Underscoring the permanence of data published on the internet, a security researcher has compiled the names and URLs of more than 100 million Facebook users and made them available as a BitTorrent download. Ron Bowles, who describes himself as a certified penetration tester, said he used some hastily written code to harvest the …
I came here for news
Not reprinting of the moronic rantings of a shameless self-publicist. It really doesn't take much effort in computer security to come up with the dumbest story known to man and get big in the mainstream press does it?
*shrug* For the life of me I can't see the interest of this story. It puzzled me when it hit the big media. Exgirlfriends, colleagues, bosses, neighbours and mostly everybody have been stalked this way via google->facebook since the dawn of time.
And you guys are putting this on "Top stories"?
The only point that's marginally interesting about this is the "Internet is forever" thing. Which, sadly, is far from the truth. I browse the web archive more than I would like, and many things aren't there anymore.
Not even a story - when the BBC played this "news" on loop all day yesterday, I was thinking "well done the reg for not even mentioning it" - however, it just seems that the reg were a day late in reporting on IT...
Wow there's some serious harrumphing going on here.
Do you not think the scale of this at all newsworthy?
OK, so they've basically just automated a process that could be done manually. Except that they've then used it to mine data from 100 million people.
Also, having not heard of this through the mainstream media, this seemed to be a well written, un-biased, informative piece on something that is certainly IT related.
Well done El Reg.
Boo angry people.
Cue much flapping of wings, clucking, looking brainless and other chicken-like behaviour as those on the list discover that "exposing your details" really did mean them too. I can only hope Faecebook really aren't enjoying the attendant publicity.
Actually I'm quite interested in this....
Whilst I have all of my security settings set to private and don't allow anyone but friends to view my stuff and don't post moronic messages etc, I'm still interested to see just how much stuff this trawl picked up. I'll probably download this tonight and do a search for my name to make sure that the level of privacy I THINK I have is the same as the level of privacy I ACTUALLY have.
I will probably also search for members of my family (who aren't the most tech savvy of individuals) so I can show them exactly how much they're making available online and get them to improve their security and start taking this seriously.
Yes, it's a non-story for anyone who is the remotest bit tech-savvy; if this story makes those for whom a breadboard is the thing in the kitchen you slice your loaf on a tiny bit more aware of their privacy (or lack thereof) on the internet, this can only be a good thing...
Facebook != Privacy
Which is why my Facebook privacy measures are 100% secure as I don't have a Facebook account!
I've never bought into the whole Facebook culture fad. I use "old fashioned" forms of communications like email, IM, phones, letters, talking to people etc... They all do the job without having to leak so much about myself to the Facebook company and that is the real privacy issue. Because even when you are using Facebook privacy settings to the max, Facebook are still able to access and exploit your data and they do exploit it and they are not the only ones with access to Facebook data.
(Anyone who doesn't believe the kind of privacy issues Facebook presents, just try this as an experiment. If you live in the UK, and are on Facebook then just for a laugh add binladin as a friend so you can tell all your friends you have finally found him, when no one else could. Think it's just a joke, yeah right, then wait for the interesting worrying phone call that most definitely isn't from a marketing company. The question this raises is how does state security associate Facebook to your phone number and directly to you? They clearly can because I now know for a fact this happens as it's happened to someone I know. State security has no sense of humour, to them it's not a joke because to them, that friend link is a honey pot trap to try to identify potential sympathizers. I think it's profoundly ignorant in the extreme, but there you go, that’s the kind of twisted stupid games they are increasingly playing to identify people. So it shows the state is profiling Facebook all the time and they are increasingly trying to link people together and they have ever more reasons to try to link like minded people together. So even if you have never done anything wrong then just through association you can move higher up their watch list. Score enough points (even if they are false positives) and you win the coveted Domestic Extremist award which entitles you to have your liberty withheld whenever the state chooses while they rummage through your car, your house, your life, whatever they want. Evil Domestic Extremists like 2 million UK RSPB bird watching members, environmental protesters and airport expansion (destroying their homes) protesters. You know, the kind of people the police want to watch if they are going anywhere near potentially large protest meetings.
That’s just a glimpse of the insanely stupid ways Facebook data is increasingly being exploited by the state. So behind the facade of a Facebook cultural fad, it's getting very Orwellian very fast.
Which is why I said Facebook != Privacy … and that's just a glimpse of where we are at now!
Not entirely true
Remember Geocities? Most of those sites are long lost and never to be seen again...
I see you haven't heard of the Internet Archive and similar projects.
When I search for the site running on my lab's computer I get:
"We're sorry, access to http://xxxxxxxxxxxxxxxxxx has been blocked by the site owner via robots.txt."
And no, my site's URL is not xxxxxxxxxxxxxxxx.
Or go here to see El Reg in 1998 (instead of annoying Flash you get annoying animated GIFs, yay):
@Nader, Re: Geocities
Do you *REALLY* think that Yahoo! doesn't still have access to all that data?
If you provide details to multi-billion-dollar multi-national corporations, you'll never be able to sweep the cats through the barn door into the worm can again ...
Now ask me why I don't use BingMyGooFaceYouTwit! & the like ...
 "tin", to you Brits.
And nothing of value was lost
while the top million most hideous web pages now reside on Myspace
Not quite, www.archive.org
You forget ...
... thewaybackmachine most of it is archived there.
Re: Remember Geocities...
Despite abandoning it years ago, I found my old Geocities now being hosted at oocities.com so they may not be all gone.
As for this story, this is such a non-event story. The files told me that they had found a couple of thousand people who had the same name as me, and didn't find the link to my url. And so what if they did, it's not as if it's not available from Google anyway.
Unless you look in the Internet Archive and/or the projects which specifically targeted archiving Geocities before its closing.
Not strictly true... there are at least two domains out there that archived Geocities sites wholesale and make it available. And you have forgotten about the Wayback Machine too.
@barn door worms
To this Brit you're opening up a whole can of tins!
 "tin", to you Brits.
yeah, we know.
Driving a double-decker bus through
the stable door after it's bolted.
There's not enough room to swing a horse in here
Ok Zuckerburger ...
.... your move.
If the info was pulled from Google
What can Suckerburger say? It was Facebook that decided to spray everyone's info all over the net.
Facebook gave users the choice: Reveal your profile to search engines or not ? Some users said: "Sure, let google, et al" see my profile.
They gave the users the choice, and the users made their choice. So why is this Facebook's/Zuckerburger's problem ?
RE: Er, No
Well, yes actually, this is Facebook and Zuckerburger's problem, in that the default security settings have always been the lowest possible, and whenever they change settings, they get reverted to the lowest possible, not to mention that only in the last year have they actually started to bother adding some real security settings at all....
F is for Facebook ...
The amount of personal information people put in Facebook about themselves AND OTHERS boggles the mind. This information is a treasure trove for skip tracers, police and potential employers.
Such people can be described as fools.
"You won't get it!"
It all depends on what info is put on Facebook and what the level of access has been set to.
Plus, most people seem to have some really odd pictures as profile pics.
Then there are those with (against Facebook's T&C) more than one account where everything is fictitious.
I guess it's just the difference between someone scraping the publicly accessible side of Facebook and someone else getting in the backdoor of a bank or insurance company. I know which I feel safer with.
I'm going to create a Facebook page about this right now!
I've set my facebook page up to open because I really couldn't care less if people see my name and who I'm friends with.
I use it to upload photos and share with family and friends mainly and have it open so friends of friends etc can also view them.
I don't post anything up there that I wouldn't be happy with the world+dog seeing so no security issues are ever going to bother me short of someone getting access to my account and sending friends/family obscene emails or spam =p.
I register a SPAM email address, fake address, no phone number, no problem.
That's Probably THE Best Solution
But there's a whole planet full of people who simply don't understand the only security that counts is that which is between your ears and within your skull. For them, taking care of security is somebody else's task and is thereby never what it needs to be. Not that it ever will be.
Sheep were made to be fleeced, there's a sucker born every minute and if you're going to be dumb, you better be tough.
If you get the thrust of the article...
Mine's the trenchcoat, I'm going in deep, deep, deep undercover.
I was that in high school ...
... and college and it had nothing to do with any computer program. But it did deal with "hard" ware.
Paris because Paris has already dealt with hardware and is certified.
Whoopee, he can use google
Surprised he didn't publish 'the details of a billion websites'
Spending 5 minutes writing a script to google facebook accounts = lots of publicity. Nice little earner too once the tabloids come around waving their chequebooks.
I am a tiny bit more famous now!
Nothing on my FB site I care about having exposed - I always assumed the security was crap and always would be and behaved accordingly.
Then again, I don't even assume what is on my home box behind a NAT and two firewalls is 'safe'. ....well, while it is on the encrypted external drive and said drive is unplugged, I tentatively make the assumption of reasonable content security.
Facebook bashing is getting old
If this guy's a "certified penetration tester" where has his work ethics gone when he makes all of this available via bittorrent?????? Why didn't he just let them know?
Sounds very dodge to me!!
Nawww, Not Really
Like old bubble gum ... just add a bit of spit and you can chew all over again.
...no-one hears about it. No point being a penetration tester if no-one knows you do it. This is how to get your story more exposure - instead of 3 people reading about it, a few million. I'm not saying it's right, ethical or whatever. I am saying it's exactly what I'd have done.
Seriously, who cares? The answer is easy - don't put anything on your Facebook pages that you don't want on your Facebook pages. The whole point of Facebook is that it's for sharing. If you want to keep things private you don't put it on the internet anywhere let alone a site that's specifically designed to share data with many people.
I'm bored with the whole Facebook-privacy thing.
Can't we just leave the following advice as a sticky on the Reg frontpage and not bother with any more Facebook stories?
"Facebook is a web site. Your data might be visible to people you didn't intend. If you're that concerned about data security and privacy, don't join Facebook. If you want to join anyway, only put things on there you'd be happy for anyone to see. Otherwise, keep calm and carry on."
"certified penetration tester"??? Now that's something to have on your business card.
"You can't do it" doesn't cut much ice, really. After all, those with naughtiness on their mind aren't going to look at the Ts & Cs and quake in their boots, are they?
Someone create a better alternative that people will move to, and I hope it doesn't turn out to be a Betamax vs. VHS
I am sure that's already happened though.
Obvious experts state obvious is obvious
And still people don't get it.
Once information is made public, it's Out There. That's nothing specifically to do with the internet, though it'll rub your face in it if you try and make things unpublic again ("Streisand effect").
It is also why privacy protection is important, and why "we'll store your data first and maybe perhaps remove it later" is not an acceptable answer from, oh, companies (nokia), the government (preventive storing on dna databases, fingerprinting 6yo children, others) or whoever else. Plenty of people don't get that, including people in government, corporations, or generally supposedly IT savvy readers of el reg.
Really, the only way to protect privacy in any meaningful way is to stop requiring full identity at the drop of a hat. Instead we'll have to find ways to reduce the information that needs handing over to the absolute minimum. If disposable credit cards aren't enough, well, maybe we'll have to come up with disposable "identity proofs". Yes, most people won't get that either, at first. They'll have to get their heads around it later or sooner. They'd better.
The ICO will not consider a name, photograph, unique URL, and list of friends to be in any way, personally identifiable information.
Facebook strictly forbids the scraping of its content
you missed out the '... bitch'
Certified Penetration Tester
Sounds like fun work, where do I sign up.... Paris because, well...
What a lame script kiddie.
So if I am on that site...
...they'll have my name, a graphic of Haruhi Suzumiya, and a disposable Yahoo email address.
Wait, what... you think I'd give my address...? To Facebook? Nyahahahaha! HELL NO.
Reminds me of when I worked for a marketing company. They had a service they used to offer where they would "append" brick and mortar address details to any email address. The idea is they would capture your email address when you signed up for an email newsletter, then would be able to send you things through the post/get your home phone number etc. Unethical and probably illegal too I know.
I put in some of my email addresses that I've used over the years to see what got appended. The results were pretty funny. I hope to god that some marketing company somewhere really has tried to send some crap to the fake addresses I made up!
Sadly, the service often did manage to find addresses for email addresses.
I left the company mainly because I couldn't live with the feeling that I was helping distribute the kind of crap I hate to receive myself. The company has since folded.
This is a complete joke. So he can google and brute force? I think he needs a friendly DoS from anon to remind him that he is a pathetic little c**t.
What's that? skullsecurity.org is down? I wonder.
Fine by me
All the shit on my farcebook page is intentionally made searchable, to obfuscate anything that might be important further down the rankings.