspect a “last modification time” cookie and send users to the masters in California if they have updated their profile in the past 20 seconds.
20th August 2008, 11:51 pm
Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To. Nice to see TechCrunch highlighting the hypocrisy of Facebook advising their users to never enter their Facebook credentials on another site, then asking them for their webmail provider password so they can scrape their address book.
9th August 2008, 10:18 am
simple-thrift-queue (via) Phillip Pearson’s surprisingly concise in-memory message queue written in Python using Facebook’s Thrift library (which is similar to Protocol Buffers, but was open sourced much earlier on). Handles 4,000 requests per second on a laptop.
4th August 2008, 12:27 pm
Dark Launches, Gradual Ramps and Isolation: Testing the Scalability of New Features on your Web Site. Smart advice from Dare Obasanjo that extends the “dark launch” idea illustrated by Facebook chat a few weeks ago.
29th June 2008, 2:22 pm
He/She/They: Grammar and Facebook. Facebook are going to start requiring gender information because foreign language translations wind up being too confusing when that information is not available. Aside: I wish they’d implement proper title elements on their blog posts.
27th June 2008, 9:06 am
Google Trends for Websites: myspace.com,facebook.com. New fun tool from Google Trends.
20th June 2008, 8:50 pm
Facebook Open Platform. Facebook have open-sourced (under a modified MPL, does it still fit the OSI definition?) the code for the Facebook Platform, including their implementations of FBML, FQL and FBJS. This is no small release; the tarball weighs in at 40MB and includes libfbml, which depends on Firefox 2.0.0.4 for its HTML parser!
3rd June 2008, 12:21 am
Engineering @ Facebook: Facebook Chat. The new Facebook Chat uses Comet (long polling with a hidden iframe) against a custom web / chat server written in Erlang, designed to handle a launch to all 70 million users at once. It was tested using a “dark launch” period where live pages simulated chat request traffic without showing any visible UI.
15th May 2008, 7:55 am
The real roadblocks to data portability on social networks. A bunch of smart questions posed by Facebook’s Dave Morin. This is why I think data portability is the wrong framing—moving data between sites is really hard. Importing social relationships between sites is much more viable (hence my interest in social network portability). Also, the complaints about systems sharing e-mail addresses are neatly addressed by using OpenID as the GUID for a user instead. OpenIDs can’t be spammed.
26th March 2008, 7:53 pm
The GigaOM Interview: Mark Zuckerberg. Some interesting titbits on Facebook’s architecture.
11th March 2008, 5:41 am
For me, the big problem with Facebook is the plain fact that it’s an extremely annoying piece of software. [...] The central issue for me is that Facebook suffers a severe reverse network effect: the more people who join, the less useful it becomes.
— Ben Brown
3rd January 2008, 4:50 pm
Two-Faced Django. Excellent Django tutorial by Will Larson that shows how to build a polling application with an interface both on the Web and in Facebook. Also touches on unit testing and Ajax using jQuery.
14th December 2007, 2:44 pm
Deconstructing Facebook Beacon JavaScript. How Facebook’s new Beacon service (also known as “Facebook ruined Christmas”) actually works.
25th November 2007, 9:20 pm
Is Facebook Really Censoring Search When It Suits Them? Apparently MoveOn’s group “Petition: Facebook, stop invading my privacy!” stopped showing up in search results for “privacy”—the search claimed 17 results but suspiciously only showed 16.
23rd November 2007, 7:50 am
New on Dopplr: The Past (with Pictures). Dopplr’s trip pages automatically display your Flickr/Facebook photos that were taken during the duration of the trip—simple and smart integration of third party sites.
20th October 2007, 11:25 am
identity-matcher. Dopplr’s social network importing code (for Gmail, Twitter, Facebook and sites supporting Microformats), implemented as a Rails ActiveRecord plugin.
4th October 2007, 2:53 pm
Right now Facebook’s position on 3rd party developers is amazing and I’m sure they are genuine in their support. However, give Facebook two missed quarters as a public company and they might not have no choice but to squeeze every ounce of revenue out of Facebook. That squeeze might include competing with the current crop of Facebook developers.
— Jason Calacanis
1st October 2007, 8:55 pm
Announcing the Dopplr 100. Similar to how Facebook used to only allow college e-mail addresses, Dopplr is now open to holders of e-mail accounts from 100 large corporations. The blog release doesn’t specify if each corporation gets its own special “group” within the application; that would be a neat touch.
26th September 2007, 4:34 pm
Facebook Bankruptcy. I have exactly the same problem.
29th July 2007, 9:11 pm
Washington Post and Facebook. Deryck Hodge on hacking against Facebook API using Django.
19th June 2007, 10:33 am
iLike: Holy cow... 6mm users and growing 300k/day! (via) Facebook platform offers a viral distribution mechanism for free. Downside: you have to double your capacity every few days.
13th June 2007, 9:02 am
The Facebook Platform wiki (via) Not very well promoted yet.
13th June 2007, 8:52 am
Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, Facebook all feature.
29th May 2007, 10:07 pm
... Facebook has roughly 200 dedicated memcached servers in its production environment, plus a small number of others for development and so on. A few of those 200 are hot spares. They are all 16GB 4-core AMD64 boxes, just because that’s where the price/performance sweet spot is for us right now.
— Steve Grimm
3rd May 2007, 10:36 pm
phpsh. An interactive shell for PHP, developed at Facebook and written mostly in Python. Facebook are really pushing their open-source stuff at the moment.
3rd April 2007, 9:43 am
Facebook Query Language. The Facebook API now lets you run SQL-like queries. You can’t do joins but you can perform very simple subselects.
25th February 2007, 12:06 pm