Social networks, interfaces and usability

In Application Maps I came across Hagan Rivers's work on user interfaces: Rivers designs navigation diagrams of the screens (for navigation on the web, or within a program) and draws them as graphs, which makes it easier to analyze whether the application's flow is adequate:

Why do I make these maps? When I look at an application I look for its hubs. The hubs are the work areas – the place where the user creates things and does things to them. In this application the main hub is the List of Addresses and Groups. From there the user can add an address, edit an address, add a group, export – a whole host of activities. In the end, though, he always returns to the hub when he’s done. In complex applications (one with hundreds of screens, for example) there may be dozens of hubs and their relationships may be complicated. I use the Application Map to help me visualize these applications more clearly and to

In Application Maps you can see the graphs of several well-known applications.

We had already talked about graphs and graphical representations on other occasions, for example in Grafos de dependencias en paquetes de Debian (Dependency graphs in Debian packages).


Cross identification

I saw it in Obtención ilegítima de información personal en redes sociales. Cross Site Identification (CSID) (Illegitimate acquisition of personal information on social networks), and the details (though not many) are in Cross Site Identification – or – How your social network might expose you when you least expect it: it happens when we connect to a site, which takes advantage of the fact that we are identified and authenticated on one of the usual social networking sites. They tell us:

The targeted site will silently cause the victim’s browser to request the SN to share the user’s personal details with the hacker. These details might be publicly available (i.e. on the user’s public profile), but their acquisition at this point, outside of the normal context of the SN causes the user’s anonymity to be breached and her identity known in the context of the targeting site.

Sergio Hernando says it fits under Cross Site Request Forgery (CSRF: using one website to make a request to another, taking advantage of the fact that we will be logged in there), but the author says it is not exactly that:

In my previous post, I dubbed the vulnerability in Facebook “CSRF personal information leakage vulnerability” but some thought and conversation (thanks A.D!) showed that it is neither a CSRF per se, nor a leakage of information. It’s not exactly a CSRF because the victim’s browser isn’t tricked into performing any action apart from visiting a page (a CSRF token won’t help here), and it’s not exactly leakage because the information is publicly available! It’s the out-of-context access to it that constitutes the attack. Furthermore, the vulnerability in the identifying sites found seems very minuscule (sometimes it is a feature!) when not considering this attack, so it is logical to assume that many other instances of it are in the wild. For these reasons I realized it’s a new attack technique in its own right, and that was what motivated me to write this post. I suggest the name Cross-Site Identification (CSID).

In any case, the differences are very subtle and the matter is not very clear either. There are details about the problem as it existed in Facebook in Facebook CSRF attack – Full Disclosure.