I had to go read the actual paper to figure out how it worked. It's "updating link previews without visible notifications while retaining social capital". So you do a redirect and then that changes what was originally liked.
I have thought about this before, even without the clever hack indicated here:
Likes ought to drop off after an edit, or be clearly pointing to the previous version after any edit. IE they need to reflect staleness, and posts must better reflect that there's version history. In this day and age we ought to be able to differentiate between grammar/spell checks and complete rewrites, and update ux accordingly.
Another one is the ability for someone to change privacy level of a post from private to public. So that risky like that you thought was a safe one among friends could then be opened for everyone to see.
> Another one is the ability for someone to change privacy level of a post from private to public. So that risky like that you thought was a safe one among friends could then be opened for everyone to see.
This seems like a difficult problem in general and reminds me of this episode of Hidden Brain (https://www.npr.org/2019/09/06/758281834/you-cant-hit-unsend...). Where sharing shocking/"inappropriate" memes in a private WhatsApp led to everybody involved losing their spots in university.
We’re the memes really that bad? I still differentiate between a tasteless joke said in private versus screaming for example the N word publicly. Private v public behavior still has meaning to me.
Why difficult? Just put the same permissions on the "like" as the parent object being liked, and leave those permissions alone if the parent object updates.
Likes could be counted on "what" they were given to. Liking a private post would only count when the post stays private while liking a public post would be counted/displayed either way.
Yep. But the more responsible option (for FB engineers) would be to never allow opening up the privacy level - users should only be allowed to restrict it!
If they really want to share same content with the whole world, then that should be a completely new post.
You seed this kind of thing used by spammers on reddit from time to time. They'll get an upvoted comment which is very visible to other users and then edit it to include a link to some shady website.
That's basically it, and this "attack" works perfectly when the web is just HTML and hyperlinks.
The remarkable thing is that it still works in the walled garden of social networks like Facebook, even though their main value-add is that they can stop people abusing the system like this.
I seem to remember doing some prank-ish thing like this in the early days of Facebook.
Create an activity or whatever that you "liked" (ex: camping) and friends would see that "soylentcola liked camping". They would also like camping and then eventually you would change the name of that tag/activity/whatever to something like getting kicked in the nuts so that now it tells people that "John Smith likes getting kicked in the nuts".
I honestly don't remember the specifics as it's been years since we got our laughs out of this for a few minutes (hell, for all I know this was on MySpace and not Facebook. Really don't remember).
Right! This can be done by changing the name of a page people like. Not just a post.
Seems like you can get really good amount of likes for a popular thing (like calls for impeaching Trump in 2017) before changing it to some thing you want to promote (like Tom Steyer for President) ... and you can even qualify for the Debate stage!
I haven't been on Facebook in a couple of years now, but I recall similar issues. People/groups would create pages for popular things (again, like "camping" or "sleeping in on the weekends") so that thousands and thousands of people would "like" that thing.
Then once those pages had enough followers, they could be sold off to whatever marketing group wanted access to lots of user data and an outlet to post sponsored content to a lot of viewers.
It wasn't just this bait-and-switch, though. Loads of "meme" pages and similar stuff built up a large enough following and then were either sold or just directly used for marketing.
I think it was bigger when companies/individuals could use Facebook to drive clicks to their sites but I have no idea if that's still a thing these days. Last I saw, most users/posts tended to stay within the Facebook "umbrella" rather than being linked to outside sites.
We did this too, all the time. Never thinking about the implications. Then suddenly it's 10 years later, social media has become one of the dominant global communications channels and it turns out this vulnerability can be used not just for funny pranks, but also to get people thrown in jail or even killed.
It's uncanny how young people have a razor-sharp nose for weaknesses in the fabric of society, often without even realizing it.
There's a lot of major challenges to creating decentralized, trustless systems, but this is very easy to solve in a trustless system. All you do is indicate "Like"s by signing an object like:
{post:"<cryptographic hash of post>",action:"like"}
That way if the post changes, your signed "like" no longer applies.
This trustless-ness can be introduced in centralized systems too, but the tendency in a centralized system is to trust the central authority, which is the whole problem with such systems.
This doesn't work if you're just linking to some dynamic content. People will like the link and the link itself is static but the content provided by clicking it can change without notice.
In this case a different ad on that page would change the hash and you’d have to hash the content periodically anyway.
When I was using FB I noticed I “liked” some FB pages that in he meantime changes hands and were posting all kinds of crap. The name of the page stayed the same so I didn’t get the usual warning. With dynamic websites it’s impossible to have any control over those changes.
I think you're misunderstanding the nature of what I'm proposing.
You don't sign a hash of the URL or the page. You sign a URL of the content. If the content changes, your signed hash will no longer match, and the like no longer validates, which is exactly the point--your like isn't intended to apply to all future things the page owner could possibly put on that page, it's intended to apply only to the content that is there.
And personally, I'd never intentionally like an ad anyway. In general, ads causing things to lose all likes if they inject them into the content would be a good thing, because it would force advertisers to differentiate dynamic ads from content.
EDIT: I see you edited to clarify your other post, so my post here doesn't really apply any more. I've responded to that post directly.
The content being a dynamic webpage where if you change a single byte (ads, page logo, anything) the hash changes? Try to load any webpage twice and see if you can get exactly the same bits.
And just imagine how much of the internet FB would have to periodically hash, and what impact it would have on those sites too.
That's a feature not a bug. Not only is it a feature, it's the feature. That's the entire point.
It doesn't have to be the entire page that's hashed, only the content being liked.
Facebook would probably never implement this, because their entire business model relies on them being a trusted authority, so trustless architectures would actively undermine them.
In general, if you see my name above a post, you can assume that the only thing I want Facebook to do is sell all their assets, give the money to charity, and shut down. :)
> It doesn't have to be the entire page that's hashed, only the content being liked.
I think there's a disconnect here... The page to which your posted link points is the content. Whatever loads when clicking the link is the content you hash, with ads, scripts, the main body, the comments, the everythings. If I link to the front page of HN it's guaranteed it will never ever have any likes. If I link to an article that says something like "posted 6 minutes ago" then every minute the page changes.
A FB robot loads the link, receives some data (the full page), hashes that, attaches it to your "Like". Then rehashes periodically.
But every time someone clicks the same link they load slightly different content. Simply because something on that page changes. A new comment in that page, an evolving story where the site puts updates, a live blog, or a different ad loaded on the page, which are all valid reasons for a page to change. They would all invalidate the like.
So what happens next time? FB robot loads page, gets data, hashes, new hash doesn't match. Your Like is removed because the page changed. You might as well remove the Like button for anything linking outside of FB.
Educating users is an option, big warning that the content behind the link may change but let's be honest, most people will be oblivious to the implications.
> The page to which your posted link points is the content.
I disagree, the page is not the content of the page. I hear where you're coming from though: what you're saying is a widely-accepted approximation because "semantic HTML" is not semantic, so we don't have a way to get the actual content from an HTML page. This is by design: lots of big websites have a vested interest in making it impossible to separate their content from their presentation. But I don't think future implementations have to be bound by previous bad decisions.
Responding to this post, since it looks like you edited it (to clarify) and I responded to my misunderstanding based on what your post previously said:
That comes down to making sure you like what you actually intend to like: you probably don't intend to like the literal bytes of the URL, you probably intend to like the content at the URL. UIs can aid in this[1] but ultimately I don't think people think that specifically, and there's not a perfect technical solution to that problem.
[1] WARNING: You're about to "Like" a URL. The content at the URL may change. Do you wish to continue? Y/N
34 comments
[ 4.1 ms ] story [ 80.4 ms ] threadLikes ought to drop off after an edit, or be clearly pointing to the previous version after any edit. IE they need to reflect staleness, and posts must better reflect that there's version history. In this day and age we ought to be able to differentiate between grammar/spell checks and complete rewrites, and update ux accordingly.
Another one is the ability for someone to change privacy level of a post from private to public. So that risky like that you thought was a safe one among friends could then be opened for everyone to see.
This seems like a difficult problem in general and reminds me of this episode of Hidden Brain (https://www.npr.org/2019/09/06/758281834/you-cant-hit-unsend...). Where sharing shocking/"inappropriate" memes in a private WhatsApp led to everybody involved losing their spots in university.
If they really want to share same content with the whole world, then that should be a completely new post.
But is it the author editing the post who change it or what?
- You upload an image of a cute cat to your webserver
- You post the link to the image on some social network (using a throwaway account)
- You send the link to the post to a friend, who likes the post
- You switch out the image on the server for a photo of hitler (url stays the same)
- You wait a day for all the caches involved to update
- You act disgusted and ask your friend wtf they were thinking when they liked that image
- Everyone shrugs, says "computers eh?" and moves on with their lives
This attack would only work for gaslighting or repeated targeting I think, and even then, I don't think it would be that convincing.
You forgot the step of
-take an image of the transgression and post it to Twitter
-50000 other people see you liked hitler.
-your next job sees this image on the internet, so actually no, you dont get that job.
The remarkable thing is that it still works in the walled garden of social networks like Facebook, even though their main value-add is that they can stop people abusing the system like this.
Create an activity or whatever that you "liked" (ex: camping) and friends would see that "soylentcola liked camping". They would also like camping and then eventually you would change the name of that tag/activity/whatever to something like getting kicked in the nuts so that now it tells people that "John Smith likes getting kicked in the nuts".
I honestly don't remember the specifics as it's been years since we got our laughs out of this for a few minutes (hell, for all I know this was on MySpace and not Facebook. Really don't remember).
Seems like you can get really good amount of likes for a popular thing (like calls for impeaching Trump in 2017) before changing it to some thing you want to promote (like Tom Steyer for President) ... and you can even qualify for the Debate stage!
Then once those pages had enough followers, they could be sold off to whatever marketing group wanted access to lots of user data and an outlet to post sponsored content to a lot of viewers.
It wasn't just this bait-and-switch, though. Loads of "meme" pages and similar stuff built up a large enough following and then were either sold or just directly used for marketing.
I think it was bigger when companies/individuals could use Facebook to drive clicks to their sites but I have no idea if that's still a thing these days. Last I saw, most users/posts tended to stay within the Facebook "umbrella" rather than being linked to outside sites.
It's uncanny how young people have a razor-sharp nose for weaknesses in the fabric of society, often without even realizing it.
This trustless-ness can be introduced in centralized systems too, but the tendency in a centralized system is to trust the central authority, which is the whole problem with such systems.
When I was using FB I noticed I “liked” some FB pages that in he meantime changes hands and were posting all kinds of crap. The name of the page stayed the same so I didn’t get the usual warning. With dynamic websites it’s impossible to have any control over those changes.
You don't sign a hash of the URL or the page. You sign a URL of the content. If the content changes, your signed hash will no longer match, and the like no longer validates, which is exactly the point--your like isn't intended to apply to all future things the page owner could possibly put on that page, it's intended to apply only to the content that is there.
And personally, I'd never intentionally like an ad anyway. In general, ads causing things to lose all likes if they inject them into the content would be a good thing, because it would force advertisers to differentiate dynamic ads from content.
EDIT: I see you edited to clarify your other post, so my post here doesn't really apply any more. I've responded to that post directly.
And just imagine how much of the internet FB would have to periodically hash, and what impact it would have on those sites too.
It doesn't have to be the entire page that's hashed, only the content being liked.
Facebook would probably never implement this, because their entire business model relies on them being a trusted authority, so trustless architectures would actively undermine them.
In general, if you see my name above a post, you can assume that the only thing I want Facebook to do is sell all their assets, give the money to charity, and shut down. :)
I think there's a disconnect here... The page to which your posted link points is the content. Whatever loads when clicking the link is the content you hash, with ads, scripts, the main body, the comments, the everythings. If I link to the front page of HN it's guaranteed it will never ever have any likes. If I link to an article that says something like "posted 6 minutes ago" then every minute the page changes.
A FB robot loads the link, receives some data (the full page), hashes that, attaches it to your "Like". Then rehashes periodically.
But every time someone clicks the same link they load slightly different content. Simply because something on that page changes. A new comment in that page, an evolving story where the site puts updates, a live blog, or a different ad loaded on the page, which are all valid reasons for a page to change. They would all invalidate the like.
So what happens next time? FB robot loads page, gets data, hashes, new hash doesn't match. Your Like is removed because the page changed. You might as well remove the Like button for anything linking outside of FB.
Educating users is an option, big warning that the content behind the link may change but let's be honest, most people will be oblivious to the implications.
I disagree, the page is not the content of the page. I hear where you're coming from though: what you're saying is a widely-accepted approximation because "semantic HTML" is not semantic, so we don't have a way to get the actual content from an HTML page. This is by design: lots of big websites have a vested interest in making it impossible to separate their content from their presentation. But I don't think future implementations have to be bound by previous bad decisions.
That comes down to making sure you like what you actually intend to like: you probably don't intend to like the literal bytes of the URL, you probably intend to like the content at the URL. UIs can aid in this[1] but ultimately I don't think people think that specifically, and there's not a perfect technical solution to that problem.
[1] WARNING: You're about to "Like" a URL. The content at the URL may change. Do you wish to continue? Y/N