so you know when you say a thing, then someone calls you out for something, but they themselves are guilty of exactly what they are calling you out for?

yeah.

I'm spending the entire day today finding every single issue ever reported with fb messenger and how it's not private.
for you, @merket.

because you are the straw that broke the camel's back on this particular logical fallacy train.
so first, let's go back in time to when everyone started noticing "holy shit, my privacy settings 'just changed without notice'". this happened quite a lot. This was years ago, before Cambridge Analytica.

medium.com/@matthewkeys/a…

I remember having to go manually update them often
Helpful posts like this one: postplanner.com/check-your-fac…

and others made by infosec folks on twitter would happen once every several months, telling people "fb did it again, we gotta go back and change shit back".

saying "users had to opt in" is bullshit. history says so clearly.
the whole concept that "oh but users had to opt in, look at these buttons" is myopic and ignorant. there is a very clearly documented history of "facebook simply changing shit every once in a while", and people had to scramble to go change shit back. That happened. with proof.
newsweek.com/messenger-priv…

private chats are "scanned".
say what you will about the intention here, but every single SRE in the back there (yes I see you too) is going BUT LOGS! ALL THOSE LOGS GO TO A HADOOP CLUSTER.

why yes. yes they do. and they're usually plaintext.
so this becomes the same argument that the NSA has for "but but we're not actually wiretapping because it doesn't legally count as wiretapping if nobody is reviewing it! it's just 'collection' and that's how we're skirting the law".

yeah, that's not better.
everything generates logs. sometimes those logs have passwords in them (hi twitter). sometimes they have other things.

ask me about the redis research I was doing back in 2012 when I found THOUSANDS of open redis nodes on the internet, several with fb auth cookies.
</logging tangent>
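The point of the logging tangent (request logs get shipped to a central store in plaintext, and they carry passwords, auth cookies and bearer tokens along with everything else) is one a practitioner can actually do something about. What follows is an added example, not code from the thread's author or from any of the companies mentioned: a small scrubber that runs on each log line before it leaves the host and redacts values for a fixed set of sensitive header and parameter names. The log lines are constructed for the example, the key names are an assumption (extend `SENSITIVE_PARAMS` and `SENSITIVE_HEADERS` to match your own stack), and the cookie names in the sample line are only there to show what an auth cookie looks like when it lands in a log.

```python
import re
from typing import List, Tuple

# Parameter names (query strings, form bodies, JSON fields) whose values must
# never reach a central log store in the clear. Assumed set; extend as needed.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "refresh_token", "api_key", "sessionid", "session_id"}
# HTTP headers whose whole value is a credential.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-auth-token"}

REDACTED = "[REDACTED]"


def _alternation(names) -> str:
    # Build a regex alternation of escaped names, longest first so that a
    # name which is a prefix of another (token / access_token) never wins early.
    return "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))


# "Header-Name: value" where the value runs until a double quote or end of line.
# The lookbehind stops "Cookie" inside "Set-Cookie" (or inside a timestamp)
# from matching on its own.
_HEADER = re.compile(
    r'(?P<pre>(?<![\w.\-])(?P<key>' + _alternation(SENSITIVE_HEADERS) +
    r')\s*:\s*)(?P<val>[^"\n]+)',
    re.IGNORECASE,
)

# key=value, key: value and "key": "value"; the value stops at the usual
# delimiters for query strings, cookie strings and JSON.
_PARAM = re.compile(
    r'(?P<pre>(?<![\w.\-])(?P<key>' + _alternation(SENSITIVE_PARAMS) +
    r')"?\s*[=:]\s*"?)(?P<val>[^"&;,\s}]+)',
    re.IGNORECASE,
)


def find_secrets(line: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs of credentials found in a raw log line.

    Useful for auditing what is already in a log store; headers are reported
    before parameters, each in order of appearance.
    """
    hits = [(m.group("key"), m.group("val")) for m in _HEADER.finditer(line)]
    hits += [(m.group("key"), m.group("val")) for m in _PARAM.finditer(line)]
    return hits


def redact(line: str) -> str:
    """Replace every sensitive header or parameter value with REDACTED.

    Headers go first: once "Cookie: ..." is collapsed, the individual cookie
    values inside it cannot leak through the parameter pass.
    """
    line = _HEADER.sub(lambda m: m.group("pre") + REDACTED, line)
    return _PARAM.sub(lambda m: m.group("pre") + REDACTED, line)


def scrub(lines: List[str]) -> List[str]:
    """Scrub a batch of lines, e.g. right before handing them to a shipper."""
    return [redact(l) for l in lines]


# Constructed sample lines in the shape of an application/access log.
LOG_LINES = [
    '2018-05-03T10:22:01Z INFO auth: login ok user=alice',
    '2018-05-03T10:22:05Z DEBUG POST /login body=user=bob&password=hunter2&remember=1',
    '2018-05-03T10:22:09Z DEBUG req headers="Cookie: c_user=100001; xs=12%3Aabc%3A2; datr=zz" path=/messages',
    '2018-05-03T10:22:12Z DEBUG req headers="Authorization: Bearer eyJhbGciOi.payload.sig" path=/api',
    '2018-05-03T10:22:15Z INFO webhook {"event": "login", "sessionid": "9f2c1d", "ip": "10.0.0.5"}',
]

if __name__ == "__main__":
    for raw in LOG_LINES:
        found = find_secrets(raw)
        if found:
            print("LEAK  ", [k for k, _ in found], "->", redact(raw))
        else:
            print("clean ", raw)
```

Two caveats worth stating plainly. This is a denylist on names, so a credential under a name you did not list (or one embedded in a free-text error message) still goes through; treat it as the last line of defence behind not logging request bodies and headers at all. And redaction at the shipper does nothing for the copies already sitting in the cluster, which is exactly the situation `find_secrets` is for.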

techcrunch.com/2018/09/27/yes…

then there was this. There's literally no way to paint this in a good light.
facebook asks you for your phone number, pressuring you into using 2fa "for security", then sells your phone number to advertisers.
so I don't expect that the folks there making these business decisions at the leadership level give a shit what "the peons" think. They want their monies and they don't have a problem lying to their users to get it.
cbsnews.com/video/facebook…

so at some point, fb starts pushing their messaging app. hard. like very hard. like you can't use messages in fb anymore, it forces you to install the app.
arstechnica.com/information-te…

and this is why.
having a separate app allows them a FUCKTON more attack surface on both platforms for straight up collection. forcing calls and texts to go through THEM so that they can read/scrape/analyze THOSE for more advertisers.
like, actually really just straight doing the NSA thing.
except to pull keywords out to sell to advertisers.

(honestly this is what people should have expected for not reading the EULA and just blindly agreeing to everything for the sake of convenience)
I mean, when people found out they were PISSED. and rightfully so.
so they sued: engadget.com/2018/03/28/fac…
makeuseof.com/tag/facebook-m…

this is a pretty decent list
this seemed like a pretty big deal at the time (again, before Cambridge Analytica)
bgr.com/2016/06/30/fac…

"security researcher was able to fetch links out of private chats"

WELP.

RYAN.
YOU TELL ME, RYAN.
Then there was this: "how to tell messenger to LITERALLY NOT FUCKING EAVESDROP ON YOU"

qz.com/697923/heres-h…

settings, that again, facebook has a history of "auto opting you in for", this time involving just straight up turning on your mic. and listening to you.
Ryan. I'd love for you to explain to me how my original tweet here was jumping on a bandwagon by saying fb messenger isn't private.

Please. Explain it to me slowly. I want you to extract as much joy as you can by being condescending to me.

Tell me how turning on the mic is ok
I should add, on a slight tangent, that this isn't meant as a reflection on people who work at facebook in engineering or security roles. I have LOTS of friends there who are REALLY SHARP people, and who are well intentioned. They aren't the guilty ones here.
The leadership folks at facebook are the ones saying shit like "oh man, we should JUST TURN ON THE MIC. right? that would be dope".

Those people. They're ostensibly "the problem".

it is possible to condemn some people in an org and not others who had no say.
if we're lucky, we'll start seeing the same sort of behavior from fb folks like we did at google recently when there were people doing walkouts and risking their jobs by fighting google regarding their recent china related shenanigans. but time will tell.
(historically, we have not been "lucky" on this topic).

That being the case, from a security and privacy standpoint, the safest, easiest thing to do is "just uninstall the apps from your phone".

but i mean, we could continue to argue about it, right Ryan?
perhaps, Ryan, may I posit a hypothesis?

perhaps you're upset with me (and, laughably, not the journos who wrote the articles?) because I'm shitting on your baby? You worked on this platform and you took my tweet personally, ignoring the security implications?
don't get me wrong. I worked at twitter for a year on their security team. And I can totally see how working for a place that does cool things and seeing someone fling shit at it doesn't feel good. I totally feel you on that one.
so it's only 11am pst, and there's a lot more day left.
I'll put this on pause for now, and come back later. I'd like to spend some time scouting for some very choice findings, since the ones I've presented thus far you have dismissed as bogus.
Oh.

I guess he wasn't actually interested in further curated evidence.
Subscribe to Dan Tentler