I am not going to specifically address the topic of scripted attacks (such as click-jacking, like-jacking, using tools like Selenium, etc) used to game contests. There are just too many variations, and frankly, many of the data analysis concepts here would apply to that scenario as well.

Understand that I Am Not a Lawyer, and am NOT giving you legal advice here. The intended audience for this article is application developers, database architects and product directors, as we discuss some fundamental concepts that must be integrated into your contest application before even a single line of code is written. Many of these concepts can be applied to non-Facebook online contests, but some are Facebook specific.

Also, if you got to this article because you’re trying to learn how to game a Facebook contest, please die in a fucking fire. You are a useless piece of shit, and people like you are what is wrong with the world.

First things first, and a little bit off-topic, if you’re planning on creating a Facebook contest, be sure your contest abides by Facebook’s promotional policy guidelines. They’re a pretty quick read, but failing to read them before deploying a contest on Facebook may result in Facebook disabling your contest for policy violation. You can (and should) read the whole set of guidelines here, but since we’re about to discuss planning your contest app, the ones you really need to be mindful of are:

1. You must not use Facebook features or functionality as a promotion’s registration or entry mechanism. For example, the act of liking a Page or checking in to a Place cannot automatically register or enter a promotion participant.
2. You must not condition registration or entry upon the user taking any action using any Facebook features or functionality other than liking a Page, checking in to a Place, or connecting to your app. For example, you must not condition registration or entry upon the user liking a Wall post, or commenting or uploading a photo on a Wall.
3. You must not use Facebook features or functionality, such as the Like button, as a voting mechanism for a promotion.
4. You must not notify winners through Facebook, such as through Facebook messages, chat, or posts on profiles (timelines) or Pages.

Basically, this means that you can’t use any of the native Facebook platform tools as voting or winning mechanics. You can like-gate an app, requiring the user to like an app or page before being shown the contest sign-up form, but you cannot use the act of liking the app or page as the registration itself. You cannot award points or incentives on a Facebook share, but you CAN award points or incent the conversion. So if your app lets me invite people to your app, you can award me points for every one of my friends that allows the app and participates, but you cannot award me points based on how many people I invite that do not convert to app users or clickthroughs or what have you.

There’s a little bit of nuance to it, but the general rule is just to avoid using the platform for stuff that determines who wins or loses, period. That part has nothing specifically to do with gaming a Facebook contest (or the prevention of gaming a Facebook contest), but it’s pretty important, and will influence some pretty core mechanics in your contest, so don’t gloss over them.

Rule #1 of running a contest: LOG EVERYTHING

Log absolutely everything possible. Require that the user is logged in, and always log their FBID *and* their IP address. Your legal counsel will thank you for it.

You need to be able to run an audit on every action related to potential winning or losing of the contest for your own liability, but also because it is the foundation of putting yourself in a good spot to detect suspicious or fraudulent activity. Seriously.

If ass-wiping influences the contest outcome, you had better be logging every single time the user wipes their ass, complete with IP address, user agent, timestamp, and anything else you can think of that would be specific to that action+session combination. I simply cannot emphasize this enough.

Without extensive logging, you will be left absolutely helpless when a user (or their lawyer) challenges your winner decisions, or when other users claim a specific user is cheating.

Make sure your web server is logging access correctly as well. You may need to correlate your Apache access log to a specific transaction and IP address as well. Test this before your app goes live.

As you analyse your logs, look for inconsistencies in user agent and/or IP address. If their user agent is logged as “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7″ in one log entry and “Mozilla/5.0 (Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7″ in the next, something is up. The differences between those two user agent strings is subtle, but it’s there, and there is no legitimate reason for it to change from action to action in the same session.

Rule #2: Get their email address

It seems intrusive, but if your loot is decent, people won’t mind giving it to you. Once they have allowed your application and granted you email permission through the app allow dialog, you can pre-populate the email address field so they don’t even have to type anything in. You’ll need their email address anyway, to notify them if they won, since Facebook doesn’t allow you to use FB Messages to do that.

You want their email address because users creating fake Facebook profiles (each of which requires a unique email address) to generate bogus votes/points/whatever will generally not be terribly creative (or may be using an automated script or service to do it), so you can use the email addresses as a way to detect patterns in participating users that could imply fraudulent activity. If you see 100 new entries, all with the email pattern of firstname1234lastname@hotmail.com, there’s an excellent chance that those entries are bogus.

Brace yourself for the truth

The cost of winning a Facebook contest by cheating is much lower than you probably imagine – and unsurprisingly, there are businesses online that exist for the sole purpose of helping people win online contests. Right now, on a casual Google search, I can find services that will sell me 10 PVA (Phone Verified Account) Facebook accounts for $20. I can buy 100 non-PVA Facebook accounts for $20, if I think the contest won’t do that much checking for fraudulent activity. If you do a search for “facebook contest” on sites like freelancers and microworkers (I will not link to them), you’ll find hundreds of people with Facebook accounts just itching to get paid to help your potential contestants game your contest.

If you’re giving away a trip worth $3,000 and because of the number of participants, it would cost me $20 to win your contest, you are *going* to get gamed. My risk-to-reward-ratio is just too good for me not to do it. I spend $20 and I get $3,000 worth of prizes? Hell yeah.

In one investigation I performed, I saw bids of $30 accepted for people to get 200 people (real people or fake-but-look-real accounts) to vote x times. That means each one of those Facebook accounts is worth $0.15 to the person renting them out. Consider creating accounts at these microjob sites before your contest is over and check it for openings related to your contest.

Additionally, since there are people and services out there that have created Facebook profiles for exactly this purpose, you can’t rely on Facebook profile creation date as a reliable measure. Many of the fraudulent accounts I’ve come across have been around for over a year prior to the contest. They’re also smart enough to make sure these profiles have friends that look legitimate, so it won’t be as easy as looking for FB accounts that are new and have no friend connections.

It gets worse. There are also online sites that encourage users to do like/vote exchanges. “Vote for me for blah, and I’ll vote for you.” This method tends to be slower than simply buying accounts, but it’s also free. Search Facebook for terms like “vote exchange” and you’ll find pages and groups for the sole purpose of gaming contests.

It’s up to you to decide whether a vote/contest exchange falls under your definition of cheating. It absolutely does in my book, but it really depends on how your contest works. Either way, you need to set the definitions of what exactly qualifies as cheating before your contest even starts, because you’re going to run into more gray areas than you probably would have thought.

Rule #3: NOTHING GETS DELETED. EVER.

If users can submit content as part of the contest, make sure you architect your application in such a way that nothing ever gets deleted, either by moderator or by the users themselves. Instead use a database flag to toggle visibility in the app. Log the deletion (timestamp, IP, user agent, who took the action, etc) and tuck it away, but never, ever delete the data.

Doing so insulates you from users saying “I didn’t delete it!” You will have proof that they did, including all the particulars such as what browser they were using and when. This also allows you to recover from content that is accidentally deleted by a moderator. If “deleting” content is simply toggling that boolean database field, it’s easy to toggle it back on if it gets toggled off by mistake.

Rule #4: Know what counts as cheating up-front

This sounds like a no-brainer. Cheating is cheating, right? But if someone didn’t actually pay for votes, and did a vote exchange or spammed forums and Facebook groups to get votes from people who don’t actually care about the program, is that cheating?

What if the Facebook account that’s participating is “real”, but the person only ever uses it for entering contests? Is that a legitimate user to you, or a cheater? You should figure that out ahead of time.

It’s going to be your choice as to what level of detail you disclose your policies on cheating. My recommendation is to be a little vague. While this goes against my standard policy of transparency in everything, if you give the bad guys an explicit set of rules on how you define cheating, they will be sure to tailor their cheating to specifically avoid the things you outline. If you tell me (as a bad guy) that my votes will be disqualified if too many votes come in from the same IP address, I will be sure to use different IP addresses for each vote to make sure I avoid your detection.

Rule #4: Audit, audit, audit and audit some more

Auditing by eyeball isn’t really going to cut it, but if it’s all you’ve got, it’s better than nothing. A better idea would be to set up a series of heuristics programmatically that flag user activity as being suspicious and requiring additional review. Things like the number of unique users coming from a specific IP address, the time of day that you see the most activity, the kinds of email addresses you see associated with the participating users, etc.

Look for patterns that don’t make sense. Examine the Facebook pages of the folks you suspect of cheating. Do they have any wall posts? Any photos? Do they have friends? Click on their friends profiles – do their profiles also have no wall posts and no photos? Look for generic “hot babe” profile photos. Look at the pages and topics the user has “liked”. Do they seem a little too demographically on-point, as if they were created to appeal to a specific contest demographic? Is there a pattern in the things they’re liking? (All contest pages, etc.) This part can’t be automated.

Give yourself the time between the end of the contest and the announcement of the winner to be thorough and audit all of your top contenders. Hold off notifying anyone that they won until you’ve had a chance to comb through this data and you feel confident that it’s legitimate.

You have a cheater. Now what?

When you find someone cheating, how are you going to handle it? Revoke their points/votes/etc? Disqualify them? Whatever your decision, know what you’re going to say to them in advance, because if the stakes are high enough, there’s a good chance they will be loud and public about how you wronged them. Once again I advise not showing too much of your hand.

If you decide to confront them and allow them to offer explanations, hold specifics back. If you user claims, for example, that they got most of their votes from their friends at a high school using their own computer (which would explain the same IP address), but the timestamps on the votes are at 1AM, 2AM, etc, that should raise some eyebrows. If you tell them too much about what you’re basing your decision on, a decent cheater will come up with excuses to explain them that they would have mentioned earlier if the story was legitimate.

It’s rare to find a smoking gun in these cases. Instead, it’s going to require a some judgement calls and a preponderance of evidence. It’s very like you won’t find *one* thing that makes you *sure* someone is cheating. Instead you’ll find a half-dozen things that, when combined, form an equation that just doesn’t add up.

One option, upon finding a cheater, is to disqualify just the votes that seem fraudulent. In the case of a contest where the user submits an entry and other people vote on it to determine a winner, be cautious of disqualifying the entry based on fraudulent activity. Knowing how inexpensive it is to buy Facebook profiles, if I were a particularly bad guy who had also submitted an entry, I might consider spending some money to game my opponent’s entry in a way that was obviously fraudulent to get their entry disqualified.

If I knew you would kick anyone out if you detected any fraudulent behavior on their entry, I might go out of my way to make sure you found some on the other guy’s entry to increase my chances of winning by kicking them out of the running. This technique, similar to joe jobbing in the spam world, isn’t one I’ve seen often, but it’s only a matter of time.

Make a decision and be prepared to stick with it. Feel confident that your decision was the right one, and don’t back down. The bad PR from the folks you disqualify will be better than the bad PR from the rest of the contestants claiming that your contest is rigged or allowed fraud. Your legal department will make sure you have a TOS that basically says that you don’t owe anyone an explanation, and it’s up to your discretion to disqualify anyone for any reason.

Running a (good) contest is an incredibly laborious process. The technical aspects of creating the app are honestly the least complicated, least time-consuming part of the whole thing. Make sure you have the appropriate resources to handle it. If you half-ass it, you will regret it.

Nailed it.

Not quite. Honestly, there is almost no fool-proof way of detecting all fraud activities – partly because some of this fraud is being conducted by actual people, not machines. They’ve invested the time into creating profiles that look real.

You’ll be able to find the ones that do a crap job of it, but a few of the more sophisticated folks will have profiles that have current wall posts about things other than contest spamming. They’ll have photos uploaded, lots of friends, and profiles that weren’t recently created. Fortunately for you, those kinds of profiles tend to be more expensive to buy, since they require more work to upkeep to look legitimate.

Maintaining believability in a friend network that large requires a lot of time, so examining the friend profiles associated with your top contestants is absolutely critical. If you poke around enough, you’re bound to find something that doesn’t fit. Examining their entire footprint on the social graph will give you a much clearer picture than a specific profile.

Also check out:

So the user gets a notification “John Smith has made you an administrator of XYZ page”. The user clicks on the page to see what they’ve just been made an admin of, and the poisoned default page tab kicks on, busting them out of the Facebook site and into a standalone page offering promises of free iPads and various other too-good-to-be-true freebies.

In this particular case, the scammers were using the extremely popular – and from what I can tell, legitimate – application Static HTML IFRAME, which simply allows people to create their own IFRAME tabs to add to their Facebook page without the hassle of creating their own application, hosting content, etc.

The IFRAME page that loads in the Facebook page points to s3.amazonaws.com/statichtmlplus/page/160281910702810.html – so it seems that the Static HTML IFRAME app just saves the content that their users add to their custom IFRAMEs into a static HTML file and serve it accordingly.

In the case of this scam, the IFRAME page hosted by the Static HTML IFRAME app contains another, hidden IFRAME inside of it that forces the browser to redirect to the scam website.

This is a combination of social engineering (taking advantage of the fact that the new administrator will obviously want to know what it is they’ve been made an admin of, thus getting them to look at a page they would otherwise never have found or cared about), and very basic technical jiggery pokery to bust out of the frames and take the unsuspecting admin to a third-party site.

The third party site in this case was a survey/iPad 2 giveaway scam (ipad2-test-and-keep.com), but this method could just as easily be used to serve malware or phishing pages.

Imagine how easily this would flow if if the frame-buster page instead took the user to a page that looks just like the Facebook login page. They think they’ve somehow been logged out, they fill in the login form to log back in, and now the bad guys have their Facebook credentials – which statistically are likely to be the same credentials they use for banking and other things.

The IP address of the scam site the IFRAME sends the user to, 92.241.169.80, tracks back to a Russian web hosting company, 2×4.ru.

We’ve already reported this scam page to Facebook using the normal routes and through the Preferred Developer Consultant avenues, but I’d be willing to bet we’re going to start to see a lot more of this kind of thing because it’s incredibly effective and very simple to execute.

Thanks to @uberbrady for seeing this for what it was when it happened to him, and bringing it to our attention.

Don’t forget to “like” our special Social Media Scam Alert page on Facebook and follow @scamdb on Twitter for more updates like this.

Also check out:

On Facebook, “like” the Social Media Scam Alerts page to get updates as new Facebook scams and rogue applications are identified. The posts will be short, without a lot of technical jargon to make them easy to share with your less brainy friends and family.

On Twitter, follow @scamdb for tweets about the latest scams, phishing and rogue apps affecting Twitter users.

Social Media Security Tips

In addition to staying informed about bad applications, some better practices and common sense will go a long way here.

We have become completely desensitized to clicking on things in websites, our social networks, on our smartphones and in email – and this is why these types of attacks are so wildly successful, often garnering tends of thousands of “likes” before they are detected and banned by Facebook or Twitter. More often than not on social media websites, the attack is not a technical attack, it’s a social engineering attack, tricking you into clicking on something because what they are offering is something you want and you found the link through a reasonably trusted source (your friends twitter stream or Facebook news feed.)

Be skeptical. If something looks too good to be true, it probably is, even if you trust the person it came from.

Confirm before you click. If you’re not sure, take a moment to email or (gasp!) call your friend and confirm they actually intentionally posted that message. If they didn’t, you’ll be doing them (and all of *their* friends) a favor by bringing it to their attention quickly.

If your friend posted to their Facebook wall that they are stuck in London and need money for passport/plan home/etc – resist the urge to immediately send cash. Be rational, contact them using a different method (email, phone) and confirm that it’s really them. Use common sense. Did your friend even mention they were going to London?

That “stuck in London” scam has made its rounds for several years through email and social networks. I don’t know why it seems to always be London, but that’s almost always the city I’ve seen in these scams.

Use the SSL version of social networking websites when you’re surfing on public or unsecured wifi. As Ashton Kutcher learned this week at TED, non-encrypted sessions + a little Firefox addon called Firesheep = getting pwned in front of your six-and-a-half-million Twitter followers.

Facebook offers a clunky (and currently unreliable) way to switch to HTTPS for your Facebook sessions, but that method resets back to HTTP if you access a non-SSL application. My understanding is that Facebook security is aware of the bug that resets the default preference back to non-SSL, but I don’t think it’s been fixed yet.

An alternative is using something like the Electronic Frontier Foundation’s HTTPS Everywhere addon. The first release of this addon was a little buggy, but the second release seems more stable. (The first version rendered Amazon.Com effectively useless.) You can select which sites you want to use HTTPS Everywhere on, and it will always force the HTTPS (versus the plain HTTP) connection.

Ideally, you should try to avoid public or unsecured wifi connections whenever possible. Make sure your computer and smartphone preferences are to NOT automatically join wifi networks. If you have to be on public wifi, your best bet will be to tunnel your traffic over VPN, but not everyone is going to have that as an option.

In the big, scary internet, there are countless ways your personal information and login credential are at risk. Some of these are technical vulnerabilities in the websites you trust your information to, but the social engineering approach is gaining tremendous momentum. It’s cheap, it’s fast, and it works. Remember that even if you think you have nothing of value, when you are careless with your security, you are also putting your friends and family at risk.

Take a moment to check out the security presentation I posted a few weeks back that covers important information on privacy and password security, and consider joining the new Facebook and Twitter resources.

Also check out:

According to the blog entry, this feature would be opt-in, and canvas application developers would need to provide an SSL url for the “Secure Canvas URL”.

If a user who has opted into the SSL-only version of Facebook attempts to access a Facebook Application that doesn’t have a Secure Canvas URL set, the user will evidently be shown a message (which will likely be confusing and scary, not because Facebook will purposefully make it so, but because most users don’t really understand SSL) that will give them the option to switch from HTTPS to HTTP. From the post:

If you do not provide a secure Canvas URL, we will display a confirmation page to let HTTPS users switch to HTTP and continue to your app.

This currently affects CANVAS apps only – not application tabs – although that may very well change once Facebook pushes the IFRAME version of tabs out some time in Q1.

HTTPS is slower and more server intense than HTTP, and it’s one more cost/timeline issue that has to be factored in. For some clients, I set up the hosting environment (which would include DNS, SSL, etc) – for others, their IT department provisions web space and handles DNS, and they often require a mountain of paperwork and a week to process.

For the latter scenario, the cost of the certificate is negligible, but for a highly-trafficked app, the increase in server load could have serious financial impact. It could mean the difference between needing one server and several.

For smaller companies, stepping up to SSL would mean buying a certificate and potentially paying extra for the dedicated IP address it will need, and if the app takes off, a much heftier hosting bill for running everything over SSL.

If the above would actually, truly improve the safety of the users in some significant way, I’d probably still be on-board.

Security is something I take very seriously, and in 2010, Firesheep showed the world how easy it was to hijack a user’s Facebook session and essentially pwn their account because the session data was being transmitted unencrypted and was sniffable over public wifi. To be fair, it wasn’t just Facebook that was affected, but if you’re logging into websites on an unencrypted public wifi, odds are your email accounts and everything else are at risk too.

That said, this seems like it will give naive users a false sense of security and not actually provide that much value for the effort involved by the app developers.

“Oh, this application must be safe – I’m using HTTPS, and the S stands for *secure*!”

Phishing, rogue apps and malware are already horrendous problems on social media websites, Facebook especially. I would much rather see Facebook (and others) improve their session handling before going in this direction. Reputable companies who are collecting any kind of PII are already running data submission over HTTPS, and non-reputable companies aren’t going to become more honest just by forcing them to encrypt the data they’re mining from your profile.

The net result is a lot of extra work for developers and companies for not a lot of benefit to not a lot of users, with the side effect of confusing people into thinking that SSL = trustworthy, or that a non-SSL app is malicious and trying to eat their souls.

IMHO, the much bigger threat to Facebook users is their own poor judgment on what to click on. Social engineering rules social networks, and no amount of encryption is going to fix that. As the fabulous shirt from Jinx says “there is no patch for human stupidity”.

Until people start being more critical of what they’re clicking on and what apps they’re allowing access to their profile, they’ve got a lot more to worry about than SSL. It’s the same false sense of security that users running antivirus programs often suffer from.

“I don’t need to worry about what I click on – I’m running antivirus! My virus definitions are up to date, so I am safe and protected and nothing can harm me.”

In 2008, Symantec had to write new virus signatures every 20 seconds to keep up with the onslaught of malware that was released. This was increased to every 8 seconds by 2009. [Source: Gray Hat Hacking The Ethical Hackers Handbook, 3rd Edition]

To prove my point, I’ve created FB Profile Spy. It’s still a work in progress, but it’s a better-security-through-humiliation project, similar to my better-behavior-through-humiliation project socialmediadouchebag.net. It’s completely safe – and not even hooked up to the Facebook API at all (but of course please feel free to use NoScript and check it out thoroughly before interacting with the links. I have nothing to hide.) Click through and “allow” the “app”. I need to tighten up the javascript slideshow lecture at the end and I need to sync up the layout with the new profile design, but it’s coming along.

What do you think? Am I just being a whine-ass lazy developer? Am I being a slacker security pundit? Let me know in the comments.

NOTE: This article first appeared on FBMHell.Com.

Also check out:

Note: This will be a quick one long and rambling, because my Macbook Pro is in the shop and I’m using an old 13″ Macbook to write this, and it makes me want to punch babies that’s how I roll.

RockMelt is a new browser that puts more emphasis on your own social network of friends, backed by the some of the guys behind the Netscape browser. If you’ve been living under a rock and haven’t heard of it, watch their promo video below:

That video is pretty much all their website has to offer curious onlookers right now, and it sure makes you feel good watching it. Until you realize that the warm fuzzies Toby is talking about have more to do with his involvement in social networks and being connected to his friends in general than they do with those connections being integrated into your browsing experience.

Personally, I think the toolbars of your Facebook friends and applications looks nice, but after using it for five minutes, I wanted to hide them. I like my screen real-estate, and it’s creepy to have a dozen of my friends and family staring at me from the sidebar while I’m spanking it to my favorite Brazilian transvestite pr0n.

If I hide that toolbar, I’m hiding the very feature that sets RockMelt apart from other browsers, so while it’s great that you can hide it, what you’re left with at that point is a very vanilla browser that is exactly the same as every other browser.

One thing that actually really pissed me me off is that when I connected RockMelt to my Facebook account (which it prompts you to do immediately upon first-time launch), it set my online status to “online” automatically. I never show myself as online, because if you don’t have my real chat client names (Gtalk, AIM, etc), I probably don’t want to talk to you anyway. It took me a minute or two to figure out how to turn it back to “offline”. I don’t know if that’s RockMelt’s fault or Facebook’s, but given how creepy-uncle Facebook has been over the last year, that did not make a stellar first impression.

Speaking of Facebook – am I the only one that’s creeped out by the fact that Facebook is one of the backbones of this browser? For all they have done to betray my trust over the past year, the LAST thing I want to do is facilitate them knowing what I’m doing online more than they already do.

Do I think RockMelt has formed an unholy union with Facebook to spy on me? No – but RockMelt doesn’t tell you much of anything right now (and Facebook never does), so my lack of understanding about what data is being collected and stored by Facebook by way of RockMelt makes me very uncomfortable.

Also, it’s pretty clear by the way Facebook integration stands apart from the other social networks like Twitter that RockMelt is focusing primarily on Facebook. Considering how often Facebook’s API changes (read: breaks) and how much they are moving forward with their own agendas, I’m not sure this is a good long-term plan. One article on TechReview comments: “It’s not a generic ‘social browser.’ It’s a Facebook browser.”

Considering how Facebook is already trying to re-invent the web, I don’t know what that means for RockMelt in the future.

There are some nice features to RockMelt though. The right-side sidebar gives easy access to twitter with a simple but elegant UI, however it doesn’t really seem to be optimized for people with a large number of followers/following.

Also in that right sidebar, you can add RSS feeds to keep track of your favorite websites. They’re displayed beautifully, with a square site icon (based on the site’s favicon) and an unread count badge. If you’re on a site that has a detectable RSS feed, the “add feed” button turns green.

I think this could actually work to help people who don’t know or care what RSS feeds are learn to use them more. The one-click nature of subscribing when you’re on a page with an RSS feed makes the whole process cleaner and more clear than traditional RSS subscriptions, where the process is slightly more technical and deliberate.

On other browsers, even if a non-technical user can decipher what “Subscribe to RSS” means, they still have to do some work to access those feeds. RockMelt makes it a no-brainer – the user doesn’t need to know what RSS is for them to immediately see the benefit of subscribing – however it also simplifies it to the point where it could potentially be useless for people who already know and love RSS, and are subscribed to many feeds.

I subscribe to over 100 RSS feeds, so RockMelt is clearly not going to be of much help there. Maybe one solution would be to sync with Google Reader (please?) and let you pick your top five that you want to have in your sidebar.

That right-side toolbar references “Apps and Feeds”. I wonder if some sort of Facebook application integration is on their roadmap, which would be great, because then the useless jackholes that spend all day playing Farmville at the office won’t even need to switch browser windows to annoy the living shit out of everyone they know.

Another nice feature is the “Share” button built into the browser, that puts Twitter and Facebook sharing just a click away.

Of course there are already bookmarklets for all that already, and most websites now have share functionality built into their content, but for the less tech-savvy who might not know they exist, this makes it easy for people to share what they’re looking at in a way that uses a consistent UI on every single page they visit.

One UI irritation I ran across is that if you have the share pop-up activated and switch apps, it can be easy to forget that it has focus, so when you switch back to RockMelt, and go to type something in the url bar, the comments box in the share popup still has focus, which could lead to some embarrassing moments when you meant to pull up your favorite pr0n site but ended up accidentally sharing it with your Facebook wall. (I only accidentally shared the RockMelt website. This time.)

Ultimately, other than perhaps a morbid sense of curiosity, whenever a new browser comes out, I’m more worried than excited. If it becomes remotely popular, that’s one more browser I have to test on, one more variable thrown into the standards mix.

It’s not as bad these days as it used to be. Most current browsers have some semblance of standards-compliance, and display differences are minimal. (If you don’t believe me, you haven’t been in the industry as long as I have. Trust me on this one. It used to be so, so much worse.)

I’m pleased to say that RockMelt’s rendering seems fine, and while I haven’t had a chance to do any complicated DOM-tomfoolery with it yet, all of my initial tests showed layout and javascript working exactly as expected, and exactly as it would appear in any other browser. So that’s good news.

It may seem like I’m hating on RockMelt – I’m actually not.

Is it a browser for the power user? I’d say not.

Is there a market for it? I think so.

Most of the tech site reviews have been neutral at best, or condemning this browser to failure before it’s even open to the public, but I think that’s a symptom of who has been given access to review it. Naturally, the techies are going to be the ones with the first-look. In fact, they’re normally the only ones that care about a first-look. And techies are exactly the audience this browser will not fly for. At least not at this point.

But it’s important to remember that there people out there that aren’t as tech savvy – who wouldn’t know a Firefox addon if it bit them in the ass, and have no desire to know more. I look at my biological father, who only recently got an email account and joined Facebook. He doesn’t know or care about computers, and the only reason he finally broke down and got an email account was to stay in touch with my sister and I. As he uses the internet more, I expect him to find more things he likes (pr0n), but he just doesn’t care about how or why it works, and won’t go to great lengths to figure stuff out.

To techies, Facebook may be an aggravation – something we put up with because it’s part of our jobs or because it’s so ubiquitous that it’s hard to leave. But people spend more time on Facebook than on any other site on the web, so clearly, there are plenty of folks (and by plenty, I mean *millions*) that love it and use it constantly.

RockMelt’s tagline is “Your browser. Re-imagined.” So far, it’s more like “Your browser. With some integration that’s already totally possible with plugins, for people not savvy enough to use plugins.” But it’s early yet, and I’m curious to see where it goes.

Also? Dumbest name ever. Seriously guys. WTF.

Also check out:

Every time Facebook does something else awful with their privacy settings, I get all fired up and want to write a blog post (or six) about it, but the sheer magnitude of problems is so overwhelming, it makes me physically exhausted just thinking about breaking them down one by one.

That’s not what I’m trying to do in this post.

There is an option in your Facebook privacy settings that I don’t remember seeing before. I don’t know when it was added, or if it’s been there forever and I just somehow didn’t notice it, but if you want more of your privacy but like the ability to stay in touch with friends on Facebook, you can turn off API access altogether.

That means that games, quizzes and other applications will no longer have access to your profile. That does not mean that any data you may have already shared with applications previously will be deleted from the original application developer’s databases, but its a start.

If you turn off platform, you’ll be disconnected from all applications and websites. That means friends won’t be able to use applications to interact with you, and information and settings you’ve saved may be permanently deleted.

To turn off the API, go to your privacy settings, and then click on Applications and Websites:

Turning off API access will disconnect you from ALL previously allowed applications and websites, and may actually delete settings, so you should review all of the applications listed to make sure there really are none you don’t want to keep. If there are, a better bet will be to take the time to go through all of the apps you’ve authorized and remove or block one by one.

Also keep in mind that if you’re a Facebook developer, meaning you create apps or pages for yourself or for clients, you DO NOT WANT to turn this off. You run the risk of biffing all of your hard work. I haven’t tried it on a developer account, but there’s a good chance you would lose the ability to access your pages and apps, and those pages and apps might stop working altogether. You’ve been warned.

Also check out:

It’s literally just been launched, so I’m looking for your help. I’ll be going through some older posts and rounding up the questions that seem to come up often and writing up answers for the new site, but if there’s a burning question you’ve had for a while and haven’t been able to find an answer for, let me know in the comments.

One that comes up often is whether or not you can include an IFRAME in a tab, so don’t ask that one It’s already on deck.

I’m looking for all kinds of questions, ranging from the complicated to the more basic, so don’t be afraid to ask. More complicated tutorials (similar to what I’ve posted in the past regarding app development and complex mini-sites on tabs) will take a little longer, so be patient, and remember to subscribe to the RSS feed so you’ll get all the latest posts.

Categories will be added as content demands, of course.

I really want this site to be a great resource for everyone (including myself, as a repository of stuff I know works), so I’m looking forward to your feedback!

Also keep your eyes peeled for the launch of FBMLWizard, a drag+drop Facebook fan page tab builder.  I’ll update you here when it’s ready.

Also check out:

UPDATE May 20, 10:45AM: Facebook has actually apologized and done a complete 180 in the last 12 hours and they have reversed this decision. I’m leaving the original post up for reference, but as of right now, they have reverted back to the original way it worked, where any page admin can set default tabs, regardless of the size of their fan base.

From their developer forums:

As of last night, we’ve removed the recently-added authentication requirement for setting custom landing tabs on Pages. The requirement was instituted as part of a Pages quality initiative, and we apologize for the inconvenience this caused to our developer and business community. We are re-investigating the situation, and will not make any further changes without first giving our community standard notice and lead-time.

Thanks for all your feedback,
Matt Trainer

The Facebook platform is known for being exceptionally buggy, so most “me too”ers assumed it was a bug and patiently awaited a bug fix confirmation from Facebook. The question went unanswered for a day, until finally a Facebook employee dropped this bombshell.

Hello all,

We apologize for not messaging this earlier. Facebook recently made a change requiring that Pages be authenticated before enabling the ability to set a landing tab beyond Wall or Info. To be eligible for authentication, a Page must have greater than 10k fans or the Page admin must work with their ads account manager. If you are already working with an account representative, please contact that representative to begin the authentication process. If you do not work with an account representative, you can use this contact form to inquire about working with an account representative.

Also, for advertisers who don’t have a representative or 10k fans, and want to run ads and land users on a specific tab, you can still do so with standard Facebook ads by making their Destination URL as the URL incl. your tab. Unfortunately, this currently will not work with “Fan” ads.

Thanks,
Matt Trainer

What this means is that Facebook Fan Page admins can no longer specify a default landing tab for their fan page UNLESS they have 10k or more fans, OR they “have an account manager”. Having an account manager sounds great, right? The thing is, you have to spend at least $10k in Facebook advertising before they’ll even talk to you, let alone give you an account manager. That contact form leads to the “how much money are you willing to spend with us” form, and if your answer is less than $10k, don’t expect them to help you.

So once again, the little guy gets screwed. It started in November with their charges to their contest/promotional guidelines, which were also rolled out quietly with little or no notification to developers or users, which dictated something very similar. Certain types of promotions now have to be approved by an account manager. Only you don’t get an account manager unless you spend upwards of $10k in media buys.

Note that it appears as though this is only effective moving forward. If you’ve already set a default tab on your Facebook Fan page, they’re not going to take it away from you. At least not at this point. But as of yesterday, if you hadn’t already set a default tab, you won’t be able to do so without meeting one of the 10k requirements mentioned above.

I’m not even going to talk about the recent Facebook privacy issues. This isn’t the post for it, and honestly, I don’t have the energy to open that gigantic can of worms right now. But with those recent changes on top of this, I have to ask WTF they are thinking over there. Fuck you, Facebook.

Also check out:

The previous tutorial, I walked you through how to use clicktohide and clicktoshow to enhance your Facebook Fan Page tab. By utilizing these built-in Facebook functions, we can get creative and make image galleries, slide shows, or micro-sites within a single Facebook Fan Page tab. This is especially handy if you’re trying to fit a lot of content into a single tab, but don’t want to have one long scrolling mess of a tab. While hand-written FBJS is always an option, Facebook makes it really easy to accomplish this with only the most basic coding skills.

(That said, if you haven’t read the first tutorial, it will probably be helpful for you to read that one first before continuing with this one – I assume you understand the concept of clicktohide and clicktoshow here.)

So what you’ll end up with is a single Facebook Fan Page tab that has a “main” navigation that switches content within that single tab, and an additional subnavigation menu that switches content within that one section of the tabbed content. It sounds more confusing than it actually is – click here for a demo.

This is what we created in the previous tutorial:

And this is what we’re going to create in this one:

Similar to the example in the first tutorial, we’re going to do all of this magic simply by using CSS, HTML and the clicktohide and clicktoshow functions. In fact, what we’re doing here isn’t that different at all from what we did the first time, but I get a metric-assload of emails asking me how to to it, so here it is.

[sourcecode lang='html']
Home
Demo Tab
Locations

[/sourcecode]

And that’s it. That’s the whole code snippet. For clarity, I have stripped out all of the extra styling, text and fancy button treatments. If you want the exact code used for the demo, scroll down further in the page – I’ve included that as well.

I’ve commented the code pretty liberally, but just to recap what we’ve done, we created the normal main microsite divs, nav1, nav2, and nav3. These are the “buckets” that contain the top-level “tabs”, same as we did in the first tutorial. What we’ve added is a second, smaller set of buckets and corresponding nav. We use the exact same method of clicktohide and clicktoshow – the only different is what we’ve name the smaller bucket divs, and where they live. The div structure works out to be something like this:

[nav1 div]
– nav 1 content
[/nav1 div]

[nav 2 div]
– [subnav 1 div]
– subnav 1 content
– [/subnav 1 div]

– [subnav 2 div]
– subnav 2 content
– [/subnav 2 div]

– [subnav 3 div]
– subnav 3 content
– [/subnav 3 div]

[nav3 div]
– nav 3 content
[/nav3 div]

As promised, here’s the exact code snippet, line by line, that was used to create the demo page.

[sourcecode lang='html']

Home
Demo Tab
Locations

Default Content

Click on the “Demo Tab” above to see an example of
multi-level tabbing in a purely FBML microsite.
With a little practice and patience, you could
recreate a fairly large website using this method.
(The content of these subnavs are quotes from
Monty Python and the Holy Grail, for your entertainment.)

Locations

This is the locations “page”. You can put text, images, even video here.

[/sourcecode]

The above is the exact code snippet I used to create that demo page, specifically. (In other words, please don’t email or comment asking me for the source. This is ALL there is, including the yummy button styling.)

As long as you properly nest your divs (and use valid HTML with no wonky or open tags), this will work every single time. The names of the divs don’t matter, as long as they match the clicktohide/clicktoshow div names you’re specifying in the nav.

If it doesn’t work when you try it, and you’re 100% sure you copy+pasted exactly from this tutorial, try again later. Sometimes Facebook has issues, and the only way to work around it is to wait until they’re not having issues.

I’d like to once again remind you that you’re not at all restricted to using the clicktohide and clicktoshow functions in the way I’ve outlined them here. My goal isn’t to show you the only things that are possible , but rather to get you familiar with the concepts so that you can use your own imagination and apply them in unique and exciting ways.

If you’ve done something cool with clcicktohide/clicktoshow (and let’s not forget clicktotoggle from the last tutorial), make sure you drop a link in the comments. I love to see what other people are working on. It makes my own raging Facebook development Hell a little easier to bear.

Also check out:

If you’ve ever created a Facebook fan page, you’ve probably realized that the “reporting” that Facebook provides is basically useless. Because Facebook limits the Javascript you can use on Fan Pages, you cannot implement your own analytics packages on fan pages. Or at least, that’s what they want you to believe.

For Facebook applications, there is an FBML tag that will allow you place your Google Analytics code on the canvas page – but this FBML will not work on fan pages, application tabs, or anywhere other than the canvas page.

Fortunately, implementing Google Analytics on your Facebook fan page is possible, with a little PHP trickery. The basic gist of the workaround is to include your Google Analytics code as an image instead of placing the javascript into the FBML code.

Rather than writing something from scratch, it makes more sense to direct you to a post on the Webdigi blog that offers a free set of PHP scripts that will let you do exactly that.

The long and short of what the guys over at Webdigi are doing with their scripts is simply to call a PHP script instead of an actual image file in the <img src> code. This is not unlike the “tracking pixels” that are often used in email newsletters, since Javascript is not an option there either. So the concept isn’t new, but it’s not common knowledge that it works on Facebook.

The PHP script they are calling contains the Google Analytics code, and accepts parameters so that you can re-use the script on multiple fan pages (or different pages in an application) simply by setting different parameters.

When your Static FBML tab, application tab or non-canvas app page loads, it loads that “image” as part of the page. That “image” then pings the PHP script, which pings Google Analytics. This could be adapted for other reporting systems as well, using the same concepts.

The guys do a nice job with their script, and they even offer a wizard that helps you figure out what you need to put where.

I had rigged up a script a few months ago, but I never really had the time to package it for the general public, make it easy to configure, and so on, so go ahead and check out their script package.

Using this method, you’ll even be able to set up funnels and goals for your Facebook fan page stats, and Webdigi offers a great breakdown on how to tell the difference between fan and non-fan activity on your fan pages in your reporting.

Enjoy!

Also check out: