No, this is a post about why you should ignore Facebook. Turn a blind eye and let it pass. It will, in time, fade away, like Yahoo, MSN and others before those. It may have a huge number of users, but then so did MySpace. People will move on, and Facebook is already worrying about growth figures. But that’s not why you should be ignoring it.

You should be ignoring it because all of the things that you try and promote can be just as easily undone, and using Facebook as a solution to problems that your organization faces will only lead to more problems in the long run- not least of all when Facebook finally goes the way of MySpace and people move on. But that’s not all.

First off, some disclosure about myself. I don’t have a Facebook account. I nuked my account after my exams ended, before the holidays started, months ago. I’m an active member of the Royal Holloway Students’ Union. I attend numerous events and work with various media outlets on campus. At no point in doing all of this have I actually needed to visit Facebook.com, much less log in. The last stored login details in my browser aren’t even mine- they’re a friend’s left over from when she borrowed my PC to check some messages. I’ve written apps for Facebook before, and have worked with the APIs and tools that Facebook gives developers to let them access what they describe as ‘the social graph’- that is, your data. And I spend a lot of time working on computer security and, specifically, web security and analysis. I wouldn’t call myself an expert or even a specialist, but I have half a clue about this stuff.

So- your organization is organizing an event. You’ve got a website, and you’ve got someone (or a company) maintaining it. What do you do- put the event information on your website, or on Facebook? Unfortunately, lots of people will answer “Facebook” to this question. The correct answer is your website first, Facebook to raise awareness, but the information and (if appropriate) booking/RSVP information should be on your website. The Student Radio Awards are the latest in a long line of offenders to reach my inbox, informing me gleefully of a page on their website which promptly takes you to Facebook so you can RSVP to their nomination parties. As a person who chooses not to use Facebook, I now cannot interact with these events, and if I want to RSVP I’d have to reactivate my account, which I’m not doing for an SRA party. I emailed back, and got the response “But you can still see the information without joining Facebook”. True enough- but here’s the rub.

• Your organization does not control access to that data any more. Facebook does.
• Your organization is specifically endorsing Facebook at this stage. Do you really want to do that, with all the privacy and security issues flaring up right now?
• Your organization is specifically blocking people who do not want to use Facebook from using your services.
• To view your data, users are forced to interact with Facebook servers. Users with privacy or security concerns can now not use your service.
• Facebook is not your server. It’s unlikely that your server is blocked from any workplace networks- how about Facebook?

Some of my other brethren in the webdevel community (SEO and marketing experts particularly) will be flaunting the positive aspects – reaching more people, less operational costs for your own site and infrastructure, being seen to be ‘social’ (which is a big deal for some organizations who have talked themselves into it thanks to overzealous marketing gurus wanting to be seen to keep up with emergent trends- come on, guys, it’s just a fancy way of sending email newsletters). Do they balance up? Actually, no. The enhanced reach that comes with getting on Facebook’s timeline/front page for people is a big deal. There’s no hiding from that, especially in a university environment where people just don’t seem to understand that Facebook is optional. There’s no harm in using Facebook to link to things on your site, of course- there’s no such thing as bad publicity. But the second you start putting information on Facebook that isn’t on your own infrastructure, you’re damaging yourself. In severe cases you can piss users off in droves.

Facebook is not infrastructure for your organization. Build your own infrastructure- everyone on the web will be better off for it, and your users will thank you.

The privacy issues flaring up at Facebook are serious, and in some states in Germany, sites are being fined for using the Like button as it violates German law. Do you really want to be supporting, encouraging and endorsing the sort of company that supports this degree of invasion of privacy?

If the pile of (in my mind very compelling) reasons why you shouldn’t be using Facebook as infrastructure listed above don’t get you, okay, well let’s look at this another way. Facebook is a company that exists to make money off your data. You, as a company, help them, as a company, get more money (through advertising) in return for some page views. But it wasn’t always this way. In the past, people built interesting and engaging websites, and people actually visited them of their own volition. You didn’t need social engagement to get page hits, because people would visit your site anyway. And you know what? They still do, Facebook or no. And you own it. What you make, you own, you can control precisely as you desire. Facebook you can control however they decide you can control it all one week to the next- everything changes so often that forming solid policies or organizational structures on how to use Facebook is next to impossible. The page views to your site that are effectively the sole reason why organizations started using Facebook meanwhile dwindle as you put more on Facebook and less on your site. In extreme cases you stop updating your site, and get confused as to why people ask why your site’s entirely empty and has no information on it- “oh, it’s on the Facebook page”. More damage to your organization’s reputation and web presence.

Organizations should be proud of their web presence, and shouldn’t just say “Okay, our website’s rubbish, let’s just use Facebook instead”. Fix your website. Build your own infrastructure. If you want to be social, at least use Twitter, which is simple, straightforward, open and easy. It’s hugely popular, has far fewer privacy and data retention concerns and issues inherent to its nature, and is massively more powerful in terms of engagement and potential page hits.

It’s not your infrastructure, though, just as much as Google Plus or Diaspora aren’t. Look at NASA’s tweets- they all link to a NASA website. The Guardian doesn’t link to Facebook. You shouldn’t either.

Recently, CCP decided to ditch their old forums (ASP, around 10 years old with little to no updates in that time) and started work on a new forum system. They’d just launched EVE Gate, which is a fairly minimal but working social network for EVE, and allows you to view some in-game features out of game. Many people decried EVE Gate, saying CCP should have just focused on building a better API first- then making their own CCP-owned apps on top of the API. Still, EVE Gate was done and launched to a minor fanfare. Some people use it a lot (in-game email is a handy thing to have at work), but many people ignore it outright.

What was shouted about most on the forums was the investment of time and effort from CCP to produce a very minimal site, features-wise. EVE has a stellar (no pun intended) community, with some very bright minds in it, who have built some fantastic apps on top of a fairly limiting API, and done so in their own time as a hobby project. Sites like EVE Metrics, EVE Commander, and such were all cited as examples of this- people were whipping up massively more complex and powerful sites than EVE Gate in their spare time in a matter of months, so what took CCP so long?

Well, the same people who developed EVE Gate (to my knowledge) were applied again to a web based problem; new forums. Now, a logical thing to do would have been to build on EVE Gate, and to add forums directly to that. This means you’d have only one core framework of software to debug and worry about, your authentication (a huge consideration for games like EVE) is all in one place, and in terms of validation and security testing there’s less to go wrong and fewer places to look when the shit hits the fan.

But CCP’s Web Cell did not. They sank a colossal amount of time into the project; the number being thrown around is 72,000 man-hours, which sounds about right to me given when they started and how many people are working on it. 72,000 man-hours is huge. Months and months and months and months. Forums are not complicated beasts; they’re essentially a simple relational DB application. You have to apply some thought about formatting (implementing bbcode or something like Markdown/Textile), accounts, profiles, all that sort of thing, but everything boils down to very simple structures, and simple code. There’s nothing complex, really.

CCP has one extra thing to think about atop of most forums: Integration of EVE accounts and characters. You have to be able to log in, and select a character to post as. But with EVE Gate, they had all that already done and dusted. And, crucially, fairly well tested- exposed to the world for a good long while. But again, this is all quite simple stuff.

But the web cell still managed to botch the job. And not just a half-arsed botch. Oh no.

They didn’t decide to integrate with EVE Gate. They completely ignored it, in fact. They took an existing ASP.NET forum software package, Yet Another Forum, and then skinned it. They just made a CCP skin for it. But that’s not all they did- they also gutted parts of it to tie in the authentication system, filling massive chunks with serious security flaws.

At approximately 21:00 UTC on Friday, April 8 we were made aware of some security issues with the new EVE forums which needed to be addressed. These issues were as follows:

• We discovered that it was possible to access some forums which certain users should not have been able to access
• Users could make and edit posts as another user’s character
• It was possible to inject some HTML code into signatures

At this stage the competent web developers (and software developers in general) are staring blank-faced in incomprehensible confusion. How could a 600-man industry-leading corporation like CCP let this sort of thing slip?

Authentication was done by cookies. That means there was a client-side cookie which stored your character ID. Change that, and you could appear to be logged in as anyone. And act like it, too- this wasn’t just a display bug. Change yourself to the CEO of CCP’s character, and you could see all the private internal forums. And the admin panel. And you could ban people! Handy.

Editing posts was unauthenticated. You could be logged in as you, edit your post but then change the post ID in the edit URL to the post you wanted to edit. And hey, no questions asked – go right ahead!

And finally, at least one HTML injection flaw. Why? Because HTML is used for formatting.

Now, these are all mind-blowingly simple ‘My First Website’ cock-ups. Any competent developer who had knowledge of programming web applications would never have made any of these mistakes. So why are there no competent developers in the web cell?

Here’s a clue. CCP Games hf is based in Iceland. Chances are, you’re relocating to take a job, and that relocation is putting you in a country far, far away from wherever you used to live. That’s a massive downer for potential employees. Next, the other part of the puzzle: I currently do freelancing. With a few clients on the go at once, doing roughly 20 hours of work a week during holidays as a student, per year I earn well in excess of what full time employees of CCP’s web cell get paid. I’m not even out of university yet. There’s one other thing to consider, especially now: CCP is not the sort of company that looks good on your CV any more. There’s some incredibly smart people working at CCP on some incredible stuff. But their reputation is tarnished, almost beyond repair, by this sort of fuck-up. Having CCP on your CV is something you want to think twice about. And working somewhere that triggers that sort of thinking is not looking great, is it?

And last but not least, have a look at the CCP Jobs website. Check out the requirements for a web developer:

Required Experience/Background/Skills:

• B.Sc. in Computer Science or related field, or equivalent training and professional experience
• 2+ years of experience developing & implementing .NET based web solutions
• JQuery, JSON, JavaScript, ASP.NET, MVC, C#, Visual Studio 2010, HTML/DHTML, MS SQL Server 2008, T-SQL
• Strong communication skills – verbal and written
• Strong technical and analytical ability
• Ability to complete projects on a timely basis with an attention to detail with minimal supervision

Now, there’s a bunch of problems here. Firstly, their HR people clearly do not know what makes a good web developer. Listing DHTML is cause for concern – it’s a buzzword from the 90s, nothing more. Personally speaking I have great concern for people who have only been using Microsoft toolsets, particularly for websites, and I’ll go into this a bit more in a second. The other problem with the above list is that, BSc aside, if they were willing to overlook my lack of experience with things that didn’t exist back then, I’d have been qualified at age 15 or so. And then the last bit: “attention to detail with minimal supervision”. That’s very worrying.

It’s worrying because it implies that these underqualified, fresh-out-of-school/university undergraduates who have potentially never written a public-facing website are not going to have their work checked. That’s a clear, utterly obvious problem. That’s saying “You’re confident you’re good enough to not need a supervisor keeping track of your output” to someone who probably has a healthy ego on them but in reality could be utterly useless.

The all-Microsoft toolchain that CCP uses and requires people to know is all well and good, but security has never been in the forefront of Microsoft’s brain. Specifically, tools like Visual Studio and ASP.NET for web developers focus on making life easier. Reducing the amount of work you have to do and increasing the amount of bolting together existing bits and pieces. This hides the underlying reality somewhat, though, and can lead to people just not being aware of things like client-side cookie tampering or cross-site scripting. Malformed HTML just isn’t something most MS web devs really think about- not till they’ve had a few rounds of learning the hard way, at least.

This is just my personal experience, based on people I’ve worked with and projects I’ve had to work with in the past. If you hire people who did their first major websites using a text editor, you’re likely going to get people with more knowledge about why things work, and can better understand how people can attack their nice shiny working things. And that makes you a better programmer. It’s one of the reasons I prefer working with Django/Rails/Sinatra- none of these things hide code from you. They may let you generate code with helpers, but even that is merely convenience- you have to know what the helpers to do to be able to use them, at a code level. Dragging text boxes onto forms does not give you the same experience of interacting with the code directly, and abstracts a lot of important stuff away from you. The result? Worse code.

CCP was very proud at fanfest of the fact they’ve now got over 600 people in the organization. But what sort of people? And why so many? Sure, a goodly number of those people will be DUST and Incarna developers and artists and so on. And you’ve got admin people to go with that all. But CCP’s first website was done by far fewer people than are currently on the web cell. And say what you like about 10-year-old forums, they work, a point made loudly by many forum users. CCP could perhaps do better by hiring fewer people, but people with better real-world experience.

So, the real screw-up here was not a purely technical one; it’s much more about the people who are behind the tech. And CCP is going to find themselves in a bad place on that front in very short order, because nobody except fresh-faced undergraduates is stupid enough to want to work for CCP right now. And I hate myself a bit for saying that, but it’s true. CCP is becoming a liability to itself through its own actions. And like all bittervets, I only whine and complain and point out this sort of thing because I fundamentally love EVE. It remains the only MMORPG that transcends being an actual game and takes on a life of its own. But with CCP at the helm, the world is in perilous danger of being torn to shreds by the very entity that created it. Which would be a terrible shame.

I’ve spent most of my time working on EVE Metrics. There’s some very cool, very powerful changes coming up soon; early Feb saw the introduction of much more accurate prices and indexes, with a newly improved algorithm for calculating the average prices of items. But even better is some of the new stuff coming in the next few weeks- notably the implementation of a fully-fledged OLAP warehouse for EVE Metrics, which will open up some very awesome possibilities in the long run.

Also under the scalpel this month has been the API system. EVE Metrics will support full and limited keys when it comes to the API. However, there will be a quirk; if you want to make use of other people’s API data, for example to see more detailed market analysis with transactions hooked in and so on, then you’ll have to share your data. This means if you want to benefit from other people’s data, you must reciprocate and share your data for the benefit of others. Your data will, in all cases, be used for global averages, but entirely anonymously; for example, the number of transactions per day on a given item may include data from your API, but nobody would know it. This system will hopefully encourage users to share data more often than hide it. I’m planning to make this an opt-out system, with the choice to opt-out given on the API key page as part of the form. It’ll be really hard to miss, and those who are paranoid or wish to hide their activity completely can check the box to opt out.

I released accVIEW a few days ago, and it’s had quite rapid takeup from corporations. It’s a service that lets you perform background checks on prospective new members to your corporation- the basic tool lets you view skills, characters on an account, and various bits of information like their corp details, CEO, and so on. The premium version (For the low cost of 150mISK) lets you see the applicant’s wallet journal (with tools to show suspcious transactions and filter the results), as well as their recent kills/losses.

EVE’s M10 expansion, Apocrypha, should be awesome. Tech 3 is going to be great- lots of people complain about the skill loss and the fact that it’ll make FCing a nightmare. Well, no. The skill loss makes sense, and provides an interesting new dynamic to EVE. FCing- well, those who complain about T3 making FCing impossible are evidently not up to scratch as FCs. It’ll give FCs a real change and challenge for the first time in years. The wormhole stuff will be an interesting thing to watch pan out- there’s lots ot potential there, and it could end up being a lot of fun…

Nexus is progressing slowly but surely; the large amount of data we’re gleaning via an API-scraping installation for Sc0rched Earth is helping no end with development, and we’re busy tidying things up behind the scenes and refining some of the interface to make more sense. Once I’ve gotten ActiveWarehouse’s ETL library working properly, my next step will be to break out Photoshop and my text editor- EVE Metrics, ISKsense, maybe accVIEW, and the new MMMetrics site (Which will be launched soon) are all going under the knife and getting a serious facelift. And then it’s on to even more awesome stuff for EVE Metrics!