Tag Archives: Facebook

Facebook is in More Hot Water

Glad I am not Mark Zuckerberg.

Well, maybe. I think I would like to have his bank account 🙂

Facebook is making some efforts to rehabilitate its image within the fundamental constraint that it is selling your data for a living. While pretending that it is all for your benefit.

As part of this rehab effort, Facebook is reviewing tens of thousands (or more) of apps to find ones that are misusing data.

So far, they have “suspended” about 200 apps.

One app, myPersonality, has likely misused large amounts of data on millions of users over the last 3-4 years.  It, too, is now suspended.

To quote someone (there is a debate as to who): With Great Power Comes Great Responsibility.

This may be a defining moment for Facebook.

So what should you do?

The greatest power is the power wielded by the Internet user.  Facebook can only collect information that you provide it. Same for Google.  Sometimes the information is provided willingly.  Other times it is much less obvious, like when Google collects information about what web pages you visit and for how long.

Hopefully, for most people, it is becoming painfully obvious that YOU are the product.

So be careful about what apps you install, what data you provide and to whom.  Or not.  But, if not, understand the implications.  

One thing you should assume. If you provide information to an app or a public web site, it could become public. If that is a problem, don’t provide the information.

Information for this post came from The Register.


Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its “referral” to the European Court of Justice. The case in question is a ruling about whether “Standard Contract Clauses” and the U.S. Privacy Shield provide sufficient protections for E.U. residents’ private data. Facebook wants to appeal to the Irish Supreme Court the decision to turn the question over to the ECJ, because the last place they want to be is at the ECJ – who ruled against them in their last privacy suit that destroyed the predecessor to Privacy Shield, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would have likely criminalized cybersecurity research and allowed so-called hack back attacks where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?). The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime. Equally likely, the large cybersecurity firms with offices in Georgia would have left the state and security researchers at Georgia universities would have likely found more understanding states to do their research in. Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before they wrote the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company. IBM’s Global Chief Information Security Officer made the announcement saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t saying “Why now?”, but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban and, if done alongside a policy on the appropriate use of services like Dropbox, Box, One Drive and others, it likely will reduce certain types of information leakage.

What is or should be your company’s policy? (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware. Researchers are warning people of a campaign, said to have already infected a hundred thousand users, where people are lured to click on a link on social media which redirects them to a page that tells them that they have to install a plugin or browser extension to continue reading the page. DON’T! Once the software is invited in by the user, it steals passwords for a variety of accounts. Other variants of this type of attack could, for example, empty your bank account when you log in to your bank or forward all of your email to the hacker.

If you think you need a plugin or browser extension to view a page and it is not already installed, independently find that extension and install it from the vendor’s site. Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (Source: The Hacker News).
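The "App1e is not Apple" check above can also be run automatically over proxy or DNS logs. The following Python is an added example, not part of the original post; the trusted list, the sample hostnames and the rule that the registrable domain is the last two labels are assumptions, and it handles ASCII substitutions only.

```python
# Added example: flag hostnames that imitate a trusted vendor's domain.
# TRUSTED and every hostname used with it are constructed for illustration.
TRUSTED = {"apple.com", "google.com", "mozilla.org"}

# Characters commonly swapped in to imitate another character.
CONFUSABLE = {"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"}


def skeleton(label):
    """Collapse look-alike characters so 'app1e' and 'apple' compare equal."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host):
    """Return (verdict, trusted_domain_or_None) for one hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Assumption: the registrable domain is the last two labels (no public suffix list).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return ("trusted", registrable)
    name = labels[-2] if len(labels) >= 2 else labels[0]
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        if brand in labels[:-2]:
            return ("brand-in-subdomain", good)   # apple.com.downloads.example
        if skeleton(name) == skeleton(brand):
            return ("lookalike", good)            # app1e.com, apple.net
        if edit_distance(name, brand) == 1:
            return ("near-miss", good)            # one typo away from the brand
    return ("unknown", None)
```

Anything other than "trusted" or "unknown" is a candidate for blocking or a closer look before an extension is installed from that host.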

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data that they have of ours. Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is used to record and track phone calls to and from prisoners.

Unfortunately, he used it to track calls of a Judge and members of the State Highway Patrol.  This would allow him to track the location and obtain call data of these people. And anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and certify that the activity was legal – basically, pinky swearing.

When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on – who knows (Source: NY Times)?


Logon Using Facebook ID? Understand the Devil’s Bargain You Made

Security.  Convenience.  Pick one!  That is my forever mantra.

Now we are finding out that when you log in to your favorite site using “Login with Facebook” your data is exposed to third parties. Nice.

According to research from “Freedom to Tinker” at Princeton, when a user logs in using Facebook’s API, JavaScript on the site is able to grab your profile data and email address and maybe more.

Facebook, currently in a world of hurt (worldwide) over the Cambridge Analytica mess is magically very sensitive to people – other than them – stealing your data.

As of right now, they have suspended the ability to link userids to Facebook profile pages and are looking at what else they are willing to do to contain the damage while not damaging their business model of allowing everyone to capture and sell your data.

If all of a sudden web site operators and advertisers can no longer scrape your data, ad revenue may be flushed down the toilet.

Information for this post came from CNBC.

So, given the above, what should you do?

First I want to make one thing clear.  Facebook is only one culprit in this game and while it is fun beating Facebook up, we should not lose track of the bigger picture.

Anytime you log in to website “B” using the userid and password from website “A” (such as using your Facebook ID to log into BandsInTown), you run the risk of exposing yourself.

While right now we are only talking about your profile and email being exposed, the developer API documentation on Facebook’s web site says:

To ask for any other permission, your app will need to be reviewed by Facebook before these permission become visible in the Login Dialog to the public who’re logging into your app with Facebook.

I gather this means that other apps may have more of your information than we are talking about in this situation based on how well the app developer has conned Facebook (think Cambridge Analytica) or even how much they paid Facebook.

Also, the site that you are logging in to with your Facebook ID could compromise your ID and password, and then all other sites that you also log in to with your Facebook ID will also be exposed.

The best solution to this is to log in to each site with its own userid and password.

Use a password manager to track this for you. Most password managers will pick crazy passwords for you and since they enter them in the login page automatically for you, you don’t have to remember them. Win-Win – better passwords and easier for you.

If you are not willing to do this, then, at least, only do this for accounts that you don’t care about – what I call throw away accounts. Don’t do it for any account that has access to your credit card information (any e-commerce site) or bank account information.

Ultimately, the choice is yours.  Security or convenience, pick one.

And Facebook is only one site that does this shared login thing. The problem is the same with all of them. The list of OAuth providers (which is the technical term for what this process is) is long, including Google, Etsy, Flickr, Instagram and many more – see a list of them here.


Facebook Continues its Damage Control Program

Facebook is used to riding high.  Not so much lately.

First they said that Cambridge Analytica inappropriately captured the data of 47 million users after 250,000 or so users completed a survey and they captured the information of all of those people’s friends without their permission.

Now they are saying that their arithmetic wasn’t so good and it wasn’t 47 million but rather 87 million users (Source: National Review).

Facebook is also saying that “malicious actors” took advantage of the search tools on Facebook and captured public information on most of all 2 billion users. The attack was very creative. Take email addresses or phone numbers compromised in one of many breaches and pop them into Facebook’s search box. Until yesterday, that would retrieve any information you marked as public including photos, job history, friends and other information. Yesterday, as part of their “rehabilitation”, they disabled the feature, but not before bad guys stole terabytes of data (Source: Washington Post).

Then there was the memo by Facebook exec “Boz” who said that anything that we do to connect more people is good, even if it is used by terrorists. Now that the memo has become public, he claims that he didn’t really believe that (Source: CNBC).

Finally, after first saying that while he liked the EU’s new privacy regulation, GDPR, Facebook had no plans to make that the rule in places where they were not being forced to do that by law, they are now saying, just kidding (Source: Ars Technica).

Okay, given that Facebook seems to be acting like the twin of Mr. Robot’s Evil Corp., what should you do?

First, be a conscious user. Even today Facebook allows you to make information private or visible to just friends. My posts are public, intentionally, but nothing else is public – only visible to friends.

Given that Facebook makes all of its money from selling your data, the default is always going to be share (or steal) your data.  You need to proactively change the defaults.

As Facebook makes changes in response to the current PR disaster it is in the middle of, see what new capabilities they offer and take advantage of them.

Finally, don’t post so much. Do you really need to post everything that you do? Once you post it, it is out there. At least one insurance company is denying burglary claims if people posted their vacation plans prior to returning home. Be smart; post less.

Social media is wonderful, but with wonderfulness comes problems, so be smart.


Facebook Caught Mining User Data Again

This time, the data that Facebook is mining is your call data and your text message data.  But there is a difference.  In this case, Facebook says that it asked permission when you installed Messenger or Facebook Lite.  However, the default was to collect the data and it was not very clear to users that the data was being collected.

They have been doing this from both Android and iPhone users.

If you download your Facebook data (to download your data, go to http://www.facebook.com/settings  and click on the tiny little link at the bottom that says download a copy of my facebook data), you can see what data Facebook has.

Roughly a year ago, Facebook made it more obvious that they were collecting the data when you install the app.

Facebook says that they never sell this data (probably true) and its purpose is to let friends find each other on Facebook and help them create a better experience for everyone (more doubtful).

OK; let’s say you are a FB Messenger user, what can you do?

1.  Check if your contacts are being synced with Facebook.  The instructions are different between iPhone and Android users, but the instructions can be found at https://www.facebook.com/mobile/messenger/contacts/ .

2. You can turn off syncing contacts by following the instructions at https://www.facebook.com/help/838237596230667 .  Again, the instructions are different between the iPhone and Android.

3. You can delete your call history from Messenger also.  Instructions can be found at https://www.facebook.com/help/messenger-app/870177389760756?helpref=hc_fnav .

Suffice it to say, Facebook is going to try real hard to capture the data.  After all, the name of the game for them is to harvest your data to increase your use and dependence on Facebook and to use that data to sell you stuff.

However, you can disable it.  Just not easily.

 

Information for this post came from Ars Technica.


The UN-VPN

Why do people usually use a VPN connection over the Internet? Usually it is for added security and privacy. What if a VPN offered security, but even less privacy than without it – would you use it?

Well some people are and probably do not even know it.

In 2013 Facebook bought an Israeli company, Onavo. Onavo bills itself as a data analytics company – which makes it perfectly clear why Facebook would purchase it.

But where do they get the data that they want to analyze?

Well that’s easy. They also make a VPN software product – a virtual private network – that creates a secure tunnel for you to send your Internet traffic over.

However, unlike reputable VPNs which work very hard to collect as little data about you as possible, hence aiding your privacy, Onavo collects as much data as possible about you – to aid Facebook’s mission of shoving more ads down your digital throat.

According to a Wikipedia article (here), Facebook is also using Onavo to internally monitor competitors, influence acquisitions and make other business decisions.

If you have the Facebook iPhone app installed and you click on the menu item for Protect, it will direct you to download Onavo.

It also has an Android app available in the Google Play store.

Facebook says that by collecting as much data as possible about your use of the Internet they can protect you better.  Hmmm, interesting thought.  Other companies seem to do that without having to track what sites you visit.

Many anti-virus products have a browser plugin that looks at the site you want to visit and sees if it is malicious. They don’t need to store the history of what sites you have visited nor do they need to associate those sites with your advertising ID in order to tell if the site is malicious.

Unlike most VPN products that only run when you ask them to run, Onavo tries to stay in your browsing stream all the time.  After all, it cannot collect data on your browsing habits if it is not running.

Onavo says that it may retain your data for as long as you have an account. Or beyond. I somehow don’t think that is required to protect you either.

So, if you are looking for more targeted Facebook ads (and ads on those other web sites that use the Facebook ad platform), this is the software for you.

If you are looking for privacy, I am thinking there are probably better alternatives.

Information for this post came from Wired.

 

 

 
