

Protecting People On Facebook - dbloom
https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766

======
ghshephard
There is one specific step that everyone can take to eliminate approx 90-95%+
of drive-by zero-day exploits without really impacting your web browsing
habits that much:

Disable Plugins on your primary browser.

Whether that be Opera/Safari/IE/Firefox - just disable the plugins. Then, all
of these Java 0days, PDF 0days, Flash 0days won't impact you.

Keep a backup browser, that is _not_ your primary, and use that for your SSL
VPN (frequently Java), or crappy enterprise apps like timesheets and Remedy
(frequently Flash).

Yes, browsers have 0days as well, but they occur much less frequently
(approximately 1/10th) than plugin vulnerabilities, and get repaired much more
quickly.

For the really security conscious, of course, browsing from a
separated/virtualized thin-client is even better, particularly if you can live
with the hassle of refreshing your cookies every so often after a reset.

~~~
danso
This is good advice, but I'd amend it to say this:

For your Facebook-viewing browser, disable all plugins. For the most
part, you won't be viewing anything that can't be viewed without HTML5 and
JavaScript anyway. The added advantage to sequestering FB activity to a
browser is that you won't be tracked by sites that use FB widgets.

Another added advantage of putting FB in its own browser (YMMV) is that it's
easier to prevent impulsively checking FB in the middle of your normal work-
related internet browsing, as it requires opening a new browser to do so.

~~~
mahyarm
You start running out of browsers quickly, and separate browser users get
tedious fast. I really wish there was easy same-browser sandboxing that can
save cookies and so on. Double click the gmail icon, and gmail comes up in a
browser user devoted to just gmail, and shows up as a separate process and
separate app. All of the 'make a webpage an app' apps that I've tried still
share browser state amongst the main browser user.

~~~
jewel
This is easy to do with chrome. I have many different profiles, all of which
are completely separate. Just launch with the --user-data-dir argument:

    #!/bin/bash
    
    # A separate --user-data-dir means separate cookies, cache, extensions
    # and a separate browser process. --app= opens the URL in app mode
    # (no tabs, no URL bar).
    exec chromium-browser --user-data-dir=/home/jewel/.profiles/facebook --app=https://facebook.com

~~~
stephengillie
Does that both specify the custom profile location, and also launch the FB
app?

I'm looking at this, trying to think of how to do the equivalent in Windows.

~~~
jewel
It launches it in app mode (no tabs, no URL bar). I'm not sure if that's the
same thing as launching the FB app.

In windows you copy the chrome shortcut and then edit the shortcut to add the
command-line arguments. Then you add the shortcut to your launcher bar.

Alternatively, you could create a batch file for each site that you want to
isolate somewhere in PATH and launch it from the Start -> Run menu. In other
words, you'd press the start key, then type "facebook", then press enter.

(Please correct me if my instructions are incorrect, I haven't used windows
regularly for a long time.)

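The one-site script above, generalised into a launcher that any site name can be passed to, as an added example that is not part of the thread (it is not jewel's script or anything from Chromium). It assumes profiles live under `$HOME/.profiles`, that the binary is called `chromium-browser`, and that Chromium accepts `--disable-plugins` (an old switch; unknown switches are ignored by Chromium, so it is harmless if absent). Two details the thread does not show are added: the site name is validated so it cannot escape the profile root, and the profile directory is created owner-only so other local users cannot read the session cookies it will hold.

```shell
#!/bin/sh
# Added example: per-site isolated Chromium launcher.
# Usage: isolate-site.sh <site-name> <url>
# Each site gets its own --user-data-dir, so cookies, local storage, cache
# and extensions are not shared with the primary browser or other sites.

PROFILE_ROOT="${PROFILE_ROOT:-$HOME/.profiles}"   # assumption: profile location
BROWSER="${BROWSER:-chromium-browser}"            # assumption: binary name

# Reject names that could leave PROFILE_ROOT (slashes, "..") or that would
# be parsed as a switch (leading "-"). Deliberately strict.
valid_site_name() {
    case "$1" in
        ''|*/*|*..*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compose the argument list for a site, one argument per line, without
# launching anything; this is what launch_site passes to the browser.
build_args() {
    site="$1"; url="$2"
    valid_site_name "$site" || return 1
    printf '%s\n' \
        "--user-data-dir=$PROFILE_ROOT/$site" \
        "--disable-plugins" \
        "--app=$url"
}

launch_site() {
    site="$1"; url="$2"
    valid_site_name "$site" || { echo "bad site name: $site" >&2; return 1; }
    # Owner-only profile directory: it will hold session cookies.
    (umask 077 && mkdir -p "$PROFILE_ROOT/$site") || return 1
    # Assumption: --disable-plugins is an old Chromium switch; if the build
    # no longer knows it, Chromium ignores it rather than failing.
    exec "$BROWSER" \
        "--user-data-dir=$PROFILE_ROOT/$site" \
        --disable-plugins \
        "--app=$url"
}

# Launch only when run with two arguments; sourcing the file just defines
# the functions so they can be reused or tested.
if [ "$#" -eq 2 ]; then
    launch_site "$1" "$2"
fi
```

Run as `isolate-site.sh facebook https://facebook.com`, or bind one invocation per site to a launcher icon. On Windows the same three arguments go into the "Target" field of a copied Chrome shortcut, or into a one-line `.cmd` file on `PATH`, as jewel describes.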
------
jtheory
This happened last month, so it was 0-day THEN, not NOW.

The hole in question was patched in the February 1st Java release, plus the
way the Java plugin works now (and how most browsers handle Java now) even if
there are still holes remaining in Java, the user will have to click through
at least one, probably two warnings before they can run the dangerous applet.

So far the latest fixes (in browsers and in Java) seem to have been effective.

~~~
jlgaddis
> ... even if there are still holes remaining in Java, ...

Heh

> ... the user will have to click through at least one, probably two warnings
> before they can run the dangerous applet ...

Unfortunately, there are still way too many users who will happily click
through those warnings (unsigned code, invalid certificates, UAC, and so on)
in order to {look at stupid pictures|play retarded games|win a free iPad|...}

~~~
jtheory
Not many Facebook engineers, though, I suspect.

And it's worth noting that even less technical users aren't so likely to click
through all of the warnings when they're _not_ expecting some kind of
interactive game to play. That also reduces the risk.

There will always be some people who click the links in their spam or open the
fishy attachments, who give permission to anything and everything, and whose
computers are so overloaded with malware, trojans, backdoors, etc. that they
collapse under the weight.

The main trick is to be sure that savvy users can keep themselves safe, and
making sure people doing important things on their computers are savvy.

I think Java is finally in a state now where it's safe for savvy users.

