Pluses and Minuses

Facebook Vs Google, Round 2

The whole world seems to be going gaga over the new kid on the block, Google’s Facebook Killer, Google+. I have tried it, and since I hardly ever like verdicts (they sound good in retrospect, but most people eat their own words when things don’t go right), I will just share some thoughts.

Overall, Google has delivered a kickass product. It’s a great bit of engineering. For the first time in its life, Google seems to have stepped out of its engineering-style product development and delivered something that is quite well polished. There are hardly any kinks, the product has been thought through well, including deep integration across all Google services. It has even gone ahead and published Google+-like themes for Gmail and Gcalendar. It takes a lot to introduce a new product across all your properties (the top bar in Gmail, Google Search etc.) on day one, and I commend Google on its confidence. And it’s a welcome change from the half-hearted efforts earlier (Buzz, and Orkut, which while well done was abandoned).

At the same time, however, the product lacks any irresistible feature that will make me switch. The usual features (wall/stream, notifications, @/+ mentions etc.) have been added. Circles is a great UI but not something Facebook won’t have in two weeks. Sparks and Hangouts are cool, but not at the core of social networking. I don’t think I will ever have the time or inclination to “hang out” on the web with friends, unless it’s work. And if it’s work, I would rather keep out of Google+. Sparks is something that I have still not understood, and it seems like something Google News should have added.

Moving the social web is a mountain. I don’t imagine people suddenly switching to the new kid on the block. People have pictures, friends and family on Facebook which they won’t leave behind on day one, and given how deeply Facebook is integrated into most people’s lives (it’s the first website I open after email), I doubt making the switch will be that easy. I also don’t expect my mom, my dad and so many other people to just jump on Google+, partly because of its (slightly) geeky interface.

Getting rid of baggage is also a good thing. That said, I do want a place where my new social life is better mirrored. Facebook has so much baggage now, people I may not even interact with, that having a place where I can interact with fewer people is actually better. I have heard horror stories of people meeting you after years and still knowing what you are up to (and you knowing nothing about them!). In a world where your friendships become limited to what you know from your Facebook news feed, having a new place to find new content is a welcome change. I also want a place where I can interact with people with whom I share some interests and keep it distinct from the rest of the world.

Is Google trying too many things? An obvious question comes to mind. Google is planning to fight Facebook and Twitter in social, Groupon in local offers, Microsoft in enterprise and search, and everybody else in Silicon Valley somewhere or the other. Suddenly, the company that started with “Don’t be Evil” has enemies all over and is fighting on all fronts.

Competition is good for Facebook. I think it’s going to keep Facebook on its toes, as it has in the last few months suddenly become the monopoly on your social connections. It needs to think about quite a few things: helping us keep our friend graph better organized, surfacing new and better content (I hate the spam on Facebook!), and figuring out ways to become more pervasive (are we going to see Facebook browser toolbars soon?).

Bad news for Twitter. The one to lose out the most may just be Twitter. What works for Twitter is the one-way friendship that geeks love and celebrities take refuge in. If Google is able to capture this well (circles are in some ways a one-way relationship; the friend connection in G+ is quite complex), people won’t mind moving to it. In this three-way world of Twitter/Facebook/Google, it will be Twitter which has the least stickiness, the most spam, and no way of monetizing. The dollars Twitter would have hoped to get would now get split even further. If Twitter is to stay afloat, it will definitely need to start thinking quickly.

StalkDaily worm hits Twitter

Found a full post-mortem of the latest worm to hit the social media scene: StalkDaily. Very interestingly, Twitter allowed users to add script tags to their profiles, and 17-year-old Mickeyy Mooney employed a cross-site scripting attack to not just post an update promoting his own site, but also add the same malicious JavaScript to the profile pages of whoever visited an infected page. The modus operandi of the attack is described in more detail here.

This, of course, made use of the authentication tokens that are present when you are logged into Twitter, and while it couldn’t scrape passwords, it did its harm. Twitter is kinda more open than all the others, since it exposes pretty much all its functionality through its API; it even gives users the ability to update their profiles through it. This, along with the fact that they allow JavaScript inclusion in the profile (extremely surprising! why would they allow this!), makes it easy to carry out cross-site scripting attacks here.

I was wondering what means can be employed to control this — and there are a few strategies that can be used here:

  1. Input Cleanup – Always clean up inputs when you are accepting anything from a foreign agent (user, website, API). This should include stripping or escaping script tags, guarding against SQL injection, etc.
  2. Secure Account Settings – Ensure that before changing account settings, users are at least made to enter their password once again, or that the settings live at a separate location (HTTPS) where the same authentication tokens cannot be used. Yahoo/Google do that for all important account settings.
  3. Sandbox External Code – If you do have to run any custom code that the user sends your way, run it in a sandbox. Rather than giving it access to all your data structures, create a new data structure, populate it appropriately and let the code emit its results in some predefined format (say, XML). You can then parse the results and display them. Showing users’ code directly can be quite dangerous.
  4. Extra Authentication for APIs – Give the API an extra authentication token, say an API key, so that users cannot access your APIs without it. The challenge here would be distribution of this extra information. This can either be done by asking users to enter an extra API key when they give API access to somebody, or by making the software pass through an API validation step (à la OpenID, or Vista UAC) that only hands out the API key after properly informing the user.
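
As an added illustration of strategies 1 and 2 above (example code written for this post, not Twitter’s code and not taken from the StalkDaily write-up), the Python below escapes every profile field on output, allows only http/https homepage links, and refuses a profile change unless it carries a short-lived, session-bound HMAC proof that the user re-entered their password. The profile values, session id and server secret are constructed sample values.

```python
import hashlib
import hmac
import html
import time
from typing import Optional
from urllib.parse import urlsplit

# ---- Strategy 1: input cleanup / escape-on-output -------------------------

# Only plain web links are allowed in the homepage field; anything else
# (javascript:, data:, vbscript: ...) is dropped rather than rendered.
ALLOWED_URL_SCHEMES = {"http", "https"}


def safe_url(value: str) -> str:
    """Return the URL if its scheme is allowed, otherwise an empty string."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    return value if scheme in ALLOWED_URL_SCHEMES else ""


def render_profile(display_name: str, homepage: str) -> str:
    """Render untrusted profile fields as HTML with every value escaped.

    html.escape turns < > & " ' into entities, so a stored <script> tag
    becomes inert text instead of active content on the viewer's page.
    """
    name = html.escape(display_name, quote=True)
    url = html.escape(safe_url(homepage), quote=True)
    link = f'<a href="{url}" rel="nofollow">{url}</a>' if url else ""
    return f'<div class="profile"><span class="name">{name}</span> {link}</div>'


# ---- Strategy 2: re-authentication before account settings change --------

REAUTH_WINDOW_SECONDS = 300  # how long a password re-entry stays valid


class ReauthGuard:
    """Issues and checks a short-lived, session-bound proof of password re-entry.

    The proof is separate from the login session cookie, so script that only
    rides on the victim's logged-in session cannot satisfy it.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret  # constructed sample secret in the demo
        self._clock = clock           # injectable for testing

    def _mac(self, session_id: str, issued_at: int) -> str:
        msg = f"{session_id}:{issued_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, password_ok: bool) -> Optional[str]:
        """Return a proof only when the password check succeeded."""
        if not password_ok:
            return None
        issued_at = int(self._clock())
        return f"{issued_at}:{self._mac(session_id, issued_at)}"

    def verify(self, session_id: str, proof: Optional[str]) -> bool:
        """Accept the proof only if it is fresh, bound to this session and untampered."""
        if not proof or ":" not in proof:
            return False
        ts, mac = proof.split(":", 1)
        if not ts.isdigit():
            return False
        issued_at = int(ts)
        if self._clock() - issued_at > REAUTH_WINDOW_SECONDS:
            return False
        return hmac.compare_digest(mac, self._mac(session_id, issued_at))


def change_profile(guard: ReauthGuard, session_id: str, proof: Optional[str],
                   new_name: str, new_url: str, store: dict) -> bool:
    """Apply a profile change only when a valid re-auth proof accompanies it."""
    if not guard.verify(session_id, proof):
        return False
    store[session_id] = (new_name, safe_url(new_url))
    return True


if __name__ == "__main__":
    # Constructed sample values: a worm-style profile payload and a javascript: link.
    hostile_name = 'Bob<script src="http://example.invalid/w.js"></script>'
    hostile_url = "javascript:alert(document.cookie)"
    print(render_profile(hostile_name, hostile_url))

    guard = ReauthGuard(b"constructed-server-secret")
    profiles = {}
    # A request carrying only the session (no fresh password proof) is refused.
    print(change_profile(guard, "session-123", None, "Bob", hostile_url, profiles))
    proof = guard.issue("session-123", password_ok=True)
    print(change_profile(guard, "session-123", proof, "Bob", "https://example.invalid/", profiles))
```

Escaping on output is what stops a stored script tag from running on whoever views the profile; the scheme allowlist is the extra check that plain escaping does not give you for `href` attributes. The re-auth proof is deliberately not the session cookie, which is the point of strategy 2: a change request that arrives with only the ambient login credentials is rejected.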

Do you have any other tips?
