Hacker Newsnew | comments | show | ask | jobs | submit login
Logging out of Facbook is not enough (nikcub.appspot.com)
475 points by nikcub 1439 days ago | 120 comments



These are the AdBlock Facebook rules you want:

  ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
The key is to allow FB's CDN when on FB, but to disallow it and everything else when not on FB.

-----


What are the ramifications of doing this? Is all explicit sharing also disabled?

-----


It means Facebook lives on Facebook.com only.

If you need it to appear anywhere else temporarily then you use the AdBlock switch to temporarily whitelist a site or domain.

-----


You can always use what I call "old school" sharing - just copy & paste the relevant URL in a status update.

-----


In Chrome 15 there's a flag (in about:flags) to disable third-party cookies from being read:

  Block all third-party cookies.

  When the option to block third-party cookies from being set 
  is enabled, also block third-party cookies from being read.
(Don't forget to activate blocking in Preferences > Under The Hood > Content Settings... > Cookies.)

-----


But then some sites stop working, like Twitter and even some parts of Google :(

-----


I use Safari and that is the default setting, and I have not had any issues at all ... could you provide more information?

-----


Isn't Safari's option the same as Chrome's main "Block third-party cookies from being set"?

Chrome's about:flags option also blocks third-party cookies from being read.

-----


Could you elaborate?

I routinely run with only direct cookies permitted (no third party ones) and with all cookies except those I have explicitly whitelisted being deleted each time my browser is closed.

I am not aware of any problem this has caused me for a long time, including on the sites you mentioned. Maybe there is some useful feature I'm not seeing at all because of the cookie restrictions I impose, but maybe they've just got better over time at not relying on cookies for things they shouldn't?

-----


> maybe they've just got better over time at not relying on cookies for things they shouldn't?

It may be that. I just tried and Twitter is working perfectly without third-party cookies. Some months ago it didn't allow me to login.

With Google I had a similar problem, I couldn't login into my Google Account in sites that weren't the search engine (Docs, YouTube, etc). I just tried them, and again, it seems that it works now.

I use Chrome stable. Maybe something changed in the management of third-party cookies in recent releases?

-----


I would suspect it has something to do with Safari (Mobile at least) having third party cookies disabled by default.

-----


Safari help says "Select to reject cookies from advertisers and from “third parties”—websites other than those you open. This might help prevent certain advertisers from storing cookies on your computer."

This might mean that they reject third-party cookies from being set, but not from being read. That is, once you get a cookie (e.g. signed in to Facebook), every other request to Facebook (even if it's through the "Like" button) will also send your cookie.

The flag that appeared in the latest Chrome beta specifically disables sending of cookies to third parties, even if you have them.

-----


The +1 Chrome extension (https://chrome.google.com/webstore/detail/jgoepmocgafhnchmok...) doesn't work with third-party cookies disabled.

-----


Thanks for the tip! Anything equivalent for Firefox (and maybe IE and Opera too)?

-----


In the Firefox preferences go to the Privacy tab and select Use Custom Setting for History in the History section. From there you will see the check box to accept 3rd party cookies. Keep in mind this will prevent webmasters from using things like Google Analytics. Which you may want anyway but I thought it was worth mentioning.

-----


Are you sure that setting "Accept cookies" to "off" will prevent third-party sites from reading cookies as well?

-----


Based on the small amount of testing I did on couple versions of Firefox, disallowing third party cookies means only websites you are directly visiting can read or write any cookies.

So if you go to facebook.com and it sets some cookies and later you go to somerandomblog.com that has some images from facebook.com, Firefox will not send cookies to facebook.com, since you are not visiting it directly.

Now obviously if somerandomblog.com has javascript from facebook.com on it, then that javascript can read cookies from somerandomblog.com and do pretty much anything it wants with that page.

-----


Good question and I'm not sure. I would guess that if it doesn't accept them then it wouldn't read them either. The first step in the cookie transaction would be to check whether that cookie already exists (an attempt to read the cookie). It would seem easiest to stop that process at that point based on user preferences rather that just programming it to check at the actual write time.

This is all speculation though.

-----


But once you sign in to Facebook, you have the cookie, so browser will send it if there's no read blocking.

-----


Cookies can still be read if this is set to "off."

-----


I use Cookie Monster (https://addons.mozilla.org/en-US/firefox/addon/cookie-monste...) as it allows more dynamic blocking of cookies.

-----


Facebook Blocker for all common browsers: http://webgraph.com/resources/facebookblocker/

-----


not compatible with Firefox 6.0.2

-----


Opera: Preferences (Ctrl+F12) -> Advanced -> Cookies -> Accept cookies only from the site I visit.

-----


I blackhole facebook.com at the domain level using pdnsd:

neg { name=facebook.com; types=domain; }

I have no idea why people are so eager to give away their privacy to Facebook and others to sell and whore-out to the highest bidder. It's akin to getting a handful of bright, pretty beads for your property.

-----


What sort of sales and whoring-out has Facebook done? Is there really any value in one's social graph, or do we just hope there is so we can hate Facebook for being evil instead of for making us realize how dumb our friends are?

-----


As someone whose bought a ton of advertising on Google, and some on Facebook, there is a hell of a lot of value in the social graph.

With Google you bid contextually, that is, you are guessing that because the page is about (for example) "The Beatles" that the people there are interested in The Beatles. This is generally right. But, you have no idea about the demographics of the viewers. Just knowing if someone is under 18 or over 21 pretty much means whether or not they have any ability to purchase your product after clicking your ad. And these demographic/behavioral trends go much deeper.

On Facebook you buy an ad based on the users demographics (age, gender, etc.) and what they explicitly said they were interested in. Most people don't list every single interest. Facebook, by pulling in all this external data now has a shitload more stuff advertisers can target ads on. Instead of targeting the tiny fraction of people who put "The Beatles" as their interests, now advertisers will be able to target users that are likely interested in The Beatles because they do things like, listen to The Beatles every week, or all their friends listened to The Beatles this month.

Its very likely that Facebook will be able to beat Google's CPMs with this deep targeting ability. Whether or not its planned, I expect that Facebook will attempt to syndicate their advertising and compete directly with Google

Users should be very concerned. Advertisers can figure out a lot about you based on you clicking an ad that they targeted to a narrow set of specifications. You might think the ad is about free ipods but its really only being displayed to users that did a certain set of criteria. This can and will be abused. To a limited extent it already is.

Back when Facebook first rolled out their ad network, there was an advertiser or two who figured out you could target females that were engaged, and by insulting their weight get them to buy their weight loss pills.

As you can imagine, Google needs a large Google + user base so they can build their own dat aset to sell ads based off of.

Ironically the next Facebook killer social network will likely have the main selling point of privacy. I'd sign up. Google + is not it.

-----


You don't want Facebook to post an announcement say "I am watching a video on makeMEpleasure.xxx, and I like it because I visit this website ten times per day." or have Facebook recommend you with potential same-flavor friends or pages, which include something making more guys happy.

-----


The more data we have about a user's behavior the more useful it is potentially for predicting future behavior; whether it's how likely they are to buy brand x from store y or who they will vote for in the next election, and how they influence their friends and family (or vice versa).

Right now machine learning is still a niche area for the majority of programmers. Looking at open source software landscape for ml, this is slowly changing. It's only a matter of time before people make breakthrough applications (that is if they haven't already).

-----


I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

I suppose that because people buy or vote for what they're told to buy or vote for, this will let those wanting to influence people more effectively spend their money. But the solution to that is not AdBlock, it's education. Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?

-----


> I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

It depends on who buys the data and / or the interpretation of that data from them. Just imagine a country like China buying it to predict who will become a subversive and arresting them before anything happens, something akin to pre-cog crime. When I think about it, we can probably aleady do this somewhat accurately with all the data we can collect right now. We have all the tools: open (and affordable proprietary) ML software, open big data frameworks (hadoop, storm, actor model, cassandra), as well as the cloud (AWS, Rackspace). People just need a comprehensive set of data.

> Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?

Not necessarily, you can't constantly consciously fight thousands of years of evolution; but that's another topic.

-----


So the reason why Americans shouldn't use Facebook is because it's possible that some rogue government somewhere might oppress its people? Those governments seem to be doing a pretty good job already without Facebook's help.

Then there's the argument that in 30 years the US will be one of these countries, too. I wonder why people are so afraid of this, but not of the small chance that they'll be hit by a meteor when they go outside tomorrow to go to work. They've been hit by a meteor exactly as many times as their government has used a "social graph" to oppress them, after all.

-----


For most of human history most people in the world lived under tyranny. In that light the freedoms we enjoy in the USA are a pretty small blip in the data. Why do we think it will always be so, especially with so many people apparently unconcerned about the unprecedented ability of both commercial and government organizations to accurately profile the public/citizens?

-----


To be fair, the San Francisco BART protests come to mind when you talk about recent examples of government oppression. On the other hand, I don't know of anyone who has been hit by a meteor.

-----


That's just one obvious example. As for your analogy, that's like saying people were already doing a great job communicating via phone and email, what's the point of IM, twitter, or social networks in general?

You're vastly underestimating the potential value of access and storage of more and more precise behavioral data combined with the innovation of a startup vs the stodgy, uncreative, stubborn ways of both old world telecom and finance corporations. Back then, even with access to people's purchasing data and past addresses, I would have had to do a lot more work and ask for larger increases to our budget to figure out people's relationships as well as non-purchasing behavioral data aside from traffic. Now I can potentially have access to people's preferences to stuff as opposed to just guessing. Today it's much easier and cheaper.

-----


This protection is NOT about the value of the social graph. And neither is Facebook, BTW - that turned out to be a gambit to get where they are.

And where they are is that they know everything about you (biographical info, hobbies, affiliations, marital status, number of kids, sexual preferences, web sites you visit and when), independently of who you know.

Right now, fb are only (?) using it to target ads at you, but you can be sure that all three letter agencies are cc:ed on every database update

It's about not letting Facebook track your every move on the web and beyond (or, more accurately, not let every site snitch on you to facebook).

-----


Is there really any value in one's social graph

If there is value in the graph, then the protection works. If there isn't value, then this is a fail-safe.

-----


I have an idea: Use their cookies against them. Build a plugin that anonymously and randomly swaps cookie values amongst the people using it.

Could possible make use of telehash.org or like.

-----


Would you really run the risk of accidentally letting a random person into your Facebook account?

-----


I also think that this is a bad idea. This form of cookie sharing has been done many years ago and I don't remember the details of the story tonight. In the end it really freaked people out when they suddenly had user priviledges of other users on popular websites.

-----


In fact, deactivating/"quitting" your FB account is not enough, either.

I deactivated my FB account several weeks ago, not so much for privacy issues directly but out of concern of the overall psychological effect of so much sharing and the emphasis on superficial identity (something I don't see discussed much).

Anyway, I checked my cookies after reading this piece and, not surprisingly, FB didn't remove my old auth cookie (the one keyed 'datr') when I quit their site. I should have known better, but I still think it's shameful to some degree to track people after they've very clearly disengaged from the site and their FB "identity".

-----


datr is not an auth cookie. xs is an auth cookie, and c_user is the cookie which stores your user ID. datr is a machine identifier, not a user identifier (multiple people using the same computer share a datr, but don't share accounts, while a single user using multiple computers or browsers will have a single account, but one datr per machine).

-----


I use Disconnect for chrome. https://chrome.google.com/webstore/detail/jeoacafpbcihiomhla...

-----


It makes me nervous that it hasn't been updated since July. I switched to adblock plus with the fb rules above, and "disable all third-party cookies" in about:flags.

-----


I use 2 very simple adblock plus rules that deactivate all of facebook outside of the facebook website. Simple and straightforward and works fine for me.

It might not be enough, though :D

Something like, for FireFox, IIRC:

  ||facebook.*$domain=~facebook.com|~127.0.0.1
  ||fbcdn.net/*$domain=~facebook.com
And for Chrome, I think it would become:

  *.facebook.*$domain=~facebook.com|~127.0.0.1
Edit: adding the rules

-----


If you're a Firefox user and you'd rather whitelist known good actors, than blacklist known bad actors, as per this example. Install the RequestPolicy addon.

-----


I got pointed to this addon in a past discussion about FB here on HN and I can fully support this recommendation.

-----


Would you mind sharing that rule?

-----


done

-----


I guess EasyPrivacy one of the in built filter in ad-block plus already does that. Correct me if i am wrong.

-----


I thought that, but with EasyPrivacy, I still have the facebook comments on TC, but not with that rule.

Maybe I did something wrong...

-----


EasyPrivacy rules can be seen here: https://easylist-downloads.adblockplus.org/easyprivacy.txt

Search that for 'face' and you'll find only 4 rules that would apply, and those are about removing pixel trackers whilst leaving content intact.

The rules above remove content, which is just as well as anything a pixel tracker can do content could do. Which is where the current paranoia level seems to be.

-----


There's also the Antisocial filter, which removes social widgets.

https://adversity.googlecode.com/hg/Antisocial.txt

It has many filters for Facebook, and I can clearly see, for example, the one for Facebook Connect.

-----


I think there's a start up opportunity - "A dead simple way to take control of your privacy". Perhaps a native tool for windows, mac and linux. Just install it, set the settings and forget it.

-----


Expand on this more. How does this differ from privacy mode (at this point most browsers have a "InPrivate" browsing or "Incognito" or "Private" mode

-----


But you can't really use incognito mode all the time. It will log you out of all other 'legitimate' sites you want to be logged in forever, like Gmail.

-----


also, currently, all incognito windows (in chrome) share the same cookie jar. so if you are using facebook in an incognito window while surfing other sites in other incognito windows, you have the same problem.

-----


"A dead simple way"

-----


I've deleted all Facebook cookies from Chrome and Safari, and now I use Facebook exclusively with a Fluid.app SSB with private cookie storage.

I can recommend this setup for any Mac users willing to spend $5 for Fluid. Alternatively you could probably rig up a 'Facebook' script to launch Chrome with a separate profile to achieve the same results.

-----


Thanks for the update, that Fluid now has private Cookie storage.

-----


Imperfect hosts list, there may be more

127.0.0.1 www.facebook.com

127.0.0.1 facebook.com

127.0.0.1 connect.facebook.net

127.0.0.1 facebook.net

127.0.0.1 fbcdn.net

127.0.0.1 www.fbcdn.net

It sure seems to speed up using the web.

-----


Thanks. I tried to get a list of domains from their nameservers but they seem to have blocked the usual ways to do this:

  $ dig @ns1.facebook.com facebook.com axfr

  ; <<>> DiG 9.3.6-APPLE-P2 <<>> @ns1.facebook.com facebook.com axfr
  ; (1 server found)
  ;; global options:  printcmd
  ; Transfer failed.
and...

  $ host -l -t any facebook.com
  ; Transfer failed.
  Host facebook.com not found: 5(REFUSED)
  ; Transfer failed.

-----


This would just do a zone transfer of facebook.com (plus delegations of sub-domains) not all zones on their nameserver. It is also normally deemed a security vulnerability to allow zone transfers to unauthorized clients, which is basically any client that isn't a secondary nameserver.

-----


Here is some more:

0.0.0.0 badge.facebook.com

0.0.0.0 blog.facebook.com

0.0.0.0 en-gb.facebook.com

0.0.0.0 developers.facebook.com

0.0.0.0 touch.facebook.com

0.0.0.0 de-de.facebook.com

0.0.0.0 stories.facebook.com

0.0.0.0 it-it.facebook.com

0.0.0.0 hu-hu.facebook.com

0.0.0.0 peace.facebook.com

0.0.0.0 et-ee.facebook.com

0.0.0.0 az-az.facebook.com

0.0.0.0 0.facebook.com

0.0.0.0 apps.facebook.com

I always use 0.0.0.0 (which is really wrong) instead of 127.0.0.1 (which really exists, there is my local apache), this works on Linux and Windows systems.

-----


Let me get this straight, this guy posts about how logging out of Facebook isn't enough, and how Facebook learning things about you that you don't want it to. The majority reaction is to adblock them and disallow them to do that to you.

But this isn't right. Go on Facebook and tell me how many of your friends wouldn't even know the first thing to do with one of these extensions. So now the computer literate people know how to protect their privacy, but what about everyone else?

-----


Adblocking is a practical solution to something we see as a problem. Many people don't even think this is a problem and actively ignore people trying to educate them, so what do you propose the right thing to do here is?

> So now the computer literate people know how to do X, but what about everyone else?

This is only a problem that will get worse with time. Computer literacy is important to contemporary society.

-----


Because the majority reaction to any HN post is a technical pissing contest you have to learn to ignore if you want to glean anything interesting from the thread. If you're not interested in that, or in showing-off your own geeky credentials, then you're mostly wasting your time participating in an HN "discussion".

-----


To be completely honest, I don't really see why something like this is so novel and outrageous. It is as if everyone has forgotten why and how companies like Facebook, Google, Microsoft, Twitter, etc.. are able to provide what they do for free. The implicit contract is "you get all this for free, and in return we get to serve you ads that we target to you." Moreover, they all have much more information on you than your browsing habits.

Why the outrage?

-----


It's because the actual terms of the exchange are so infuriatingly unclear. Also, because efforts to fix this are met with an endless stream of deflections and evasions, all of which signal an intrinsically untrustworthy character in the organizations making them.

To understand this a bit better, imagine going to the grocery story, buying milk, eggs, etc. swiping your card, and not getting a total.

"Don't worry about that" says the store "as long as we (and our unnamed affiliates) have access to your bank account, everything will be fine."

Going home to look at your statement, you see a bunch of debits, most of which seem reasonable enough on their own, but none of which have a clear relation to specific purchases. All you come away with is a general sense that "I should save more" or "I can spend more".

So here's the question: if people started pointing that this arrangement was highly damaging to people's economic autonomy, and wide open to abuse, what would you think of someone who says "yeah, well, stuff isn't free"?

Would you think that this was an honest, intelligent reply? Or would you note that the person making it has just evaded the original question, shifting the topic away from concern about the deliberately unmanageable terms of the exchange and onto the (uncontested) subject of underlying economics? Also, would you notice that the jerk responding in this fashion added an extra layer of insult by suggesting that the person who asked the question must be a bit of an idiot because they don't understand basic economics?

Toxic politicians do this all the time. They 'reframe' questions before answering, allowing them to 'respond' by answering questions that nobody asked, while dodging the ones they did. If they're especially nasty, the land a rhetorical punch in the process, providing a disincentive to any further questioning.

It's bullshit. And people know it's bullshit. Ergo, the growing outrage.

-----


I said this yesterday on the original discussion.

http://news.ycombinator.com/item?id=3033475

Good that you ran with it, though, and illustrated the point.

Perhaps a better headline would have been "Facebook is still tracking you across the web even after you log out", though. Generally it's only hackers that know what "enough" means in this context, and Facebook's market is, as we all know, much much bigger than us.

-----


not that I want to turn this into a pissing contest, but I emailed this to them on the 14th of November 2010. I emailed them again on the 12th of January this year. I have been sitting on it for that long.

I updated my post to make that clear, that this is an issue that is almost a year old.

-----


You are not going to hear back from Facebook because they will not believe this is an "issue".

-----


Precisely - this is a design feature, working as intended.

-----


Normally the security@ team is very responsive, and not that hard to find:

https://www.facebook.com/security

As for your specific claim about cookies, there is a little checkbox labeled "Keep me logged in" or "Remember me" on the login page. If you don't trust the terminal, don't check that box. Leaving it unchecked will set the personally identifiable cookies to expire at the end of your browser session.

This is the same advice given for any website about unsafe terminals, and anyone who has 15 years of security industry experience would be aware of cookie expiration. What exactly are you claiming here?

-----


He's talking about after having clicked "log out". I don't think the "keep me logged in" button factors in here (though I could be wrong).

-----


this has nothing to do with 'keep me logged in' and as I mentioned in the post I contacted a number of facebook contracts a number of times (including the standard security report track) and never heard back

-----


Fair enough. I will follow up. FWIW, the act cookie is always set to session only.

-----


A question: I periodically delete all cookies in Chrome, and only use Safari for visiting Facebook; this should be safe enough, right? I use one browser (Chrome) for work related things like GMail, Twitter, web search, HN, and customer sites. I use Safari for casual browsing (Facebook, Reddit, etc.) This way I sandbox web tracking to one browser.

I suppose that one big hole in this is tracking my IP address.

-----


Firefox can delete all cookies everytime you close it, helps stop any site from tracking you for more than a day/session.

-----


Even after deleting FB cookies, what prevents them from tracking you (with reasonably good accuracy) using your IP address. In that case, you might as well just blacklist all of facebook.com.

In my opinion, internet users must be aware that there is no easy way to be totally anonymous, whether it be Facebook, Google, etc. If you require complete anonymity, you might as well unplug your internet cable.

-----


what prevents them from tracking you (with reasonably good accuracy) using your IP address

Dynamic IP addresses and use of the same IP address by multiple people.

All it takes is a couple of friends, acquaintances or others accessing using your home network and it'll confuse the hell out of the stats. And that's without going into IP ranges for universities, schools, offices large and small, and your local coffee shop.

Then add in IP address pooling by ISPs, where every time a user connects (or every week, month or year) they're issued a new IP, and you end up with an unclear situation.

I won't start on how cell/mobile phone networks further confuse the situation ;)

-----


Or, indeed, using your combination of locale, useragent, etc. These are often unique. You can test yours here: http://panopticlick.eff.org/

-----


you're partly right - the only resolution here would be to disable javascript, which makes a great part of panopticlick work (identifying installed fonts, etc.). however I think this kind of user recognition would be an overkill for a site with so many impressions like facebook - the computational effort to assign an account to each set of features must be huge (thou maybe sometime later ... when privacy laws get more restrictive).

-----


It is indeed sort of disturbing that panopticlick gives me the message "Your browser fingerprint appears to be unique among the 1,769,884 tested so far."

-----


If you add any new plugins your print would be unique again compared to your previous settings, which would make you difficult to track. Stay unique, my friends.

-----


Still possible, still possible. Of course, it all depends on how much they want to track you.

-----


This is like the old meme "If you had invented Facebook, you would have invented Facebook."

There's no solution to "I like using Facebook but I don't like Facebook using me."

If you don't want Facebook to talk to your computer, don't let your computer talk to Facebook.

-----


But it's not that simple now, is it? Facebook infests your life whether you want it or not and does not have a 'no thanks' or 'yes please' option that will kill all their cruft on a thousand and one websites. On a typical day of surfing you probably load their widgets 100's if not 1000's of times through all the sites that place the cruft on their pages. Whether or not you hit a page with a facebook widget on it is unknowable before you hit the page and facebook does not have a list of domains/hosts to blacklist either. And blacklisting is already beyond the capabilities of most internet users (which is really a sad thing, but you can bet that only a very tiny portion of the netizens knows where to find their 'hosts' file and how to make it do stuff for them).

-----


And even if you know where you can find the hosts file and know what it's good for, it is tedious to collect all the domains and subdomains and add them to the file. There is no wildcard mechanism like *.facebook.com to block all subdomains.

Another solution is to set up a local proxy and apply filter rules, but this is also complicated.

I would love to agree with everybody who says: You don't like Facebook, then simply don't use it. I don't have an account there, but their clutter is everywhere on the web, "like" buttons and stuff like that. I wish that people who maintain their own website or blog would think more about these things and their consequences, before they add fancy buttons to their page layout from a third party site.

-----


The solutions based solely around cookies only will help with that particular mechanism. Over the last year, I've seen a couple of articles similar to the following:

http://news.ycombinator.com/item?id=1714446

and

http://news.ycombinator.com/item?id=2891369

Where "cookies" can be stored in more than just the traditional cookie.db. I haven't looked to see if FB is making use of these alternative mechanisms, but other sites have.

-----


Between Google Analytics (which everyone seems to have nowadays), Adsense and now the +1 button, Google has been master of user tracking. Facebook only has things I chose to share, but Google can tie everything to my private emails through Gmail and all the creepy search terms I might have ever used. How do we stop them?

-----


You can opt-out: https://www.google.com/privacy/ads/

Or from Analytics: http://tools.google.com/dlpage/gaoptout

And permanently delete your web history: https://www.google.com/history

And you can take your data with you when you go: https://www.google.com/takeout/

Privacy center: http://www.google.com/intl/en/privacy/

-----


The point of this article is precisely that they know/have MORE than what you explicitly give them.

-----


I've been using Ghostery [1] to block Facebook tracking. While it's still a bit iffy in Chrome, it works quite satisfactorily in Firefox. I like it because it can be toggled on and off easily if you want to use your Facebook login on specific sites.

1. http://www.ghostery.com/

-----


I haven't looked, but I would bet any money that Google does the exact same thing, too.

-----


This seems like a gross privacy violation to not honor the logout button, and continue to track the account ID of the user. I would be very surprised if Google were doing this too. And I would be surprised if Facebook were not hauled into court over this (at least in the EU if not in the US).

-----


Logout has never meant "stop using unique id cookie tracking". Ad networks have been using them forever even without login/logout functionality.

-----


The cookie 'act' that Nik identifies as his account number is actually an extended UNIX timestamp.

-----


> The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year.

You realise you're hurting innocent users much more than Facebook itself by not reporting them, right?

-----


It's not his duty to report such things.

No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?

My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.

But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.

-----


I guess I'm too nice myself. It'd be nice if we all did that extra 10% to make the world better.

Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.

(Facebook has a web form for it[1].)

[1] http://www.facebook.com/whitehat/report/

-----


He didn't put the bugs there, he only discovered information that already existed. He can't be blamed for hurting anyone.

It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.

-----


I use the Android Facebook app not the browser so yesterday I looked at it but can't see any way to log off. I'll probably have to delete it. On my Facebook page all I have is stupid stuff but still I would like to log off.

-----


I'm not surprised by this. I noticed for a few months that I would sign out, appear to be so, but navigating to the site again would magically get me back in. Sign out was broken!

Disappointing that Facebook won't do the honorable thing.

-----


That's user error.

-----


I am not aware of any problem this has caused me for a long time, including on the sites you mentioned. Maybe there is some useful feature I'm not seeing at all because of the cookie restrictions I impose, but maybe they've just got better over time at not relying on cookies for things they shouldn't?

-----


I am really curious if delete all cookies on exit, fixes this problem.

-----


thanks for the tip , facebook is now intruding in to every one's privacy, they want mobile phone numbers to register a profile. such measures of facebook seems to be ridiculous

-----


Facebook doesn't require mobile phone numbers to register as a user and maintain a profile. What makes you believe that such a thing is necessary?

We also require some additional information from application developers.

We do offer a two-factor login authentication that sends a text message to your mobile phone, so that your username/password credentials aren't enough to log into Facebook by themselves if a login attempt is done from an unknown device.

-----


Why should any cookie last more than 30 minutes anyway in this day and age? Make all cookies session cookies.

Also disable third-party-cookies entirely.

-----


Many users would be annoyed to lose their persistent login. Disabling 3rd party cookies globally will break many sites that use 3rd party services and may be against the site's TOS as it would negatively impact their ad revenue.

-----


it doesn't matter anymore, but there's a typo in the title.

-----


so if someone introduced a way to be on a small local area network with just you and your friends/family, without involving any third party servers (no xmpp or whatever else), would you guys be interested? encrypted of course, but based on "real world" trust (you already know each other in real life, you share a passphrase in person, the old fashioned way, no online pki conundrums).

is there a demand for this?

are people annoyed enough with facebook that they're ready for this?

-----


If you're a Firefox user and you'd rather whitelist known good actors, than blacklist known bad actors, as per this example. Install the RequestPolicy addon.

-----


[dead]

Have you read the thread about Chrome privacy? There are plenty of complaints in the comments there.

-----


Nice try, Mark.

-----


For Christ's sake, do we really need 4 or 5 anti-Facebook threads, especially when they haven't done anything malicious? This place is nearly as bad as Reddit. I am kind of upset about this.

-----


Hi all.First things first;I'm a girl,totally dumb in hacking,technologies etc.Few days ago my FB page was fully COVERED with adverts that I was checed on the net few hours ago(like: french connection,michael korrs).The shocking thing was,it wasn't just the webpage of MK on my FB but the items what I've just checked as well.Blimey.Its scary,I hate it and its getting worse day by day.I have internet explorer browser(ok I also have Chrome,but I ve never used).My question is: how can I stop these adverts?can anyone explain to me step by step(yes I'm a dumb lol)what to do?Thank u so much:-)

-----


I don't really understand what point you're trying to make.

-----


Hackernews is now known as Facebook news

-----




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: