Privacy Thread

Cain · October 13, 2011, 05:33:26 PM

More on Facebook

http://www.readersupportednews.org/news-section2/317-65/7854-facebook-can-track-web-browsing-without-cookies

QuoteThe Electronic Frontier Foundation cites a September 25th, 2011 blog post by hacker and writer Nik Cubrilovic that proved Facebook's session cookie was not being deleted upon log-out. Facebook responded with a "fix-it," but it raises serious concerns about whether one can effectively log-out of Facebook and whether or not Facebook can track users without the benefit of cookies.

According to Cubrilovic, he waited for a year to hear from Facebook on this privacy issue that he discovered, emailing them and reaching multiple dead-ends.

Two days later, on September 27th, Cubrilovic noted, "In summary, Facebook has made changes to the logout process and they have explained each part of the process and the cookies that the site uses in detail ... They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc."

EFF, however, is unequivocal in stating, "Facebook can track web browsing history without cookies."

"Facebook is able to collect data about your browser – including your IP address and a range of facts about your browser – without ever installing a cookie. They can use this data to build a record of every time you load a page with embedded Facebook content," added the EFF.

This ability to track users outside of Facebook is particularly troubling.

EFF states, "It's clear that Facebook does extensive cross-domain tracking, with two types of cookies and even without. With this data, Facebook could create a detailed portrait of how you use the Internet: what sites you visit, how frequently you load them, what time of day you like to access them. This could point to more than your shopping habits – it could provide a candid window into health concerns, political interests, reading habits, sexual preferences, religious affiliations, and much more."

That Facebook keeps this data on file for 90 days (before it's discarded or made anonymous) is a legitimate privacy concern and it could certainly be useful in the event U.S. intelligence services desires to build a profile of a particular user's web browsing.

Mesozoic Mister Nigel · October 13, 2011, 05:57:04 PM

Creepy.

Triple Zero · October 13, 2011, 07:19:55 PM

IMO, it sounds a little bit FUD-y.

The cookie-less tracking method from EFF is http://panopticlick.eff.org which has been linked before. I'm a liiiiiitlebit suspicious about that thing, because it always tells me my browser is unique. But then, maybe it is, I'm running Opera on Ubuntu Netbook, which is not very common at all, and who knows what settings I've changed that really makes it unique.

Anyway, as you try out Panopticlick (you can trust the EFF), you'll notice it's hardly unobtrusive. At least, it slowed down my computer for a bit while it was profiling me.

So, while Facebook (as well as any other big advertising network, such as, say, Google Ads) technically has the capability to do this, I really strongly doubt they're actually doing it right now. There's no evidence to suggest it. And to be quite frank, there's not really any conclusive evidence that Facebook tracked people via "Like" after they logged out. Just that it would have been really really easy for them to do so, because of the user-ID cookie sticking around. Implementing a sort of Panopticlick-like tracking/ID mechanism is quite a lot more effort.

And one thing that really doesn't make sense is, see the not-quite-logging-out cookie problem really was Facebook's fault. But Panopticlick is EFF's invention, a proof of concept to show that it can technically be done. So in all fairness, it's kind of a stretch to pin this on Facebook, just because they technically *could* use that technique (as could anybody else).

So in reality this is a far bigger problem, namely every ad network, pagecounter network, analytics network or whatever that loads cross-domain javascript or iframes is capable of tracking users via a Panopticlick-like technique.

Well okay, except that with Facebook there is always the added danger that in addition they do always have the ability to link it to your Facebook Profile. That does make it extra bad.

On the other other hand, fuck Facebook. Fuck them right in their Googly ears. Google feces-fuckface book smash their sockets in. So yeah, I do in fact believe they are in the habit of abducting young children to implant chips in their butt-cheeks. And they track your browser, too. Fuck those facefuckers. Spread the message. Tell your friends. Please RT!

Luna · October 15, 2011, 02:41:37 AM

http://www.zdnet.com/blog/facebook/facebook-releasing-your-personal-data-reveals-our-trade-secrets/4552

Worth reading, any snip I'd make would leave out a lot.

Triple Zero · October 15, 2011, 08:58:49 AM

Quote from: Luna on October 15, 2011, 02:41:37 AM
http://www.zdnet.com/blog/facebook/facebook-releasing-your-personal-data-reveals-our-trade-secrets/4552

Worth reading, any snip I'd make would leave out a lot.

That is VERY interesting, thanks for the link!

Also I just deleted my Facebook profile. I'll just make a new one if needed. Or two. It's not like finding all those friends and acquaintances is made hard for you or anything.

Funny how it "feels" doing that, even if I hardly ever used it or just logged on for the first time in months, today. "Will they think I'm dead?"

Triple Zero · October 19, 2011, 05:13:54 PM

It's ON, FACEBITCHES

http://www.identityblog.com/?p=1201

axod · October 20, 2011, 12:12:03 AM

Quote from: Triple Zero on October 04, 2011, 01:21:16 PM
Dude, what are you talking about? Tor hides nothing but your IP address ... badly.

Granted. But if tor is not sufficient for switching (hiding) IP's, is it that you trace the IP back to origin with statistical analysis? That would be hard to prove beyond a reasonable doubt: to identify a user as being connected to tor is not the same as identifying a particular tor user? Which is good enough for evading sated fb tracking concerns?

Triple Zero · October 20, 2011, 03:10:12 PM

Quote from: axod on October 20, 2011, 12:12:03 AM
Quote from: Triple Zero on October 04, 2011, 01:21:16 PM
Dude, what are you talking about? Tor hides nothing but your IP address ... badly.

Granted. But if tor is not sufficient for switching (hiding) IP's, is it that you trace the IP back to origin with statistical analysis?

Amongst other things.

There's also the problem that there are only a rather small number of Tor Exit Nodes, and you can bet that a rather large percentage of them are actually operated by all sorts of secret gov agencies. Why wouldn't they.

People of the general populace don't really like to set up a Tor Exit Node, because those are the unencrypted outlets of the Tor network so there's a good chance you'd be emitting kiddie pron or other ugly stuff.

Now technically, the Tor network is designed to even protect you against statistical analysis by DPI at the border, MITM or just analysis at the exit nodes.

But if you surf on your Facebook profile, well your IP might be all hidden and stuff, but the profile shows exactly who you are anyway, so that's why Tor is just the wrong tool for such a job. It's like wearing a fake moustache to prevent your voice from being recognized on the phone.

QuoteThat would be hard to prove beyond a reasonable doubt: to identify a user as being connected to tor is not the same as identifying a particular tor user?

I'm not really sure what you mean here?

"Beyond a reasonable doubt" sounds like you expect to be up against a court of law or something? In that case you're dealing with a whole different type of risk scenario. If you want to do something criminal, it's best to build a powerful cantenna from a Pringles tube, boot BackTrack Linux from a USB stick on an otherwise innocent laptop, use the cantenna to hack into a far away wifi network and then make sure that there's no evidence what you did on that laptop when you're done. Also, hide the USB stick and the cantenna.

QuoteWhich is good enough for evading sated fb tracking concerns?

Facebook doesn't really care about your IP, because they got something better, your Facebook profile.

I bet they don't even use your IP for anything except just for logging, in case somebody hacks something.

So Facebook doesn't care whether you use Tor or not, they know exactly where your friends live, regardless.

Clearing out your cookies helps somewhat, as I explained a few pages back.

Triple Zero · October 20, 2011, 08:50:18 PM

Security Flaw Links BitTorrent Users to Skype Accounts

In short: Skype has a security flaw that allows attackers to sort of "ping" Skype users and obtain their IP address. Cross-correlate this IP with the public data queried from DHTs¹ in BitTorrent swarms, and you get a connection of what Skype Accounts share what torrents.

Skype doesn't seem to care very much about this flaw.

I think it's an odd security flaw as well. Because it's neither specific to Skype, nor to BitTorrent. Just data leakage.

Another point is that they fear scammers will start calling Skype accounts and blackmailing them.

¹ Distributed Hash Tables, a relatively new (2005) BitTorrent feature that allows torrent clients to know what IPs are sharing what data, without the need for a centralized tracker, the upshot is that it gets you more peers. Without DHTs, the attacker would have to query many separate public BitTorrent trackers to get the same data, slightly but not much more effort.

Rumckle · October 27, 2011, 02:57:54 AM

Quote from: Triple Zero on September 25, 2011, 09:24:36 PM
Heyyyyy European folks, check this out:

http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html

Apparently EU law says you're entitled to request ALL data FB has been tracking about you

http://www.smh.com.au/technology/technology-news/maxs-privacy-war-brings-facebook-to-heel-20111027-1mksg.html

Apparently this guy asked FB for his information, and he received over 1200 pages

Triple Zero · October 29, 2011, 06:46:49 PM

Ooohh this is bad ...

http://code.google.com/p/fbpwn/

QuoteUsage

A typical hacking scenario starts with gathering information from a user's FB profile. The plugins are just a series of normal operations on FB, automated to increase the chance of you getting the info.

Typically, first you create a new blank account for the purpose of the test. Then, the friending plugin works first, by adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victims friends. The cloning plugin clones only the display picture and the display name of the chosen friend of victim and set it to the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessable HTML pages (info, images, tags, ...etc) for offline examining.

After a a few minutes, probably the victim will unfriend the fake account after he/she figures out it's a fake, but probably it's too late!

Telarus · October 29, 2011, 10:45:08 PM

Quote from: Triple Zero on October 29, 2011, 06:46:49 PM
Ooohh this is bad ...

http://code.google.com/p/fbpwn/
QuoteUsage

A typical hacking scenario starts with gathering information from a user's FB profile. The plugins are just a series of normal operations on FB, automated to increase the chance of you getting the info.

Typically, first you create a new blank account for the purpose of the test. Then, the friending plugin works first, by adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victims friends. The cloning plugin clones only the display picture and the display name of the chosen friend of victim and set it to the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessable HTML pages (info, images, tags, ...etc) for offline examining.

After a a few minutes, probably the victim will unfriend the fake account after he/she figures out it's a fake, but probably it's too late!

Glad I got rid of my FB and am re-booting it into a professional portfolio.

Triple Zero · November 07, 2011, 12:18:42 PM

This is actually mighty awesome of Google, publishing data on government requests:

http://news.cnet.com/8301-1009_3-20125483-83/google-governments-seek-more-about-you-than-ever/

And indeed it would be sweet if Facebook and Microsoft followed suit, except for the bit where people would simply be all like "whut, why are you surprised?"

Also, the bit of unspoken cognitive dissonance here is how these companies, including Google, have no trouble collecting all this data for their advertisers, which is the reason why a lot of this data is kept in the first place, nor does any of these companies publish complete info on how much and what sort of data is actually used in this fashion (see also Facebook vs Europe).

Faust · November 07, 2011, 12:27:09 PM

"Ireland
Fewer than 10 removal requests
0% of removal requests fully or partially complied with"

BOOYA!

Faust · November 07, 2011, 12:29:06 PM

Also I love how china has only 150ish user data requests while the US has nearly 6000

Principia Discordia

News:

Privacy Thread

Cain

Mesozoic Mister Nigel

Triple Zero

Luna

Triple Zero

Triple Zero

axod

Triple Zero

Triple Zero

Rumckle

Triple Zero

Telarus

Triple Zero

Faust

Faust