
Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency - dsr12
https://www.wired.com/story/facebook-mandatory-malware-scan
======
danso
I saw the screenshot of the FB anti-malware message being tweeted about and
thought for sure it was a malware/phishing scam, so I was surprised to read
that it is an official FB feature (admittedly I haven't been using FB much
lately).

That the feature couldn't detect the user's OS (had her download a Windows
binary even though she was on a Mac) doesn't lend much confidence though

~~~
mind-blight
I thought the same thing. That's really bad. It's going to train users to be
more susceptible to phishing attacks. I can't tell my grandmother that any
site that tells her to install software is a scam, because Facebook just made
this a legitimate user workflow

~~~
wmeredith
> I can't tell my grandmother that any site that tells her to install software
> is a scam

I mean, you still can :)

------
CryoLogic
Have you seen their VPN yet? Offers you "more secure facebook" while facebook
tracks every site you visit instead of just facebook.

~~~
LambdaComplex
I figured this would be satire. It's not satire.
[https://techcrunch.com/2018/02/12/facebook-starts-pushing-
it...](https://techcrunch.com/2018/02/12/facebook-starts-pushing-its-data-
tracking-onavo-vpn-within-its-main-mobile-app/)

------
dictum
"Facebook's Mandatory Anti-Malware Scan" is something I expected to read only
by 2026 or so, as the company, falling to hard times, would resort to dotcom
bubble-era techniques.

------
giancarlostoro
I guess it's russian roulette for how long till I permanently quit Facebook
then.

~~~
qume
Personally quite shocked that anyone in this community would endorse FBs
behaviour in general by being users.

A closed version of the internet controlled by a corporation? We should be
yelling from the rooftops not nitpicking things like this story

~~~
giancarlostoro
I keep it for family. It does allow me to connect with relatives I otherwise
wouldn't hear from. However, I've deleted my Facebook before (for over a year
even), and I'm waiting for a good time to wipe mine officially. I'll lose
touch with a lot of relatives is the downside. Facebook makes it almost
effortless to communicate with family.

------
Jeff_Brown
That scan is a .exe file, so it won't run on Linux. When I try to log in using
Chrome on Linux, they ask me to run it; I can't, so I can't log in.

Happily, so far, they don't ask from Firefox.

------
snvzz
I lack context. Can some Facebook user describe what this is about for non-
facebook users?

~~~
dragonwriter
The article fully explains it; using Facebook doesn't really provide any
additional insight. Facebook has decided to lock people out of accounts if
their undisclosed mechanisms of detecting a potentially compromised client
machine is tripped, and will continue to lock them out until they run a
Facebook supplied (but apparently sourced from one or more of a shifting set
of partners) malware scanning application is installed on the users machine
and run, with all the intrusive level of access that antivirus type of
applications tend to have.

~~~
snvzz
Training users to download and run dodgy antiviruses when some website says
you're infected. What could possibly go wrong.

------
joelrunyon
What's the best way to leave facebook while still retaining access to their
advertising tools?

I have no desire to personally be on FB anymore, but I would like to maintain
the pages + ads for business purposes.

~~~
nichodges
I have an account with no friends and that is an admin of one page, which I
buy ads for. It’s not my real name, but obviously has my real CC info in
there.

Interestingly, a friend showed me his contact list entry for me (I believe
created through a 3rd party OSX app), and in the Facebook field it had the
name used on the admin/ads account I have. Given I don’t use my real email
address on the Facebook account I am amazed (but not particularly surprised)
that the connection was made.

~~~
enzanki_ars
Might have tied it via your phone number.

------
kernelPan1c
How could Facebook detect an infected machine?

> A Facebook spokesperson said Charity may have been asked to download the
> wrong software because some malware can spoof what kind of computer a person
> is running

Just changed the user agent?

~~~
monochromatic
Maybe detect browser extensions that malware might drop? Other than that, no
idea.

------
kingkoronov
This is a new low. They have no shame.

------
gruez
1\. create (or download) a fresh windows VM

2\. run the malware scan

3\. everything shows up as clean

4\. ???

not defending facebook or anything, but that seems relatively easy to bypass.

~~~
monochromatic
Yeah, totally. I’ll just tell my grandma who uses Facebook to look at family
pictures that she just needs to spin up a new VM if she gets locked out.

~~~
spiorf
You will be the one spinning VMs to unlock facebook for your whole family.

------
larrik
I didn't realize Facebook did this. I feel like the spirit of the idea is from
a good place, though, even its the implementation and messaging have flaws.
The article has a bit of a "it's evil" slant that I'm not entirely sure I
agree with.

That said, I'm on Linux, so it would be pretty tricky for me to fix this issue
if it happened to me.

~~~
Bartweiss
The one part that struck me as genuinely evil is refusing to offer a guarantee
about the data use.

I realize internet companies all always hate offering info about data use,
much less binding agreements. But "let us and a third party touch and modify
every single byte on your machine to use our product" is a gigantic ask, and
deserves at least some good-faith effort to keep the results walled off from
everything except security initiatives.

Beyond that, the intent seems fine. I still think it's hubris, though -
Facebook is ostensibly just a website, and attempting to remotely diagnose and
treat malware is something they ought to acknowledge they're not going to do
well.

~~~
rwmj
Well that's easy: They guarantee they will store and use all the data forever,
and they guarantee they will lie to both you and the authorities about what
they have used it for and whether it has been deleted.

~~~
Bartweiss
Ok, fair point. A data-use guarantee would only reassure me if I didn't expect
outright lying, and that's more faith than I have at the moment.

