I came here for news
Not reprinting of the moronic rantings of a shameless self-publicist. It really doesn't take much effort in computer security to come up with the dumbest story known to man and get big in the mainstream press does it?
Underscoring the permanence of data published on the internet, a security researcher has compiled the names and URLs of more than 100 million Facebook users and made them available as a BitTorrent download. Ron Bowles, who describes himself as a certified penetration tester, said he used some hastily written code to harvest …
*shrug* For the life of me I can't see the interest of this story. It puzzled me when it hit the big media. Exgirlfriends, colleagues, bosses, neighbours and mostly everybody have been stalked this way via google->facebook since the dawn of time.
And you guys are putting this on "Top stories"?
The only point that's marginally interesting about this is the "Internet is forever" thing. Which, sadly, is far from the truth. I browse the web archive more than I would like, and many thigs aren't there anymore.
Wow there's some serious harrumphing going on here.
Do you not think the scale of this at all news worthy?
OK, so they've basically just automated a process that could be done manually. Except that they've then used it to mine data from 100 million people.
Also, having not heard of this through the mainstream media, this seemed to be a well written, un-biased, informative piece on something that is certainly IT related.
Well done El Reg.
Boo angry people.
Whilst i have all of my security settings set to private and dont allow anyone but friends to view my stuff and dont post moronic messages etc, im still interested to see just how much stuff this trawl picked up. I'll probably download this tonight and do a search for my name to make sure that the level of privacy i THINK i have is the same as the level of privacy i ACTUALLY have.
I will probably also search for members of my family (who arent the most tech saavy of individuals) so i can show them exactly how much theyre making available online and get them to improve their security and start taking this seriously.
Yes its a non-story for anyone who is the remotest bit tech-saavy, if this story makes those for whom a breadboard is the thing in the kitchen you slice your loaf on, a tiny bit more aware of their privacy (or lack thereof) on thie internet this can only be a good thing...
Facebook != Privacy
Which is why my Facebook privacy measures are 100% secure as I don't have a Facebook account!
I've never bought into the whole Facebook culture fad. I use "old fashioned" forms of communications like email, IM, phones, letters, talking to people etc... They all do the job without having to leak so much about myself to the Facebook company and that is the real privacy issue. Because even when you are using Facebook privacy settings to the max, Facebook are still able to access and exploit your data and they do exploit it and they are not the only ones with access to Facebook data.
(Anyone who doesn't believe the kind of privacy issues Facebook presents, just try this as an experiment. If you live in the UK, and are on facebook then just for a laugh add binladin as a friend so you can tell all your friends you have finally found him, when no one else could. Think its just a joke, yeah right, then wait for the interesting worrying phone call that most definitely isn't from a marketing company. The question this raises is how does state security associate facebook to your phone number and directly to you? They clearly can because I now know for a fact this happens as its happened to someone I know. State security has no sense of humour, to them its not a joke because to them, that friend link is a honey pot trap to try to identify potential sympathizers. I think its profoundly ignorant in the extreme, but there you go, that’s the kind of twisted stupid games they are increasingly playing to identify people. So it shows the state is profiling Facebook all the time and they are increasingly trying to link people together and they have ever more reasons to try to link like minded people together. So even if you have never done anything wrong then just through association you can move higher up their watch list. Score enough points (even if they are false positives) and you win the coveted Domestic Extremist award which entitles you to have your liberty withheld whenever the state chooses while they rummage through your car, your house, your life, what ever they want. Evil Domestic Extremists like 2 million UK RSPB bird watching members, environmental protesters and airport expansion (destroying their homes) protesters. You know, the kind of people the police want to watch if they are going anywhere near potentially large protest meetings.
That’s just a glimpse of the insanely stupid ways Facebook data is being increasingly being exploited by the state. So behind the facade of a Facebook cultural fad, its getting very Orwellian very fast.
Which is why I said Facebook != Privacy … and that's just a glimpse of where we are at now!
I see you haven't heard of the Internet Archive and similar projects.
When I search for the site running on my lab's computer I get:
"We're sorry, access to http://xxxxxxxxxxxxxxxxxx has been blocked by the site owner via robots.txt."
And no, my site's URL is not xxxxxxxxxxxxxxxx.
Or go here to see El Reg in 1998 (instead of annoying Flash you get annoying animated GIFs, yay):
Do you *REALLY* think that Yahoo! doesn't still have access to all that data?
If you provide details to multi-billion-dollar multi-national corporations, you'll never be able to sweep the cats through the barn door into the worm can again ...
Now ask me why I don't use BingMyGooFaceYouTwit! & the like ...
 "tin", to you Brits.
Despite abandoning it years ago, I found my old Geocities now being hosted at oocities.com so they may not be all gone.
As for this story, this is such a non-event story. The files told me that they had found a couple of thousand people who had the same name as me, and didn't find the link to my url. And so what if they did, it's not as if it's not available from Google anyway.
Well, yes actually, this is Facebook and Zuckerburger's problem, in that the default security settings have always been the lowest possible, and whenever they change settings, they get reverted to the lowest possible, not to mention that only in the last year have they actually started to bother adding some real security settings at all....
"You won't get it!"
It all depends on what info is put on Facebook and what the level of access has been set to.
Plus, most people seem to have some really odd pictures as profile pics.
Then there are those with (against Facebook's T&C) more than one account where everything is fictitious.
I guess it's just the difference between someone scraping the publicly accessable side of Facebook and someone else getting in the backdoor of a bank or insurance company. I know which I feel safer with.
I've set my facebook page up to open because I really couldn't care less if people see my name and who I'm friends with.
I use it to upload photos and share with family and friends mainly and have it open so friends of friends etc can also view them.
I don't post anything up there that I wouldn't be happy with the world+dog seeing so no security issues are ever going to bother me short of someone getting access to my account and sending friends/familly obscene emails or spam =p.
I register a SPAM email address, fake address, no phone number, no problem.
But there's a whole planet full of people who simply don't understand the only security that counts is that which is between your ears and within your skull. For them, taking care of security is somebody elses task and is thereby never what it needs to be. Not that it ever will be.
Sheep were made to be fleeced, there's a sucker born every minute and if you're going to be dumb, you better be tough.
I am a tiny bit more famous now!
Nothing on my FB site I care about having exposed - I always assumed the security was crap and always would be and behaved accordingly.
Then again, I don't even assume what is on my home box behind a NAT and two firewalls is 'safe'. ....well, while it is on the encrypted external drive and said drive is unplugged, I tentatively make the assumption of reasonable content security.
...no-one hears about it. No point being a penetration tester if no-one knows you do it. This is how to get your story more exposure - instead of 3 people reading about it, a few million. I'm not saying it's right, ethical or whatever. I am saying it's exactly what I'd have done.
Seriously, who cares? The answer is easy - don't put anything on your Facebook pages that you don't want on your Facebook pages. The whole point of Facebook is that it's for sharing. If you want to keep things private you don't put it on the internet anywhere let alone a site that's specifically designed to share data with many people.
I'm bored with the whole Facebook-privacy thing.
Can't we just leave the following advice as a sticky on the Reg frontpage and not bother with any more Facebook stories?
"Facebook is a web site. Your data might be visible to people you didn't intend. If you're that concerned about data security and privacy, don't join Facebook. If you want to join anyway, only put things on there you'd be happy for anyone to see. Otherwise, keep calm and carry on."
And still people don't get it.
Once information is made public, it's Out There. That's nothing specifically to do with the internet, though it'll rub your face in it if you try and make things unpublic again ("Streisand effect").
It is also why privacy protection is important, and why "we'll store your data first and maybe perhaps remove it later" is not an acceptable answer from, oh, companies (nokia), the government (preventive storing on dna databases, fingerprinting 6yo children, others) or whoever else. Plenty of people don't get that, including people in government, corporations, or generally supposedly IT savvy readers of el reg.
Really, the only way to protect privacy in any meaningful way is to stop requiring full identity at the drop of a hat. Instead we'll have to find ways to reduce the information that needs handing over to the absolute minimum. If disposable credit cards aren't enough, well, maybe we'll have to come up with disposable "identity proofs". Yes, most people won't get that either, at first. They'll have to get their heads around it later or sooner. They'd better.
Reminds me of when I worked for a marketing company. They had a service they used to offer where they would "append" brick and mortar address details to any email address. The idea is they would capture your email address when you signed up for an email newsletter, then would be able to send you things though the post/get your home phone number etc. Un-ethical and probably illegal too I know.
I put in some of my email addresses that I've used over the years to see what got appended. The results where pretty funny. I hope to god that some marketing company somewhere really has tried to send some crap to the fake addresses I made up!
Sadly, the service often did manage to find addresses for email addresses.
I left the company mainly because I couldn't live the the feeling that I was helping distribute the kind of crap I hate to receive myself. The company has since folded.
It really is about time that self-described security researchers like this get taught that it isn't funny, and it isn't clever, to abuse a security hole as a way to publicise it.. This guy is no better than the tw@ts who write viruses, and he deserves the same treatment.
As one of the few people (it seems) that doesn't have a facebook account this doesn't impact me directly, but there are no doubt many ordinary users who, through inexperience or naivete, will get hurt by this, for no good reason.
"The list also includes the unique web address to each account, meaning the pages will be accessible even if the users later configure their accounts to be private"
In other words, the URL and viewability of your pages doesn't change when you change the privacy settings, only the existence of links to them. So, those pages are effectively public for ever. It's probably a Facebook bug, as it should be confirming your login status for every page, and gating content accordingly.
@"a**hole" ac: he didn't exploit a security hole! Facebook is wide open and publicly accessible. That's the whole point. If someone has their profile private, presumably there's no info on you in the torrent.
What's the consequence for violating the T & Cs? I suppose facebook could cancel his account.
Biting the hand that feeds IT © 1998–2019