Logging out of Facebook is not enough (nikcub.appspot.com)
468 points by nikcub 935 days ago | comments


buro9 935 days ago | link

These are the AdBlock Facebook rules you want:

  ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
  ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
The key is to allow FB's CDN when on FB, but to disallow it and everything else when not on FB.
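How these four rules behave can be checked with a small matcher for the ABP `||host^$domain=…` syntax they use. This is an added example, not part of buro9's comment or of AdBlock Plus itself; it implements only that subset of the filter syntax (a domain-anchored pattern plus the `domain=` option with `~` exclusions) and treats a host as matching when it equals the rule's domain or is a subdomain of it.

```python
from urllib.parse import urlparse

# buro9's four rules, verbatim from the comment above.
FB_RULES = [
    "||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
    "||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net",
]


def host_under(host, domain):
    """True when host is domain itself or a subdomain of it. The check is
    label-aligned, so 'notfacebook.com' does not match 'facebook.com'."""
    return host == domain or host.endswith("." + domain)


class DomainAnchoredRule:
    """Minimal parser for ABP rules of the shape ||host^$domain=a|~b.

    Only this subset of the filter syntax is handled (an assumption of this
    example): the request host must be at or under `host`, and the page the
    request originates from is tested against the domain= inclusions and
    ~exclusions."""

    def __init__(self, text):
        pattern, _, options = text.partition("$")
        if not (pattern.startswith("||") and pattern.endswith("^")):
            raise ValueError("only ||host^ patterns are supported: %r" % text)
        self.host = pattern[2:-1].lower()
        self.include, self.exclude = set(), set()
        for opt in options.split(","):
            if opt.startswith("domain="):
                for dom in opt[len("domain="):].split("|"):
                    if dom.startswith("~"):
                        self.exclude.add(dom[1:].lower())
                    elif dom:
                        self.include.add(dom.lower())

    def active_on(self, page_host):
        """Does the domain= option let this rule apply on page_host?"""
        if any(host_under(page_host, d) for d in self.exclude):
            return False
        if self.include:
            return any(host_under(page_host, d) for d in self.include)
        return True

    def matches(self, request_url, page_host):
        req_host = (urlparse(request_url).hostname or "").lower()
        return host_under(req_host, self.host) and self.active_on(page_host)


RULESET = [DomainAnchoredRule(r) for r in FB_RULES]


def is_blocked(request_url, page_url):
    """Would the ruleset block request_url when it is loaded from page_url?"""
    page_host = (urlparse(page_url).hostname or "").lower()
    return any(rule.matches(request_url, page_host) for rule in RULESET)


if __name__ == "__main__":
    # Constructed sample requests: an embed on an unrelated blog, the same
    # embed on a news site, FB's own CDN while on FB, and a same-site image.
    cases = [
        ("https://connect.facebook.net/en_US/all.js", "https://somerandomblog.com/post"),
        ("https://www.facebook.com/plugins/like.php", "https://news.example.org/"),
        ("https://static.ak.fbcdn.net/rsrc.php/app.js", "https://www.facebook.com/"),
        ("https://somerandomblog.com/img.png", "https://somerandomblog.com/"),
    ]
    for req, page in cases:
        print("BLOCK" if is_blocked(req, page) else "allow", req, "from", page)
```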

-----

gallamine 934 days ago | link

What are the ramifications of doing this? Is all explicit sharing also disabled?

-----

buro9 934 days ago | link

It means Facebook lives on Facebook.com only.

If you need it to appear anywhere else temporarily then you use the AdBlock switch to temporarily whitelist a site or domain.

-----

vaneck 934 days ago | link

You can always use what I call "old school" sharing - just copy & paste the relevant URL in a status update.

-----

dchest 935 days ago | link

In Chrome 15 there's a flag (in about:flags) to disable third-party cookies from being read:

  Block all third-party cookies.

  When the option to block third-party cookies from being set 
  is enabled, also block third-party cookies from being read.
(Don't forget to activate blocking in Preferences > Under The Hood > Content Settings... > Cookies.)

-----

1880 935 days ago | link

But then some sites stop working, like Twitter and even some parts of Google :(

-----

Silhouette 934 days ago | link

Could you elaborate?

I routinely run with only direct cookies permitted (no third party ones) and with all cookies except those I have explicitly whitelisted being deleted each time my browser is closed.

I am not aware of any problem this has caused me for a long time, including on the sites you mentioned. Maybe there is some useful feature I'm not seeing at all because of the cookie restrictions I impose, but maybe they've just got better over time at not relying on cookies for things they shouldn't?

-----

1880 934 days ago | link

> maybe they've just got better over time at not relying on cookies for things they shouldn't?

It may be that. I just tried and Twitter is working perfectly without third-party cookies. Some months ago it didn't allow me to login.

With Google I had a similar problem, I couldn't login into my Google Account in sites that weren't the search engine (Docs, YouTube, etc). I just tried them, and again, it seems that it works now.

I use Chrome stable. Maybe something changed in the management of third-party cookies in recent releases?

-----

lreeves 934 days ago | link

I would suspect it has something to do with Safari (Mobile at least) having third party cookies disabled by default.

-----

dchest 934 days ago | link

Safari help says "Select to reject cookies from advertisers and from “third parties”—websites other than those you open. This might help prevent certain advertisers from storing cookies on your computer."

This might mean that they reject third-party cookies from being set, but not from being read. That is, once you get a cookie (e.g. signed in to Facebook), every other request to Facebook (even if it's through the "Like" button) will also send your cookie.

The flag that appeared in the latest Chrome beta specifically disables sending of cookies to third parties, even if you have them.

-----

jeromeflipo 934 days ago | link

The +1 Chrome extension (https://chrome.google.com/webstore/detail/jgoepmocgafhnchmok...) doesn't work with third-party cookies disabled.

-----

X-Istence 934 days ago | link

I use Safari and that is the default setting, and I have not had any issues at all ... could you provide more information?

-----

fjarlq 934 days ago | link

Isn't Safari's option the same as Chrome's main "Block third-party cookies from being set"?

Chrome's about:flags option also blocks third-party cookies from being read.

-----

codedivine 935 days ago | link

Thanks for the tip! Anything equivalent for Firefox (and maybe IE and Opera too)?

-----

jnorthrop 935 days ago | link

In the Firefox preferences go to the Privacy tab and select Use Custom Setting for History in the History section. From there you will see the check box to accept 3rd party cookies. Keep in mind this will prevent webmasters from using things like Google Analytics. Which you may want anyway but I thought it was worth mentioning.

-----

dchest 935 days ago | link

Are you sure that setting "Accept cookies" to "off" will prevent third-party sites from reading cookies as well?

-----

jnorthrop 935 days ago | link

Good question and I'm not sure. I would guess that if it doesn't accept them then it wouldn't read them either. The first step in the cookie transaction would be to check whether that cookie already exists (an attempt to read the cookie). It would seem easiest to stop that process at that point based on user preferences rather than just programming it to check at the actual write time.

This is all speculation though.

-----

dchest 934 days ago | link

But once you sign in to Facebook, you have the cookie, so browser will send it if there's no read blocking.

-----

fgaaghf 934 days ago | link

Based on the small amount of testing I did on a couple of versions of Firefox, disallowing third party cookies means only websites you are directly visiting can read or write any cookies.

So if you go to facebook.com and it sets some cookies and later you go to somerandomblog.com that has some images from facebook.com, Firefox will not send cookies to facebook.com, since you are not visiting it directly.

Now obviously if somerandomblog.com has javascript from facebook.com on it, then that javascript can read cookies from somerandomblog.com and do pretty much anything it wants with that page.
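The distinction dchest and fgaaghf draw (blocking third-party cookies from being set versus from being sent with third-party requests) can be made concrete with a toy cookie store. This is an added example, not code from the thread or from any browser; it approximates the site boundary by the last two host labels (real browsers consult the public suffix list) and uses the `c_user` cookie name mentioned later in the thread as a sample value.

```python
from urllib.parse import urlparse


def site_of(host):
    """Approximate the 'site' as the last two labels, e.g.
    www.facebook.com -> facebook.com. An assumption of this example; real
    browsers use the public suffix list to find the registrable domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


class CookieJar:
    """Toy browser cookie store with the two independent third-party policies
    discussed in the thread: block third-party *setting* (ignore Set-Cookie
    on third-party responses) and block third-party *reading* (do not attach
    stored cookies to third-party requests)."""

    def __init__(self, block_third_party_set=False, block_third_party_read=False):
        self.block_set = block_third_party_set
        self.block_read = block_third_party_read
        self.store = {}  # site -> {cookie name: value}

    @staticmethod
    def is_third_party(request_url, page_url):
        req = urlparse(request_url).hostname or ""
        page = urlparse(page_url).hostname or ""
        return site_of(req) != site_of(page)

    def on_set_cookie(self, request_url, page_url, name, value):
        """Handle a Set-Cookie header on the response to request_url while the
        user is viewing page_url. Returns True if the cookie was stored."""
        if self.block_set and self.is_third_party(request_url, page_url):
            return False
        site = site_of(urlparse(request_url).hostname or "")
        self.store.setdefault(site, {})[name] = value
        return True

    def cookies_for(self, request_url, page_url):
        """Cookies the browser would attach to request_url issued from page_url."""
        if self.block_read and self.is_third_party(request_url, page_url):
            return {}
        site = site_of(urlparse(request_url).hostname or "")
        return dict(self.store.get(site, {}))


def like_button_leaks_identity(block_set, block_read):
    """Scenario from the thread: sign in on facebook.com directly, then load a
    page on somerandomblog.com that embeds a facebook.com Like button. Returns
    True if the identifying cookie travels with the embedded request."""
    jar = CookieJar(block_set, block_read)
    # Step 1: first-party sign-in; the cookie is set by the site being visited,
    # so set-blocking never applies to it.
    jar.on_set_cookie("https://www.facebook.com/login.php",
                      "https://www.facebook.com/", "c_user", "12345")
    # Step 2: third-party embed on an unrelated site (constructed URL).
    sent = jar.cookies_for("https://www.facebook.com/plugins/like.php",
                           "https://somerandomblog.com/post")
    return "c_user" in sent


def tracker_can_plant_cookie(block_set):
    """A host never visited directly tries to set a cookie through a
    third-party request. Only set-blocking stops this."""
    jar = CookieJar(block_third_party_set=block_set)
    return jar.on_set_cookie("https://tracker.example/pixel.gif",
                             "https://somerandomblog.com/", "uid", "abc")


if __name__ == "__main__":
    for block_set, block_read in [(False, False), (True, False), (True, True)]:
        print("block set=%-5s read=%-5s -> Like button receives c_user: %s"
              % (block_set, block_read, like_button_leaks_identity(block_set, block_read)))
```

With set-blocking alone the signed-in cookie still reaches the Like button; only read-blocking (Chrome's about:flags option, or Firefox's behaviour as fgaaghf tested it) withholds it.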

-----

abredow 934 days ago | link

Cookies can still be read if this is set to "off."

-----

Mithrandir 934 days ago | link

I use Cookie Monster (https://addons.mozilla.org/en-US/firefox/addon/cookie-monste...) as it allows more dynamic blocking of cookies.

-----

tintin 933 days ago | link

Opera: Preferences (Ctrl+F12) -> Advanced -> Cookies -> Accept cookies only from the site I visit.

-----

mastar2323 935 days ago | link

Facebook Blocker for all common browsers: http://webgraph.com/resources/facebookblocker/

-----

moioci 934 days ago | link

not compatible with Firefox 6.0.2

-----

0x12 935 days ago | link

Imperfect hosts list, there may be more

  127.0.0.1 www.facebook.com
  127.0.0.1 facebook.com
  127.0.0.1 connect.facebook.net
  127.0.0.1 facebook.net
  127.0.0.1 fbcdn.net
  127.0.0.1 www.fbcdn.net

It sure seems to speed up using the web.

-----

infinity 934 days ago | link

Here is some more:

  0.0.0.0 badge.facebook.com
  0.0.0.0 blog.facebook.com
  0.0.0.0 en-gb.facebook.com
  0.0.0.0 developers.facebook.com
  0.0.0.0 touch.facebook.com
  0.0.0.0 de-de.facebook.com
  0.0.0.0 stories.facebook.com
  0.0.0.0 it-it.facebook.com
  0.0.0.0 hu-hu.facebook.com
  0.0.0.0 peace.facebook.com
  0.0.0.0 et-ee.facebook.com
  0.0.0.0 az-az.facebook.com
  0.0.0.0 0.facebook.com
  0.0.0.0 apps.facebook.com

I always use 0.0.0.0 (which is really wrong) instead of 127.0.0.1 (which really exists, there is my local apache), this works on Linux and Windows systems.

-----

ams6110 934 days ago | link

Thanks. I tried to get a list of domains from their nameservers but they seem to have blocked the usual ways to do this:

  $ dig @ns1.facebook.com facebook.com axfr

  ; <<>> DiG 9.3.6-APPLE-P2 <<>> @ns1.facebook.com facebook.com axfr
  ; (1 server found)
  ;; global options:  printcmd
  ; Transfer failed.
and...

  $ host -l -t any facebook.com
  ; Transfer failed.
  Host facebook.com not found: 5(REFUSED)
  ; Transfer failed.

-----

jaydeeca 934 days ago | link

This would just do a zone transfer of facebook.com (plus delegations of sub-domains) not all zones on their nameserver. It is also normally deemed a security vulnerability to allow zone transfers to unauthorized clients, which is basically any client that isn't a secondary nameserver.

-----

16s 934 days ago | link

I blackhole facebook.com at the domain level using pdnsd:

neg { name=facebook.com; types=domain; }

I have no idea why people are so eager to give away their privacy to Facebook and others to sell and whore-out to the highest bidder. It's akin to getting a handful of bright, pretty beads for your property.

-----

jrockway 934 days ago | link

What sort of sales and whoring-out has Facebook done? Is there really any value in one's social graph, or do we just hope there is so we can hate Facebook for being evil instead of for making us realize how dumb our friends are?

-----

AJ007 934 days ago | link

As someone who's bought a ton of advertising on Google, and some on Facebook, there is a hell of a lot of value in the social graph.

With Google you bid contextually, that is, you are guessing that because the page is about (for example) "The Beatles" that the people there are interested in The Beatles. This is generally right. But, you have no idea about the demographics of the viewers. Just knowing if someone is under 18 or over 21 pretty much means whether or not they have any ability to purchase your product after clicking your ad. And these demographic/behavioral trends go much deeper.

On Facebook you buy an ad based on the users' demographics (age, gender, etc.) and what they explicitly said they were interested in. Most people don't list every single interest. Facebook, by pulling in all this external data, now has a shitload more stuff advertisers can target ads on. Instead of targeting the tiny fraction of people who put "The Beatles" as their interests, now advertisers will be able to target users that are likely interested in The Beatles because they do things like listen to The Beatles every week, or all their friends listened to The Beatles this month.

It's very likely that Facebook will be able to beat Google's CPMs with this deep targeting ability. Whether or not it's planned, I expect that Facebook will attempt to syndicate their advertising and compete directly with Google.

Users should be very concerned. Advertisers can figure out a lot about you based on you clicking an ad that they targeted to a narrow set of specifications. You might think the ad is about free iPods but it's really only being displayed to users that met a certain set of criteria. This can and will be abused. To a limited extent it already is.

Back when Facebook first rolled out their ad network, there was an advertiser or two who figured out you could target females that were engaged, and by insulting their weight get them to buy their weight loss pills.

As you can imagine, Google needs a large Google+ user base so they can build their own data set to sell ads based off of.

Ironically the next Facebook killer social network will likely have the main selling point of privacy. I'd sign up. Google + is not it.

-----

rhizome 934 days ago | link

> Is there really any value in one's social graph

If there is value in the graph, then the protection works. If there isn't value, then this is a fail-safe.

-----

chaostheory 934 days ago | link

The more data we have about a user's behavior the more useful it is potentially for predicting future behavior; whether it's how likely they are to buy brand x from store y or who they will vote for in the next election, and how they influence their friends and family (or vice versa).

Right now machine learning is still a niche area for the majority of programmers. Looking at open source software landscape for ml, this is slowly changing. It's only a matter of time before people make breakthrough applications (that is if they haven't already).

-----

jrockway 934 days ago | link

I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

I suppose that because people buy or vote for what they're told to buy or vote for, this will let those wanting to influence people more effectively spend their money. But the solution to that is not AdBlock, it's education. Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?

-----

chaostheory 934 days ago | link

> I don't get why it's a big deal if Facebook knows who you're going to vote for or what brands you might buy.

It depends on who buys the data and / or the interpretation of that data from them. Just imagine a country like China buying it to predict who will become a subversive and arresting them before anything happens, something akin to pre-cog crime. When I think about it, we can probably already do this somewhat accurately with all the data we can collect right now. We have all the tools: open (and affordable proprietary) ML software, open big data frameworks (hadoop, storm, actor model, cassandra), as well as the cloud (AWS, Rackspace). People just need a comprehensive set of data.

> Smarter people mean less susceptibility to manipulation, which is what we are really trying to achieve, right?

Not necessarily, you can't constantly consciously fight thousands of years of evolution; but that's another topic.

-----

jrockway 934 days ago | link

So the reason why Americans shouldn't use Facebook is because it's possible that some rogue government somewhere might oppress its people? Those governments seem to be doing a pretty good job already without Facebook's help.

Then there's the argument that in 30 years the US will be one of these countries, too. I wonder why people are so afraid of this, but not of the small chance that they'll be hit by a meteor when they go outside tomorrow to go to work. They've been hit by a meteor exactly as many times as their government has used a "social graph" to oppress them, after all.

-----

carbocation 934 days ago | link

To be fair, the San Francisco BART protests come to mind when you talk about recent examples of government oppression. On the other hand, I don't know of anyone who has been hit by a meteor.

-----

ams6110 934 days ago | link

For most of human history most people in the world lived under tyranny. In that light the freedoms we enjoy in the USA are a pretty small blip in the data. Why do we think it will always be so, especially with so many people apparently unconcerned about the unprecedented ability of both commercial and government organizations to accurately profile the public/citizens?

-----

chaostheory 934 days ago | link

That's just one obvious example. As for your analogy, that's like saying people were already doing a great job communicating via phone and email, what's the point of IM, twitter, or social networks in general?

You're vastly underestimating the potential value of access and storage of more and more precise behavioral data combined with the innovation of a startup vs the stodgy, uncreative, stubborn ways of both old world telecom and finance corporations. Back then, even with access to people's purchasing data and past addresses, I would have had to do a lot more work and ask for larger increases to our budget to figure out people's relationships as well as non-purchasing behavioral data aside from traffic. Now I can potentially have access to people's preferences to stuff as opposed to just guessing. Today it's much easier and cheaper.

-----

beagle3 934 days ago | link

This protection is NOT about the value of the social graph. And neither is Facebook, BTW - that turned out to be a gambit to get where they are.

And where they are is that they know everything about you (biographical info, hobbies, affiliations, marital status, number of kids, sexual preferences, web sites you visit and when), independently of who you know.

Right now, fb are only (?) using it to target ads at you, but you can be sure that all three letter agencies are cc:ed on every database update

It's about not letting Facebook track your every move on the web and beyond (or, more accurately, not let every site snitch on you to facebook).

-----

clinq 934 days ago | link

You don't want Facebook to post an announcement saying "I am watching a video on makeMEpleasure.xxx, and I like it because I visit this website ten times per day." or have Facebook recommend you potential same-flavor friends or pages, which include something making more guys happy.

-----

jbk 935 days ago | link

I use 2 very simple adblock plus rules that deactivate all of facebook outside of the facebook website. Simple and straightforward and works fine for me.

It might not be enough, though :D

Something like, for Firefox, IIRC:

  ||facebook.*$domain=~facebook.com|~127.0.0.1
  ||fbcdn.net/*$domain=~facebook.com
And for Chrome, I think it would become:

  *.facebook.*$domain=~facebook.com|~127.0.0.1
Edit: adding the rules

-----

mike-cardwell 935 days ago | link

If you're a Firefox user and you'd rather whitelist known good actors than blacklist known bad actors, as per this example, install the RequestPolicy addon.

-----

slowpoke 934 days ago | link

I got pointed to this addon in a past discussion about FB here on HN and I can fully support this recommendation.

-----

jnorthrop 935 days ago | link

Would you mind sharing that rule?

-----

jbk 935 days ago | link

done

-----

sagarun 935 days ago | link

I guess EasyPrivacy, one of the built-in filters in Adblock Plus, already does that. Correct me if I am wrong.

-----

jbk 935 days ago | link

I thought that, but with EasyPrivacy, I still have the facebook comments on TC, but not with that rule.

Maybe I did something wrong...

-----

buro9 935 days ago | link

EasyPrivacy rules can be seen here: https://easylist-downloads.adblockplus.org/easyprivacy.txt

Search that for 'face' and you'll find only 4 rules that would apply, and those are about removing pixel trackers whilst leaving content intact.

The rules above remove content, which is just as well, as anything a pixel tracker can do, content could do. Which is where the current paranoia level seems to be.

-----

fl3tch 934 days ago | link

There's also the Antisocial filter, which removes social widgets.

https://adversity.googlecode.com/hg/Antisocial.txt

It has many filters for Facebook, and I can clearly see, for example, the one for Facebook Connect.

-----

sneak 935 days ago | link

I said this yesterday on the original discussion.

http://news.ycombinator.com/item?id=3033475

Good that you ran with it, though, and illustrated the point.

Perhaps a better headline would have been "Facebook is still tracking you across the web even after you log out", though. Generally it's only hackers that know what "enough" means in this context, and Facebook's market is, as we all know, much much bigger than us.

-----

nikcub 935 days ago | link

not that I want to turn this into a pissing contest, but I emailed this to them on the 14th of November 2010. I emailed them again on the 12th of January this year. I have been sitting on it for that long.

I updated my post to make that clear, that this is an issue that is almost a year old.

-----

aristus 934 days ago | link

Normally the security@ team is very responsive, and not that hard to find:

https://www.facebook.com/security

As for your specific claim about cookies, there is a little checkbox labeled "Keep me logged in" or "Remember me" on the login page. If you don't trust the terminal, don't check that box. Leaving it unchecked will set the personally identifiable cookies to expire at the end of your browser session.

This is the same advice given for any website about unsafe terminals, and anyone who has 15 years of security industry experience would be aware of cookie expiration. What exactly are you claiming here?

-----

nikcub 934 days ago | link

this has nothing to do with 'keep me logged in' and as I mentioned in the post I contacted a number of facebook contacts a number of times (including the standard security report track) and never heard back.

-----

aristus 934 days ago | link

Fair enough. I will follow up. FWIW, the act cookie is always set to session only.

-----

vegashacker 934 days ago | link

He's talking about after having clicked "log out". I don't think the "keep me logged in" button factors in here (though I could be wrong).

-----

brown9-2 934 days ago | link

You are not going to hear back from Facebook because they will not believe this is an "issue".

-----

sneak 934 days ago | link

Precisely - this is a design feature, working as intended.

-----

netnichols 934 days ago | link

I've deleted all Facebook cookies from Chrome and Safari, and now I use Facebook exclusively with a Fluid.app SSB with private cookie storage.

I can recommend this setup for any Mac users willing to spend $5 for Fluid. Alternatively you could probably rig up a 'Facebook' script to launch Chrome with a separate profile to achieve the same results.

-----

biafra 934 days ago | link

Thanks for the update, that Fluid now has private Cookie storage.

-----

Zakuzaa 935 days ago | link

I think there's a start up opportunity - "A dead simple way to take control of your privacy". Perhaps a native tool for windows, mac and linux. Just install it, set the settings and forget it.

-----

veyron 935 days ago | link

Expand on this more. How does this differ from privacy mode (at this point most browsers have an "InPrivate" browsing or "Incognito" or "Private" mode)?

-----

Zakuzaa 934 days ago | link

But you can't really use incognito mode all the time. It will log you out of all other 'legitimate' sites you want to be logged in forever, like Gmail.

-----

bunnyhero 934 days ago | link

also, currently, all incognito windows (in chrome) share the same cookie jar. so if you are using facebook in an incognito window while surfing other sites in other incognito windows, you have the same problem.

-----

mildweed 934 days ago | link

"A dead simple way"

-----

hamidpalo 934 days ago | link

To be completely honest, I don't really see why something like this is so novel and outrageous. It is as if everyone has forgotten why and how companies like Facebook, Google, Microsoft, Twitter, etc. are able to provide what they do for free. The implicit contract is "you get all this for free, and in return we get to serve you ads that we target to you." Moreover, they all have much more information on you than your browsing habits.

Why the outrage?

-----

alexqgb 934 days ago | link

It's because the actual terms of the exchange are so infuriatingly unclear. Also, because efforts to fix this are met with an endless stream of deflections and evasions, all of which signal an intrinsically untrustworthy character in the organizations making them.

To understand this a bit better, imagine going to the grocery store, buying milk, eggs, etc., swiping your card, and not getting a total.

"Don't worry about that" says the store "as long as we (and our unnamed affiliates) have access to your bank account, everything will be fine."

Going home to look at your statement, you see a bunch of debits, most of which seem reasonable enough on their own, but none of which have a clear relation to specific purchases. All you come away with is a general sense that "I should save more" or "I can spend more".

So here's the question: if people started pointing out that this arrangement was highly damaging to people's economic autonomy, and wide open to abuse, what would you think of someone who says "yeah, well, stuff isn't free"?

Would you think that this was an honest, intelligent reply? Or would you note that the person making it has just evaded the original question, shifting the topic away from concern about the deliberately unmanageable terms of the exchange and onto the (uncontested) subject of underlying economics? Also, would you notice that the jerk responding in this fashion added an extra layer of insult by suggesting that the person who asked the question must be a bit of an idiot because they don't understand basic economics?

Toxic politicians do this all the time. They 'reframe' questions before answering, allowing them to 'respond' by answering questions that nobody asked, while dodging the ones they did. If they're especially nasty, they land a rhetorical punch in the process, providing a disincentive to any further questioning.

It's bullshit. And people know it's bullshit. Ergo, the growing outrage.

-----

NHQ 934 days ago | link

I have an idea: Use their cookies against them. Build a plugin that anonymously and randomly swaps cookie values amongst the people using it.

Could possibly make use of telehash.org or the like.

-----

CGamesPlay 934 days ago | link

Would you really run the risk of accidentally letting a random person into your Facebook account?

-----

infinity 934 days ago | link

I also think that this is a bad idea. This form of cookie sharing was done many years ago and I don't remember the details of the story tonight. In the end it really freaked people out when they suddenly had user privileges of other users on popular websites.

-----

Inversechi 935 days ago | link

I use Disconnect for chrome. https://chrome.google.com/webstore/detail/jeoacafpbcihiomhla...

-----

llimllib 934 days ago | link

It makes me nervous that it hasn't been updated since July. I switched to adblock plus with the fb rules above, and "disable all third-party cookies" in about:flags.

-----

sneak 935 days ago | link

I haven't looked, but I would bet any money that Google does the exact same thing, too.

-----

mckoss 934 days ago | link

This seems like a gross privacy violation to not honor the logout button, and continue to track the account ID of the user. I would be very surprised if Google were doing this too. And I would be surprised if Facebook were not hauled into court over this (at least in the EU if not in the US).

-----

sneak 934 days ago | link

Logout has never meant "stop using unique id cookie tracking". Ad networks have been using them forever even without login/logout functionality.

-----

lansing 934 days ago | link

In fact, deactivating/"quitting" your FB account is not enough, either.

I deactivated my FB account several weeks ago, not so much for privacy issues directly but out of concern of the overall psychological effect of so much sharing and the emphasis on superficial identity (something I don't see discussed much).

Anyway, I checked my cookies after reading this piece and, not surprisingly, FB didn't remove my old auth cookie (the one keyed 'datr') when I quit their site. I should have known better, but I still think it's shameful to some degree to track people after they've very clearly disengaged from the site and their FB "identity".

-----

yuliyp 934 days ago | link

datr is not an auth cookie. xs is an auth cookie, and c_user is the cookie which stores your user ID. datr is a machine identifier, not a user identifier (multiple people using the same computer share a datr, but don't share accounts, while a single user using multiple computers or browsers will have a single account, but one datr per machine).

-----

mark_l_watson 934 days ago | link

A question: I periodically delete all cookies in Chrome, and only use Safari for visiting Facebook; this should be safe enough, right? I use one browser (Chrome) for work related things like GMail, Twitter, web search, HN, and customer sites. I use Safari for casual browsing (Facebook, Reddit, etc.) This way I sandbox web tracking to one browser.

I suppose that one big hole in this is tracking my IP address.

-----

rythie 934 days ago | link

Firefox can delete all cookies every time you close it, which helps stop any site from tracking you for more than a day/session.

-----

jmspring 934 days ago | link

The solutions based solely around cookies only will help with that particular mechanism. Over the last year, I've seen a couple of articles similar to the following:

http://news.ycombinator.com/item?id=1714446

and

http://news.ycombinator.com/item?id=2891369

Where "cookies" can be stored in more than just the traditional cookie.db. I haven't looked to see if FB is making use of these alternative mechanisms, but other sites have.

-----

lurker19 934 days ago | link

This is like the old meme "If you had invented Facebook, you would have invented Facebook."

There's no solution to "I like using Facebook but I don't like Facebook using me."

If you don't want Facebook to talk to your computer, don't let your computer talk to Facebook.

-----

0x12 934 days ago | link

But it's not that simple now, is it? Facebook infests your life whether you want it or not and does not have a 'no thanks' or 'yes please' option that will kill all their cruft on a thousand and one websites. On a typical day of surfing you probably load their widgets 100's if not 1000's of times through all the sites that place the cruft on their pages. Whether or not you hit a page with a facebook widget on it is unknowable before you hit the page and facebook does not have a list of domains/hosts to blacklist either. And blacklisting is already beyond the capabilities of most internet users (which is really a sad thing, but you can bet that only a very tiny portion of the netizens knows where to find their 'hosts' file and how to make it do stuff for them).

-----

infinity 934 days ago | link

And even if you know where you can find the hosts file and know what it's good for, it is tedious to collect all the domains and subdomains and add them to the file. There is no wildcard mechanism like *.facebook.com to block all subdomains.

Another solution is to set up a local proxy and apply filter rules, but this is also complicated.

I would love to agree with everybody who says: You don't like Facebook, then simply don't use it. I don't have an account there, but their clutter is everywhere on the web, "like" buttons and stuff like that. I wish that people who maintain their own website or blog would think more about these things and their consequences, before they add fancy buttons to their page layout from a third party site.

-----

Aviwein77 934 days ago | link

Let me get this straight: this guy posts about how logging out of Facebook isn't enough, and how Facebook learns things about you that you don't want it to. The majority reaction is to adblock them and disallow them from doing that to you.

But this isn't right. Go on Facebook and tell me how many of your friends wouldn't even know the first thing to do with one of these extensions. So now the computer literate people know how to protect their privacy, but what about everyone else?

-----

zinkem 934 days ago | link

Adblocking is a practical solution to something we see as a problem. Many people don't even think this is a problem and actively ignore people trying to educate them, so what do you propose the right thing to do here is?

> So now the computer literate people know how to do X, but what about everyone else?

This is only a problem that will get worse with time. Computer literacy is important to contemporary society.

-----

grourk 934 days ago | link

Because the majority reaction to any HN post is a technical pissing contest you have to learn to ignore if you want to glean anything interesting from the thread. If you're not interested in that, or in showing-off your own geeky credentials, then you're mostly wasting your time participating in an HN "discussion".

-----

ck2 935 days ago | link

Why should any cookie last more than 30 minutes anyway in this day and age? Make all cookies session cookies.

Also disable third-party-cookies entirely.

-----

mckoss 934 days ago | link

Many users would be annoyed to lose their persistent login. Disabling 3rd party cookies globally will break many sites that use 3rd party services and may be against the site's TOS as it would negatively impact their ad revenue.

-----

beaumartinez 935 days ago | link

> The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year.

You realise you're hurting innocent users much more than Facebook itself by not reporting them, right?

-----

palish 934 days ago | link

It's not his duty to report such things.

No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?

My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.

But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.

-----

beaumartinez 934 days ago | link

I guess I'm too nice myself. It'd be nice if we all did that extra 10% to make the world better.

Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.

(Facebook has a web form for it[1].)

[1] http://www.facebook.com/whitehat/report/

-----

lawnchair_larry 934 days ago | link

He didn't put the bugs there, he only discovered information that already existed. He can't be blamed for hurting anyone.

It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.

-----

wonginator1221 935 days ago | link

Even after deleting FB cookies, what prevents them from tracking you (with reasonably good accuracy) using your IP address? In that case, you might as well just blacklist all of facebook.com.

In my opinion, internet users must be aware that there is no easy way to be totally anonymous, whether it be Facebook, Google, etc. If you require complete anonymity, you might as well unplug your internet cable.

-----

mootothemax 935 days ago | link

> what prevents them from tracking you (with reasonably good accuracy) using your IP address

Dynamic IP addresses and use of the same IP address by multiple people.

All it takes is a couple of friends, acquaintances or others accessing using your home network and it'll confuse the hell out of the stats. And that's without going into IP ranges for universities, schools, offices large and small, and your local coffee shop.

Then add in IP address pooling by ISPs, where every time a user connects (or every week, month or year) they're issued a new IP, and you end up with an unclear situation.

I won't start on how cell/mobile phone networks further confuse the situation ;)

-----

v21 935 days ago | link

Or, indeed, using your combination of locale, useragent, etc. These are often unique. You can test yours here: http://panopticlick.eff.org/

-----

jcfrei 934 days ago | link

You're partly right - the only resolution here would be to disable javascript, which makes a great part of panopticlick work (identifying installed fonts, etc.). However, I think this kind of user recognition would be overkill for a site with as many impressions as facebook - the computational effort to assign an account to each set of features must be huge (though maybe sometime later ... when privacy laws get more restrictive).

-----

thrill 934 days ago | link

It is indeed sort of disturbing that panopticlick gives me the message "Your browser fingerprint appears to be unique among the 1,769,884 tested so far."

-----

NHQ 934 days ago | link

If you add any new plugins your print would be unique again compared to your previous settings, which would make you difficult to track. Stay unique, my friends.

-----

v21 934 days ago | link

Still possible, still possible. Of course, it all depends on how much they want to track you.

-----
