Spoofing inside a walled garden

Microsoft chairman Bill Gates has described Facebook as a walled garden, that is to say, inside is very nice but only certain people can get in.  Facebook is based on trust, only friends can view your profile and not just any old person can talk to you.  They first have to acquire your trust.  This is actually a lot like challenge/response email filtering (which many in the antispam community have great disdain for... you guys know who you are).  This contrasts from MySpace where anyone can add you to their friends list.  This is similar to email with no spam filtering.

This Facebook security model works only so far as users implement it.  By that, I mean that so long as you are screening the people who try to add you as friends, you should be immune from people sending you random messages or cluttering up your inbox since only people you trust are allowed to talk to you.  However, if you start adding people who you don't know to your friends list, you risk opening up your walled garden to people you wouldn't normally communicate with.

And this brings me to my recent Facebook experience.  I have had one person get in contact with me who knows me through this blog and when they requested to add me, they said that they know me from the blog.  I granted this request.  However, in the past few weeks, I have had two people (girls in their twenties, from the looks of their profiles) request to add me as friends even though I don't know who they are.

So I'm in a bit of a dilemma.  Now, I know I'm pretty awesome and everyone wants to be my friend, but do I open up the risk of allowing these people into my walled garden?  Perhaps they know me from my blog... but perhaps (probably) it is a mistake of mistaken identity.  What do I do?  I could add the person to my profile and check out theirs to see if I know them, and if not, remove them.  The weakness of this is that I'm kind of lazy and might just forget about actually taking the time to do this.  On the other hand, I could simply refuse the request.  Maybe I've been in security for too long but I'm kind of paranoid about these kinds of things (particularly since I know people who will troll my Friends list in order to pull pranks on me... I banned those people from my profile).

So really, my point is this: if you're going to add someone to your Facebook Friends list, if you're not sure your potential friend knows who you are, at least send them a message explaining who you are to jog their memory.

Comments (4)

  1. JasonG says:

    Hmmm, maybe that used to be true, but on Myspace, users have to request to be your friend.  Further, it can be set so that to even make a request, the requester must know either your last name or email address

  2. Sam says:

    Terry — Your inbox appears to be full. I tried sending the message below through your contact form on this site:

    Terry —

    I am starting a blog focused on the poetic, humorous, shocking, absurd and random nature of some spam e-mails called Robot Garbage. (http://www.robotgarbage.com) Obviously, as your blog points, spam is not always so innocuous. But I think, if we take a moment to step back, the spam that bounces harmlessly off our blockers, filters and firewalls can be viewed in different lights.

    I’m seeking submissions for my site, both guest posts about the nature of spam, the meaning and origin of spam’s content and, most simply, interesting spam e-mails you’ve received. If you could take a moment to address any of these and shoot me a response at robotgarbage@gmail.com, I would appreciate it.



  3. harel.amir1 says:

    I guess that the natural thing to do is to implement a users reputation score.

Skip to main content