
Notifications for targeted attacks - fahimulhaq
https://www.facebook.com/notes/facebook-security/notifications-for-targeted-attacks/10153092994615766
======
NhanH
This question obviously is unlikely to have an answer, but someone has to ask:
does "nation-state" include the Western countries, namely the US/EU and
friends?

~~~
ryanlol
I once received this alert from google, a few months later had a run in with
the FBI.

I don't see why any non-Western countries would be interested in me, so yeah.

~~~
JoshTriplett
> I once received this alert from google, a few months later had a run in with
> the FBI.

Sounds like quite a story; any details you can share?

~~~
ryanlol
I received the alert around Dec 2012, big red bar at the top of my screen
(which interestingly enough caused a reflected XSS vulnerability in gmail)
just randomly popped up as I was eating dinner a few days before christmas.

Didn't really think much of it, account logs showed no access from outside of
my own IP addresses and analysing all the emails I had received in the past
few months found nothing out of place. Leads me to believe (Well, hope.) that
the attack was detected and blocked by google.

About 8 months (had to double check that, since it sure felt like less) later
I flew over to defcon and the FBI searched my hotel room, seizing my throwaway
phone and laptop. On my way out of the country I was again stopped at JFK by a
bunch of agents holding a grand jury subpoena.

Ended up being asked a bunch of rather silly questions regarding some ORNL
hack (and others) that I couldn't really answer.

Wasn't arrested, got to spend an extra day in the states and flew out.

~~~
joshmn
Your email address in your profile would lead me to believe you're Russian,
but you speak very fluent and informal American English. Don't suppose you'd
admit to being a Finn and having a name of Julius, would you?

Curiosity, that's all.

~~~
ryanlol
Yep.

~~~
Jerry2
Using a Russian email server is smart: out of the subpoena powers of all of the
Western nations... and the FSB, even if they were to spy on you, doesn't really
give a damn unless you're trying to undermine the Russian Federation.

~~~
ryanlol
And contacting yandex customer support is significantly easier than trying to
get in touch with someone at google capable of unlocking my account.

~~~
joshmn
Followed you briefly (news-wise). Fun fact: I once received a call about some
credit card information being leaked, and was brought on to figure it out. I'm
pretty sure you had something to do with it.

Small, fun little world we live in. I was amazed to learn that you were so
young. Hope you stay out of trouble and put your curious brain to good use. :)
Don't forget your SOCKS.

------
fahimulhaq
"we strongly encourage affected people to take the actions necessary to secure
all of their online accounts."

This is an important aspect. The affected individual might be using several
other services that don't have the sophistication of Facebook's security team.
Facebook might have been able to thwart the attack but his/her other online
accounts might have been compromised.

------
Pyxl101
Why state-sponsored hacking specifically, as opposed to any (likely)
unauthorized access?

~~~
jsprogrammer
Also, how will sending a new password to your cell phone help? If you are
dealing with state sponsored actors, why not assume they can see all text and
email?

~~~
Laforet
A two-factor authentication token is sent via text, not the actual password.

That said, I find SMS-based 2FA to be pretty dodgy as well. Cloudflare was
hacked once by somebody who managed to gain access to an admin's mobile phone by
social engineering their telco. If a site does not offer TOTP-based 2FA I
usually don't bother using it.

~~~
suneilp
How does TOTP compare to HOTP?

~~~
Laforet
HOTP tokens do not expire with time, so there is a bigger risk of them being
stolen from transit/storage and successfully used.
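
The difference described in this exchange, as an added example that is not from the thread: a minimal RFC 4226 HOTP and RFC 6238 TOTP implementation using the RFCs' published test-vector secret (a constructed demo value), with a toy HOTP server whose counter and look-ahead window are assumptions. A captured TOTP code is rejected once the time step has moved on, while a captured, not-yet-used HOTP code still validates minutes later; only its second use is rejected.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors: a constructed demo value, never use in production.
SECRET = b"12345678901234567890"
STEP = 30      # TOTP time step in seconds
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps (clock drift)."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

class HotpServer:
    """Toy server side of HOTP (assumed design): tries the next `look_ahead` counters, advances on success."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume it: a replay of the same code now fails
                return True
        return False

def replay_demo() -> dict:
    """Constructed scenario: both kinds of code are captured, then presented 5 minutes later."""
    t0 = 1111111109                       # RFC 6238 test-vector timestamp
    totp_code, hotp_code = totp(SECRET, t0), hotp(SECRET, 0)
    srv = HotpServer(SECRET)
    return {
        "totp_now": verify_totp(SECRET, totp_code, t0),
        "totp_later": verify_totp(SECRET, totp_code, t0 + 300),  # step moved on: rejected
        "hotp_later": srv.verify(hotp_code),   # unused HOTP code still valid minutes later
        "hotp_replay": srv.verify(hotp_code),  # but a second use is rejected
    }
```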

------
pearlsteinj
Will it disregard National Security Letters to notify users?

~~~
aNoob7000
I doubt it.

This is just propaganda by Facebook showing everyone that it cares about your
privacy. Unfortunately, I believe governments all around the world are going to
have a talk with Facebook about what acceptable levels of privacy are.

------
joenathan
I've been getting regular emails from Facebook saying "sorry you've been
having trouble logging in to your account". I haven't been trying to login to
my account, I deactivated it years ago. Don't think there is anything I can do
about it.

~~~
eadz
You can delete your account. [https://en-gb.facebook.com/help/125338004213029](https://en-gb.facebook.com/help/125338004213029)

------
ryanlol
This is a good move by facebook and does have the potential to save lives, but
the fact that they don't provide any details about the attack or the supposed
attacker definitely makes it significantly harder for potential victims to act
on this information.

Imagine getting a message like this out of the blue, not even knowing who's
after you. What are you going to do?

It's hard to fight a faceless enemy, especially when you can't even be sure if
they really exist.

~~~
nness
I wrote a long response to this but decided to simply ask, what can a person
do to act on the information, if it were provided?

Protestors in Syria or China could probably already guess what such a message
means, so I'm curious as to the amount of information needed for a person to
be able to act on it?

~~~
ryanlol
Protestors in Syria or China aren't the only people getting these.

As Snowden demonstrated there's no lack of westerners being spied on just
because they happen to work at a telecom company.

The fact that there's no more information provided makes it far too easy for
those people to just ignore these warnings as mistakes and go on with their
lives.

~~~
nness
That's true, but I suppose it's a lot easier for Facebook to show warnings when
actors like Syria or China are the culprits since they have no requirement to
abide by their law. Whereas, as Snowden has shown, the US and EU can
stipulate whatever policy they want and require that Facebook can not disclose
anything about it. I'm just skeptical anyone in the US or EU will see this
warning.

~~~
ryanlol
I've, as a white EU citizen, received similar warnings from google.

I don't know if Facebook is going to be showing this to any western people,
but when google showed me their version of the warning there was very little I
could do with it since looking through my logs and emails showed no signs of
any attempted attacks.

------
aNoob7000
Except the USA, of course. :)

~~~
tonyarkles
Yeah, I suspect this wouldn't show up if Facebook received an NSL...

~~~
Myrmornis
Oh? I was hoping that that was one intended use for this. Would such an alert
violate the typical terms of an "NSL"?

~~~
thegeomaster
From Wikipedia:

 _NSLs typically contain a nondisclosure requirement, frequently called a
"gag order," preventing the recipient of an NSL from disclosing that the FBI
had requested the information._

...however:

 _The nondisclosure order must be authorized by the Director of the FBI, and
only after he or she certifies "that otherwise there may result a danger to
the national security of the United States, interference with a criminal,
counterterrorism, or counterintelligence investigation, interference with
diplomatic relations, or danger to the life or physical safety of any person."_

So it seems this is regulated to some degree, though it is unclear what counts
as "interference with a criminal, counterterrorism, or counterintelligence
investigation".

------
cjslep
Imagine if this alert system were too liberal at labeling things "nation-state"
and a significant proportion of users saw this notice: I imagine the
general populace would be much more concerned about internet security than
they are now.

------
Johnny555
Rather than stealing your password so they can log in to your Facebook
account, won't these state sponsored hackers just steal the authentication
cookie that your browser sends to show that it's been authorized by MFA?

------
corndoge
Why so many naysayers? I can't see this having any detrimental effects,
regardless of how effective it is in practice.

~~~
TeMPOraL
People are biased about Facebook for various reasons, including
$privacy-issue-of-the-day; no matter what they do they get to be the villain.

That is, unless we're talking about their newest PHP optimizer or ad toolkit.

~~~
wadetandy
That's no good either, because then they are just giving it to you so they can
sue you later and steal your startup due to the PATENTS file.

~~~
TeMPOraL
Don't forget to post that the next time there's a Facebook tech thread :).

------
Glyptodon
The comments (on Facebook) are surreal.

------
canow
This is so stupid since they can be forced to give information with no hacking
involved...

