In an all-out war scenario we don't really know the extent this new technology will ultimately play. Is it going to be the type of scenario like the first two World Wars where rifling, tank, and air combat technology is going to be one of the deciding factors? Is it going to be something more akin to World War 2 where Alan Turing's work on deciphering the Enigma machines / Nazi communication codes is going to play an integral role in preparation, troop movement decisions, and gaining the edge on the enemy?
I get the feeling, personally, that it's going to be a combination of everything above and more. Those individual militaries' capability of incorporating all of the tech at their fingertips and applying the knowledge / inferences gleaned while also making the best use of their cyber, hard, and soft military tactics is going to be a major deciding factor since the war will probably be staged on many fronts (physical and digital) between many allied nations versus many other allied nations.
The ability to communicate and execute will be as important as it always was (e.g. maximum importance, as usual) and I strongly feel that history will reveal the more technologically advanced and more wisely dependent nations of those technologies will write history as they become the winning nation(s) / powers.
How would you propose we shine a light on what bad actors, companies and individuals who are attacked, and even our own federal law enforcement would rather keep secret? How do we give law enforcement the ability to trace these attacks to their proper source during an ongoing investigation, but keep them accountable?
The penalties are potentially very hefty fines. (up to 2% of annual revenue, IIRC)
Another reason to not use your phone number as a unique identifier.
On a more serious note, the unusual activity started Sept 14, it then took 11 days before actually determining that it was an exploit, and then 2 days after that to actually fix the issue. 2 days might not seem like a long time, but with automation, the hackers could have gone through a lot more accounts in that time frame.
That is very slow for a server-side vulnerability. Was the fix so complicated that it could not be safely deployed within minutes or hours? Or did the FB management not take the issue seriously?
As soon as we found the vulnerability, our first priority was to determine how we could protect people most effectively. If we had closed the vulnerability immediately, the attackers could have escalated their attack to modify information or post as someone else by using the access tokens they had already acquired before we reset them. Instead, we determined all the potentially affected accounts and reset their access tokens in a coordinated way to prevent further misuse of the vulnerability.
We haven't reset 90M accounts all at once before. Identifying the attackers, defining our remediation, validating that it would work, and closing the vulnerability while simultaneously ensuring all accounts were secure is complex to do at scale.
You could have taken the site down until it was fixed.
So protecting people was your second priority.
Everything should be in lockdown mode while assessing the vulnerability and working on a fix.
It would be fine if your point was reasonable. But it's not. It's little more than an excuse to hate on Facebook.
https://www.amazon.com/Art-War-Sun-Tzu/dp/1599869772 (the parts on the type of ground are very good and should be instructive to y'all)
https://www.artofmanliness.com/articles/ooda-loop/ (It seems you guys have been 'looped' pretty badly, this will start the process of fixing that)
https://www.amazon.com/War-Carl-von-Clausewitz/dp/1469947021 (the sections on 'fog of war' should help you all out, the text in general is informative)
"Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. As a precaution, we also turned off “View As.”"
The last sentence could mean they disabled the feature and then spent two days fixing the vulnerability before re-enabling it. It's not clear though, maybe this is just wishful thinking on my part.
Edit: This hasn't been the case for years.
Lots of reasons to delay.
Having your information leaked like this has real consequences. After the issue with Cambridge Analytica, you are simply becoming a lab rat peasant for the oligarchy. Any autonomy that you may have had will soon fade away.
For me, it's mostly been about student loans, which I have not had for several years now. It's not even targeted. It's just spam. Though anecdotally I've heard other people say they tend to get different calls, none of which seem particularly well targeted, so perhaps it's merely very very poorly targeted.
These guys know more than phone numbers.
They know names, spouses, children, employers and banking relationships.
Armed with this info they sound legit to even experienced and cynical infosec professionals.
If anyone you know is on FB the chances are FB slurped up all your details from their address book.
You only have to hack Facebook to improve your targeting or something, but as I said, I've seen at best no evidence, and really negative evidence, that the recent spate of calls is well-targeted.
>Is my Facebook account impacted by this security issue?
>Based on what we've learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts.
I also get about ten spam calls a day.
I mean morally, yea, I'm with you, but from a legal standpoint, I'm not.
It's better than the do not disturb option because it doesn't also block text notifications.
Really this would all be massively simpler if iOS allowed your contacts to act as a whitelist and just push all other callers straight to voicemail.
Really a good system for fighting robocalls and distraction.
It's been a godsend.
"However, Hiya cannot send spam calls to voicemail without having your entire contact list on its servers. The app claims it needs contact access to avoid accidentally blocking people. As Nomorobo can do this without your contacts, this feels…sneaky."
Maybe this is incorrect or changed? It's possible they're just doing the comparison for neighborhood spoofing locally too.
My girlfriend's account was one of the affected ones, and since then she keeps getting these random messages from profiles that look like ex-military. No idea how they even find her profile, because she actually disabled search on FB for her name/profile.
For Facebook, this is just yet another security incident, but for millions of ordinary people whose contact details are exposed, many of whom are women, a continuous threat.
I'm unclear why it took 11-12 days to uncover this?
Someone noticed a spike on Sep 14th which was a Friday. Person A probably sent an email to Person B asking for information. Person B finally replied to ask Person C on Monday. Person C gets looped in Tuesday and assigns Person D to take a look at it. Person D is finishing up a task and starts looking on Friday. Everyone thinks this is fine as the issue is probably just a front-end bug that's causing looped requests. It's not considered a security issue yet.
They make a little progress on Friday, but are out of town in Tahoe for the weekend. Monday the 24th rolls around and they finally figure out that it might be an attack and report back up the chain, a process which took 24 hours. Now it's the 25th, which is 11 days later.
1-Mark opens calculator
2-gets how much $$$$$$$$ he’ll lose if FB shuts down for a couple of hours
3-lets hack continue
I’d estimate they have somewhere in the ballpark of over 200 security engineers who have alerts for when something like unusual activity happens
Second, if the counters that were being triggered by the attack weren't obviously malicious, it's likely that for some amount of time it was treated as a lower-priority "figure out what's going on" deal rather than a sign of something being critically wrong.
"Hey, we're getting a 25% increase in access to the video uploader but the number of successful uploads is normal. Did we break the page somehow and people are having to reload the page?". And then somebody spends a day looking at what was pushed the previous Thursday before deciding that the widget is working correctly and escalating to someone else.
It's also highly likely that the product teams at Facebook (who would probably have started the investigation, since it was product-related counters going up rather than something obviously security-related) might not have sufficient access to logs to determine the exact sequence of events. Maybe they didn't have the raw IP addresses of the requests, so couldn't realize that all this increase in traffic was coming from a handful of systems. Maybe they could only see the requests to their own service, but not the full path of requests to other services that the attacker used to pivot from one vulnerability to another.
A week after detection to deciding it was a security issue seems like a pretty plausible timeline to me.
That's why in security we don't play the blame game when someone gets hacked. We know it could happen to any of us, might already have happened, and we're all doing the best we can with the resources we have.
Also the more people you have who might be compromised. It's almost a certainty that there are people with access inside Facebook who are or have been corrupted. That can happen in a small company too, but the risk/reward is usually lower and there are many fewer people who can be targeted.
One person with a thumb drive can exfiltrate a highly damaging amount of data.
- Facebook is an incredibly juicy valuable target, worth investing time in
- FB has a very complex application and massive codebase. Your Django web store is far more straightforward
- smaller orgs can get away with not reporting, and don’t get visibility when they are compromised
If you must, then encrypt it so that you can never access it (e.g. you never have a user's private keys).
If you must be able to decrypt data (e.g. fraud, law, what have you), encrypt the data to a key where the private key is separated from the rest of your system.
Finally: have billions of dollars and still lose it :-/
You can't be perfect. And you likely have less talented engineers than Facebook can afford, but if your software doesn't provide these sorts of bridges that Facebook developed then that's one less point of exposure you're testing/fixing/securing.
The thought of it sounds horrifying to me so I'm wondering if I'm missing something and how/why they might have approved such a design.
I was an eng at FB when the "View as" feature was being built. I wasn't involved in the project at all, and my memory is hazy (this was probably 7 years ago by now), but I remember people being like "wow this is crazy and probably a bad idea".
I don't actually know if View As generating access tokens was how it worked originally, or if that was a later refactor. Just, in general, spoofing privacy / access control is really scary, no matter how you do it.
However, at the time, Facebook was getting a lot of shit (rightfully) for not helping users understand the privacy model, and the View As feature was actually incredibly useful for helping users understand what was public. So my guess (pure speculation) is that yes, people acknowledged it was scary, but decided the value was worth the cost.
The idea that FB or any Western company can stand against tens of thousands of Chinese engineers with almost unlimited budget is absurd. As much as the government and government interference is maligned in tech, we need to start considering a serious public/private cybersecurity partnership.
This is ageism, but I can't think my way around it. The questions the Legislative body were asking the tech companies were so bad, and that's presumably after they'd been briefed by whatever experts worked for them.
Executive branch: "As far as the cyber, I agree to parts of what Secretary Clinton said."
FCC: "The thousands of dead people responding to our public request for comment is fake news. Also, it was a hack. But we weren't hacked."
Justice Samuel Alito on how cell phones can have huge storage capacity: "What if the person had on his person a compact disk?"
Justice Anthony Kennedy on what happens when you get a text, while sending one: "Does it say: 'Your call is important to us, and we will get back to you?'"
Imagine you are GCHQ or the NSA. You discover a 0-day. Do you a) make sure your own citizens and allies are patched ASAP or b) keep it quiet so you can use it yourself, perhaps on said citizens?
"They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles."
Seems a lot more like this has leaked the privacy of 400 million users, but Facebook are trying to focus on the smaller 30 million (though granted, those are more seriously affected.)