AT&T Glitch Connects Users To Wrong Accounts 138
CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"
But... what? (Score:3, Informative)
Facebook login information is stored on the phone, is it not?
Re:But... what? (Score:4, Insightful)
Re:But... what? (Score:4, Insightful)
That's my thought... but I still don't see how things like this get "crossed". Even if your IP address got switched with another during a request, at most I would expect you to wind up is receiving one page. When you load the next page, or make the next AJAX request, you wouldn't have the session cookie and it would kick you back to the login screen.
Unless of course Facebook sends the auth cookie in every response, or the "wires" got crossed just when the other person was making a login request.
Re:But... what? (Score:4, Insightful)
No, it still doesn't make any sense. If you made a port 80 request to the web site, your phone has to pick a SOURCE PORT to establish the TCP socket.
Someone else requesting a page would have a different Source IP Address and a different source port.
So if you suddenly got their IP address, your phone's TCP stack should drop the packet.
Something is amiss... I think they're intercepting your request with a transparent HTTP proxy (or something like that), and a bug in the proxy server sent the response to the wrong user.
Oh, and by the way.. how session cookies work.... a new cookie gets sent to the browser with every HTTP request, most likely, to extend their session (e.g. time-out idle period extended by issuing a new cookie).
Re: (Score:2)
I would find it very unlikely that the auth servers care about NAT. Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.
Most likely, as another user has pointed out, it's a proxy disobeying the cache headers in the responses to Facebook's pages. It's also possible that Facebook is setting these headers incorrectly, though that seems less likely. There have also been reports of session cookies going to the wrong machines, which me
Re: (Score:3, Informative)
Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.
Some recent testing of web sites on the iPhone and G1 phone have also shown that using the client's IP address as part of the "session" information simply doesn't work. With both of these phones, successive HTTP requests from a single phone often come from different IP addresses. In the tests I did, the set of IP addresses was small (2 to 4), and I suspect that it might have s
Re: (Score:1)
Holy shit. That makes me glad I persist in using a comparatively "dumb" but very robust phone (a Motorola Razr2 V9), since the majority of my contacts don't function in realms beyond voice calls and SMS.
I find it decidedly scary that people are so happy to conduct critical (e.g. banking) transactions via a device which by its highly stealable nature (if nothing else) is so obviously not secure. I have no obje
Re: (Score:2)
I find it decidedly scary that people are so happy to conduct critical (e.g. banking) transactions via a device which by its highly stealable nature (if nothing else) is so obviously not secure.
Stealing a phone does not also steal your bank password. And the iPhone (for example) has end-user secure remote wipe functionality.
I have no objection to being able to call up the occasional map or wikipedia entry on my phone (which I can), but I prefer to use a "real" computer, since I don't care for straining my comparatively poor eyesight on handheld devices or dealing with poor text entry methods.
Yes, poor eyesight, or lack of hands, etc., tend to make using a phone difficult. But for everyone else...?
I have yet to be convinced that the "there's an app for that" gimmmick will stand the test of time.
Oh, that's adorable. Over 3 billion apps have been downloaded for the iPhone (both paid and free, but this does not count updates). I don't foresee a mechanism whereby people will suddenly decide that they no longer want portable apps. Well, unless our eyes all go at once
Re: (Score:2, Interesting)
I doubt that. It's more likely they intercept the TCP request and pass it through a HTTP proxy farm (transparent connection hijacking)
I think many don't use NAT at all... Remember the iPhone SSH vulnerability? Can you explain how it is that jailbroken iPhones are being compromised by an SSH vulnerability, if carriers are using NAT?
The source port number field is only 16-bits: so there are only a certain number of connections that can be NAT'ed behind one IP address. Basically, 30k source ports per IP.
Re: (Score:2)
Some of the things you mention as requiring lots of connections could be handled by proxies or replacements inside the NAT. For example, DNS and HTTP can be inside the NAT. This would reduce the number of connections that need to actually cross the NAT boundary from the phone itself.
Re: (Score:2)
Re: (Score:2)
that's actually something completely different - it's meant for cases when somebody else has logged in using the same browser before (and thus cookies claim that person is still logged in)
Re: (Score:2)
Re: (Score:3, Funny)
Apparently not.
Re: (Score:2)
Information gets out, and people get access to information in ways of which you may be unaware. For example, based on your post I have determined the name of the OS you run!
Re:But... what? (Score:5, Informative)
Yes, but typically, the way you log in to one of these services requires that you have cookies enabled. There's a cookie in your local browser that has information derived from your password. For example, imagine facebook stores your password in its database as a sha1 hash of a salt and your password. E.g. the entry facebook has stored might look like this:
salt = string(rand64())
password_hash = sha1(salt + password)
Now, to authenticate, you send facebook your password and they use the saved salt to see if it matches the stored sha1 hash. What they send you back would be a token to put into your cookie like this:
token = (date, username, sha1(password_hash + date))
Now, they make the token good only for a certain amount of time after the date. Say three hours. When facebook gets another request, it checks to see if the token is valid by comparing the date and username and then looking up the password hash for that username. It then recomputes the sha1 hash in the token to make sure it's valid.
Using this model, it's completely impossible to log in to another account by "switching the wires". You can log in to an account simply by stealing the cookie, but that grants you log in access for only a single session.
Re: (Score:2)
It depends on what they mean by 'switching the wires'. There's nothing magic about cookies. They are just short strings that are sent with every HTTP request and response. A misconfigured HTTP proxy may forget to take them into account or ignore the nocache commands, so when you got to a URL you get back whatever the last person saw, irrespective of the fact that the cookie is different.
That's why you use end-to-end encryption for anything that contains personal information.
Re: (Score:2)
The "magic" about cookies is that they are stored in your browser. Therefore, once you've got your cookie, no amount of "wire switching" is going to give that cookie to someone else.
What could happen is that the response to the login session goes to the wrong browser, but that seems a lot less likely since you'd need two sessions logging in simultaneously.
Yes, it's possible that it's a cache control header being ignored by a proxy, in which case the site would most likely be read-only.
Re: (Score:2)
Replying to myself:
It seems that maybe it is that unlikely scenario. If you go to the second page of TFA:
Re: (Score:2)
A misconfigured proxy server (or web application with a front-end proxy that doesn't setup the Cache-Control header properly, for that matter) will store the cookies that were sent by the application server, and send copies of the same cookies along to the next requestor.
So, you go to the page http://facebook.com/profile [facebook.com] (for example, I'm not a fb user), your browser sends your cookie because you logged in yesterday, the application server sends the cookie back in the response. Then I come along, not logge
Re: (Score:2)
errr, proxies cache content, not the headers. Under your scenario, yeah, someone could receive someone elses "page" but they would NEVER get the cookie, so your POSTS would still fail
Re: (Score:2)
Why would the cookie have to be derived from your password? Isn't that generally a bad idea? I thought most web sites generated a completely random token for your cookie when you log in. On their end, they associate that random token with an authenticated session. They don't need the user to have any actual information in the cookie, just a unique ID that they can use to look up data on their end.
Re: (Score:2)
A strong hash of your password is, for all intents, random. The point of a hash is that it's very hard to go from the hash back to the input string to the hash.
Re: (Score:2)
But if what you're looking for is randomness why not just go out and get an actual random number? There's no reason to directly tie it to the password at all. All you're doing is opening yourself up to offline dictionary attacks and rainbow table lookups if someone gets a hold of the cookie, and hashes are being shown all the time to have various def
Re: (Score:2)
Yes, it is a generally bad idea. The use of any constant or predictable value in a cookie used for maintaining a session is a bad idea. You want the value to rotate periodically to a new value to defend against someone copying cookies off of another person's computer.
Re: (Score:2)
I read it as two sessions getting switched. I don't think of a proxy cache mixup as wires getting crossed, even though there apparently were two users who claim they got switched in just this fashion.
Funny coincidence considering gmail just switched to SSL a few days ago.
Re: (Score:2)
I have no inside knowledge. But that way works equally well as long as you are running a stateful service, anyway.
That is an extremely unlikely scenario, though it did appear to happen once, a
Re:But... what? (Score:5, Insightful)
What is almost certainly happening is that AT&T is using a proxy which implements HTTP Pipelining, but is screwing up and not correctly pairing the requests/responses from different sessions. It's probably just more likely to happen on a site like Facebook where many many users on the same proxy are going to the same non HTTPS site...
Re:But... what? (Score:5, Informative)
My guess is that it's as simple as this: the http returned by a request to "www.facebook.com" was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant... once AT&T cached the page it thought of as "www.facebook.com" it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user's page.
This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it's still an easy mistake to make if you're setting up a caching proxy.
There are still a lot of bad caches... (Score:3, Insightful)
Bad in-path caches are something we specifically check for on Netalyzr. Its suprising the number of BAD in-path caches still exist, which cache data that the HTTP server said "for the love of god, don't cache".
More, what has happened is that bandwidth has gotten cheap, so fewer people are DOING caches, and when they are caching, its more likely for latency not bandwidth savings (eg, we see a lot of caching for users from South Africa).
Re: (Score:2)
I'm not even going to bother testing this.
If it's a contest between facebook screwing up the correct settings of headers, and AT&T screwing up how they cope with such headers, I'd bet my arse on the latter.
In fact, if it was the former, we'd have heard this story a LONG time ago (how many companies allow facebook, but use proxy servers? Very many that even I can think of!
Re: (Score:2)
Obviously, he didn't RTFM... But are you new around here? This is slashdot!
Re: (Score:2)
If what you said was remotely true, none of the buttons or links would work. Dur.
Not true. The links and buttons simply take you to other URLs which would also have gotten cached by the caching proxy server. (The friends page on facebook is "http://www.facebook.com/friends", which is just another URL to cache.)
Dur indeed.
Re:But... what? (Score:5, Insightful)
I don't know how Facebook does it specifically, but many sites will give the user a session cookie after entering his/her username and password. All further requests use that session cookie to identify the user. It sounds like a proxy at AT&T served a cached response belonging to someone else and that included a session cookie that was still valid (not logged out or expired).
It may be a bug in the proxy or a bug in the HTTP headers set by Facebook that instruct how a response should be cached. It does show that it is a good idea to use HTTPS when accessing private data, not just for banking. If the site does not offer HTTPS, it is good practice to log out when you're done, so that the server will invalidate the session cookie.
Almost certainly (Score:3, Interesting)
Re: (Score:3, Insightful)
If the site does not offer HTTPS, it is good practice to assume the information you store there is not secure.
Fixed that for you. Data sent in the clear is not secure.
From this we can make another logical step: Therefore this is not a security issue. Data which is not secure cannot have a security issue. It is already public.
HTTPS won't necessarily fix this! (Score:1)
It's true that the HTTPS protocol would have prevented this, but it can only prevent this type of activity within the https connection! There's no reason why AT&T wouldn't have the phones set up to use an HTTPS proxy - meaning that the connection between the phone and the proxy is like any other http proxy, and the proxy server then initiates the HTTPS connection!
Take a look in your browser settings for "HTTPS proxy", virtually all browsers support this type of behavior, and if AT&T was "aggressivel
Re: (Score:2)
Using an untrusted proxy (and I assume you don't trust some third party corporation whose contract with you essentially says "all your base are belong to us") to handle your SSL connections is the same as not using SSL.
Re: (Score:2)
I'm not disagreeing with what you say, but pointing out that everything on facebook is public anyway.
In less you specifically set it, everything is visible to your 'friends' and this also means any application your friends have used... all those piddly quizzes etc. that people run once, and never de-authorise, have virtually as much information to stuff as that person does itself.
That includes photos, and notes and everything else.
If you use facebook, go to settings -> application settings and look at ho
Re: (Score:2)
Surely you troll, or are you simply being facetious? You must be capable of comprehending that my implication was that if you are intentionally using an insecure channel, considering the data which you send through that channel to be secure is folly. Please, do us all a favor, and attempt to grasp the intent without assuming that the poster is retarded. This community, including myself, deserves better.
Re: (Score:1)
It's not a GLITCH! It's AUTOMATIC HACKING! (Score:1, Funny)
It's a feature, NOT a flaw.
How half of all customer support calls begin (Score:4, Funny)
"I thought it was the phone -- 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it...'"
The feeling is mutual (Score:4, Funny)
Re: (Score:1, Funny)
Re: (Score:2)
Well, do you have any proof that it's not a magical phone???
The article specifically said it was a Nokia, not an iPhone.
the american response (Score:3, Funny)
SUE the hell out of them.
Re: (Score:2)
No no. The American response is:
Class action lawsuit.
Good thing that Gmail is all https now (Score:5, Insightful)
Probably will take Yahoo only another 15 years to catch up. Wish all other services with even a small chance of transmitting private data would do the same. Even if they charged for it (i.e. a premium account).
Re: (Score:2, Informative)
Gmail has supported HTTPS since it's release, only now are they making it standardized.
Re: (Score:3, Insightful)
Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure. (Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)
Re: (Score:1)
(Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)
Score:5, Truth.
Re: (Score:2)
Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure.
Except you're suggesting a browser-based email service, so all bets are off once the next browser vulnerability is discovered.
Re: (Score:2)
its
Re: (Score:1)
something that I was wondering about for a long ti... hey! Why am I suddenly finishing this sentence under someone else's account? I'm tsa dammit! Who the hell is The Wild Norseman anyway?!?
Re: (Score:1)
Re: (Score:1)
True, but don't forget that an iPhone can only do one... thing... at... a... time.
Article Comments (Score:2)
Reading the article's comments (Ya, I know ban me for RTFA lol) the issue appears to be quite widespread, and possibly on Facebook's end. They appear to not sue encryption once you log in, so that is definitely a weakness there. But that "costs" more bandwidth... but if Google can do it and switch to HTTPS... but of course this is email, not public humiliation we are talking about here.
Mod parent down (Score:2)
He readily admits to reading the article! Not only the article, but even the comments! We can't have that on Slashdot - we've got to nip this in the bud.
Re: (Score:2)
unless they have some sort of network cache at work
Like most every ISP in the world, to save bandwidth? Look at your server logs, if you have any. You'll see a lot of different users coming from a single IP address. That's a transparent proxy at their ISP.
Re: (Score:2)
It uses more bandwidth due to encrypted data being larger than unencrypted.... think about it (For the transmitter).
It uses more CPU (at the encrypter and decrypter ends).
However for the transmitter, the data is merely larger, its no harder to handle encrypted data than it is to handle unencrypted data.
Technical details please! (Score:2)
However, I'm wondering if it may be a problem with the Facebook login system. Perhaps there is something wrong with how they identify a browser who is currently logging in, and they confused handsets on the carrier (
Re: (Score:2)
Re: (Score:2)
Very likely could affect other sites, but one would hope they don't man-in-the-middle https.
Re: (Score:1, Insightful)
The article is poorly written and obviously is a hearsay of technical information loosely translated into something people might read.
The description of the potential scope of the problem (all of the internet, everybody, all of the time) is laughable. Of course if I get a flat tire from a nail, and if nails are used everywhere, then everyone's tires are at risk from nails all of the time. And we should all stay home. Better to find out why that nail was there and if there is someone dropping nails on
Caching (Score:5, Interesting)
I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.
I am specifically talking of the horror that is Microsoft's ISA server.
At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.
Re: (Score:2)
... I have seen similar things happening with poor-quality web caching proxies. I am specifically talking of the horror that is Microsoft's ISA server.
Happened to Google, too. [googletutor.com]
Cool (Score:2)
Re: (Score:3, Interesting)
Wait, let me get this straight:
You used a connection, realised that it had a security hole that was disclosing login information to third parties, and then provided it with your login information.
Re: (Score:2)
NAT problem on ATT's WAP gateway? (Score:1)
Might have been a NAT problem on ATT's WAP gateway.
Hardly new in end effect... (Score:5, Interesting)
The article says:
But I, as a just random user of some commercial (read: mail-order, telephone company, etc.) websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies although that is purely a guess, maybe indeed there was some hijacking going on at the network level.
Some of these websites were supposedly "https" but some inspection of HTML source revealed this was just the frame, the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URL's in those frames I could see arbitrary customer's account info.
I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.
Re: (Score:2)
And here we have a nice summary of how the legal (and political) system gets it all wrong. They often set up laws that pun
It's not entirely new (Score:2)
In the pre-LAN days of the 1980s we used to use terminal servers to connect dumb terminals to the computers. Their purpose was to dish our point-to-point connections on demand.
Once in a while, perhaps due to a power glitch, the terminal servers would drop all connections and then immediately reconnect everyone at random. Users abruptly found themselves in the middle of someone else's session.
Old technology or new, connection errors are bound to happen once in a while.
The true risk here is misplaced conf
CLEARLY a web proxy problem... (Score:4, Insightful)
On the IP layer, this wouldn't happen, because there are cookies contained in the web traffic that are used to route things on the Facebook end, simply because there are NATS and the like.
Thus the problem is whatever in-path HTTP proxy AT&T is using for their phones that crossed things over.
In-path HTTP proxies and caches can be very hard to find and may produce all sorts of interesting subtle problems when there are bugs in them.
Similar problem on my facebook app (Score:1)
So packets can be mis-routed? (Score:1)
Really now? And people are just now realizing this?
...and AT&T strikes again. (Score:1)
Re: (Score:2)
First, we don't know for sure that this is not a Facebook problem (an organization not renowned for technical competence). Second, the company currently known as AT&T has no connection with the original AT&T other than the name.
> ...Lucent, nee Bell Labs...
Nee Western Electric.
Re: (Score:1)
T-Mobile (Score:1)
Showing, once again (Score:2)
....that if you really need data to be secure, end to end security is the only way to go. That way, no matter what happens in the network (short of man in the middle attacks by a trusted or very resourceful attacker), either only you get your data, or nobody does.
Of course I'm here on slashdot via a non-secure connection, but the worst that happens here is someone steals my account to post obnoxious shit. (and who would notice?)
Re: (Score:2)
If you dig around in any archives related to the topic of computer security, you'll find this comment all over the place, and in the earliest documents you can find. It's well understood that if you rely on a lower "comm" layer for security, the people in charge of that layer have full access to everything you send or receive.
This is why so many security people tend to just snicker at network-level security features.
MITM (Score:2)
What makes this "little known"? (Score:2)
What makes this "little known"?
This is the whole reason we have SSL(TLS) and happens all the time, except usually nobody notices.
Security flaws (Score:1, Offtopic)
It turns out that both of these women who use AT&T phones had both heard of Internet Explorer and Firefox. The nation of Liberia is now warning users who have ever heard of Internet Explorer or Firefox to switch to Liberia's own Liberexplorer for a limited time only. Supplies are running out fast and there is a strict limit of 2^10000th power per customer. Just five easy installments of $10.99 and you're in the clear. Act now!
cell phone internet uses a nat based system the hi (Score:2)
cell phone internet uses a nat based system the higher priced plan have real ip's. I think that media net is nat based.
How she knew it wasn't her account (Score:2)
Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.
Re: (Score:2)
Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.
The article says what tipped her off was a photo of the site's owner. I would think that skin color would stand out as much as gender when you first see a photo.
Plus, really, I'm a bit tired of all this pussy-footing around when it comes to race. We should be able to reach a place where we treat everyone else with respect, yet still are able to recognize our differences for what they are - not better than someone else's, nor worse; just different. A person's race is a legitimate part of their heritage and t
I can confirm this (Score:2)
Rates? (Score:2)
So, AT&T, tell us again what makes your service worth those outrageous rates? It seems you can't even assure that you won't deliver my data to a complete stranger.
Facebook also screwed up here with their auth! (Score:2)
The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.
I cannot understand why Facebook didn't add the ip address to the hash of the login; making it impossible to use the same cookie with another IP address.
I simply cannot understand. I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.
I'd think BOTH are in error; facebook for having ratsass security and the phone company of making this possible.
Makes one wonder too; how safe we really are for MITM attacks; looking to this case...
Re: (Score:2)
I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.
So where might my code find this?
I just checked what my apache server tells a CGI program of mine when I connect from my cell phone. The only ID string I see is
HTTP_USER_AGENT: "Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1 Build/DRC83) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"
I can easily tell what kind of phone this is. So can my code, whi
new Facebook exploit available for CEO's? :S (Score:2)
do these things remember cookies ? ...
As soon as that's possible, an unique id can be assigned
Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.
I've seen earlier some entries from Perl code around cpan about mobile authentication, possibly with a few brands only; but cannot remember the right module anymore. There is some Ericsson code available through the web.
I wonder if this "bug" is also possible through Facebook Connect, because that would mean an extreme pr
Re: (Score:2)
do these things remember cookies ?
The browser on my G1 has an explicit "Accept cookies" setting, so the answer is "sometimes". ;-) This is, of course, typical behavior in most browsers. There's also the usual "Clear all cookie data" item in the Settings menu. But it does mean that you can't simply rely on cookies working. As with things like javascript, the person running the browser can disable cookies.
Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.
Or you
It's not about safest but (Score:2)
This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.
If the IP and other environment variables are passed together with that id; it would be "more" locked to location and client.
For facebook with it's own security gateway (Facebook Connect), I've been expecting this session id to be at least that secure ...
Re:This makes no sense... (Score:4, Interesting)
How in the World can this be AT&T's fault ...
1) Alice and Bob are both logging in to facebook. They send the last message of the login at nearly the same time.
2) Facebook
3) AT&T gives Alice's cookie to Bob. (Several ways to do this.)
4) Because Bob's browser was expecting the reply with the cookie from Facebook it accepts it and continues with the login step. Except for having the wrong cookie everything is as it should be.
5) Bob's transactions are marked with Alice's cookie until he logs out, logs in again, or the session expires. He's logged in as Alice.
If you read the fine article, one of the examples is exactly that. In step 3) "Bob" and "Alice" had their replies-with-cookie swapped so they each ended logged in as the other.
Re: (Score:2)
Re: (Score:2)
Great, now you've leaked their names ...
Ho ho! B-)
(For those not familiar with academic crypto-speak: "Alice" and "Bob" are typically used rather than "user A" and "user B" for describing a communications security scenario. Usually Alice and Bob are the communicating parties but in this case I've (mis)used them for two people trying to communicate with Facebook nearly simultaneously. Another such name is "Eve", the canonical eavesdropper.)
Re: (Score:2)
Right. Also there is Cathy and Dave, but you never hear about them because they are Clueless and Disinterested ;-)