Friday, July 30, 2010
26. public information is, uh... public?
by now you might have read a story about the recent activities of one ron bowes, a security consultant and former employee of symantec (if not, check it here). thanks to his handiwork there is now a torrent roaming the interwebs containing information on over 170 million facebook users. now, before you start to panic and check your account for hacks, understand that no private information was taken. the torrent file, which weighs in at slightly under 3gb, is nothing more than a consolidated list of the information that facebook users have already made public. how did he do this? all he had to do was write a crawler to scour the facebook directory, publicly available at http://www.facebook.com/directory/, which on its own is still kind of spooky to look at. no hacks. no cracks. technically not even a security breach.
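the flip side of that crawler is what the site operator could have seen: a small script, added here as an example (not part of the original post or bowes's tooling), that parses constructed web-server log lines and flags any client pulling many distinct pages under /directory/ within a short window. the log lines, ip addresses, and paths are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2010:10:00:01 +0000] "GET /directory/people/A-1.html HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jul/2010:10:00:02 +0000] "GET /directory/people/A-2.html HTTP/1.1" 200 5077
203.0.113.7 - - [30/Jul/2010:10:00:03 +0000] "GET /directory/people/A-3.html HTTP/1.1" 200 5201
203.0.113.7 - - [30/Jul/2010:10:00:04 +0000] "GET /directory/people/A-4.html HTTP/1.1" 200 4998
203.0.113.7 - - [30/Jul/2010:10:00:05 +0000] "GET /directory/people/A-5.html HTTP/1.1" 200 5133
198.51.100.2 - - [30/Jul/2010:10:00:07 +0000] "GET /directory/people/B-1.html HTTP/1.1" 200 5010
198.51.100.2 - - [30/Jul/2010:10:09:30 +0000] "GET /profile.php?id=1 HTTP/1.1" 200 8800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def find_directory_crawlers(log_text, prefix="/directory/",
                            window=timedelta(minutes=1), threshold=5):
    """Return {ip: count} for clients that fetched at least `threshold` distinct
    pages under `prefix` inside some `window`-long sliding interval."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].startswith(prefix):
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct directory pages fetched in the window opening at this event
            pages = {p for t, p in events[i:] if t - start <= window}
            best = max(best, len(pages))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

a real deployment would tune the window and threshold to normal browsing rates for the section and feed the result into rate limiting rather than just reporting it.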
so what was the motivation? back when bowes worked at symantec, he posted something on the symantec blog called attack of the facebook snatchers (which i highly suggest all of you read). this blog post was about data phishing, and went over the idea that privacy is an illusion, and that the illusion can cause people to be far more free with the information they share. the spirit of it was to enlighten users as to how public information can be used to exploit you. that's what he does. facebook, of course, was not a fan of the post. the torrent he recently created came in the same vein, and is, in my opinion, in that same spirit of awareness in the digital age, even though it started as a pool of test users for a security tool. in his own words (i'd link his blog at skull security but it seems to be down):
"Why do I bring this up? Well last week @FSLabsAdvisor wrote an interesting Tweet: it turns out, by heading to https://www.facebook.com/directory, you can get a list of every searchable user on all of Facebook!
My first idea was simple: spider the lists, generate first-initial-last-name (and similar) lists, then hand them over to @Ithilgore to use in Nmap's awesome new bruteforce tool he's working on, Ncrack.
But as I thought more about it, and talked to other people, I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook. Facebook helpfully informs you that "[a]nyone can opt out of appearing here by changing their Search privacy settings" -- but that doesn't help much anymore considering I already have them all (and you will too, when you download the torrent). Suckers!
Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)"
so what's the point here? as it always is with social networks, make sure you are the one who controls what others see. the problem in this particular story isn't the bad security man hacking your info, and it's not really big bad facebook failing to protect users; it's that your public info is, in fact, public, and therefore easily accessible. don't publicize anything that could remotely come back to bite you later. the fact that facebook has grown from the chosen social network of twenty-somethings into one used by teenagers makes this all the more important. facebook's response to this whole thing is that they offer a number of controls to allow users to take their name out of the directory and make their profiles unsearchable by engines like google or bing. this is too bad for people who fall into the "didn't know why" or "don't know how" category of users. even though this isn't really facebook's fault, they should go out of their way to make sure that users are fully aware of the privacy controls offered to them. facebook, as mr. bowes says, "has a special responsibility to go beyond doing the bare minimum."
on top of that, there are reports from gizmodo that large corporations and groups are downloading the torrent, authorized or not. this includes computing giants like apple and HP, as well as groups like the united nations and the church of scientology. i'm not sure how legit this is, but gizmodo's generally pretty good about that. i'm not really surprised - i mean, think about the statistical relevance of a sample size of 170 million. their marketing departments must be very happy.
at any rate, hopefully this whole thing will make people re-think the way they share information in the future.