It's hard to tell precisely what's going on based on the amount of information in the post. It's possible that another interaction, including one that could be occurring on the client machine, is consuming the URL and generating this behavior.
We'll update if any new information is discovered.
I have had a lot of difficulty in the past discussing security and privacy concerns with your team - in particular a complaint about the censorship of my linking leaked Snowden and Wikileaks documents and PDF scans of Islamic Extremist magazines (non-violent/gross content).
Do you have a transparency document anywhere that you can link, so that we can understand what you as a representative can and will contribute to the conversation? Could you also provide some proof that you are a representative of Facebook security?
Thank you again for your time.
If you have specific security vulnerabilities to report, here's a link to our Whitehat program: https://www.facebook.com/whitehat/report/
Is there a legal or transparency document that you can link so that we can understand what information you are able to share?
Facebook Transparency Reports https://www.facebook.com/about/government_requests
Facebook Terms (legal documents) https://www.facebook.com/policies/
Thank you for the links.
Our systems followed this URL after it was posted on a public site. Our system constantly explores links published on the web. We've checked our logs and confirmed that this is what happened in this specific case. It's not related to any Facebook chat messages containing this link. Our system doesn't access that information.
You left this comment on Bosnadev's blog. Mind sharing with the rest of us?
RE: whether these comments really are from the RF team, we're about to post the same info on our own blog.
Your link to the blog is broken (the href is missing an '=').
Unfortunately no new information for those following the threads. Are there any plans to release more details (links, logs) publicly?
http://pastebin.com/ukBvSKyw - Look at the timestamps. And no "Recorded Future" here, hence published before their fetch.
Since the OP published the article implying such a grand circumstance, and commented "I assure you it was not posted publicly by any of us. Newly created URL and link c/p to fb chat.", I believe that there are still a few basic questions in order, in any case:
1. What "link generation" program was the OP using? Is it possible this program streamed its output through something like Pastebin - without the explicit knowledge of the OP - and if so, can we verify this is the case by following up with an example?
2. Can the representative from Recorded Future comment on whether or not this site, Pastebin, is being monitored?
Thanks all, for what we'd surely hope to be a trivial, if unusual, case of software being stealthy...
Perhaps you won't say, exactly, without the OP's permission?
Can you give us more information including:
- Proof you are from Recorded Future
- The public URL at which you picked up the links
- Any evidence you have that what you say happened indeed happened? That is specifically the log information you report on having investigated. Publishing this will allow the original publisher and independent analysis to corroborate your story.
The more information you can publish to quell any doubts, if this is completely benign, the better for your company/Facebook/CIA.
if the url is public, let's see it :)
- Connectify: virtual router to broadcast wifi. Sees all traffic. Positioned perfectly for MITM SSL stripping. Closed source.
- FireEye (enterprise security)
(This also seems like a fun time to note that Witopia, a VPN provider lists its office address in a building occupied by multiple CIA subdivisions.)
An apparent theme of In-Q-Tel investments is targeting security-related markets. Most consumers and small businesses cannot implement their own security, so they need to leverage the services of a security company, like one of In-Q-Tel's many investments. In-Q-Tel understands this need, and so do other investors. Security is hot right now.
When consumers evaluate security companies, trust is becoming an increasingly important factor. After all, why purchase security services from someone you cannot trust?
In-Q-Tel is a CIA fund. The "post-Snowden era" has damaged Americans' trust in government intelligence agencies like the CIA. With more Snowden/Greenwald leaks pending, trust will likely continue to erode.
If Americans do not trust US intelligence agencies, why would they choose a security company funded by a US intelligence agency? One does not have to be a conspiracy theorist to agree with the logic for purchasing a security product not funded by the CIA.
Given this fact, it also seems natural to assume security companies will no longer seek investment from In-Q-Tel, given the presumably negative customer reception. For security companies, In-Q-Tel investment could become a negative signal to consumers, and therefore also to other investors.
Will Intelligence agencies have trouble investing in winning security companies? What will be the repercussions for CIA investment strategy?
We need more independent verification of actual software behavior, and better ways to manage its behavior.
This seems the appropriate time to interject that this may not be particularly meaningful. I once worked in a building that contained offices of the IRS CI and Secret Service. The IRS were actually on my floor - seeing an armed accountant in the bathroom is a bit of a surprise.
It doesn't always mean a lot. In my case, it meant we were in a building conveniently close to highways and the local airport.
Office space could be cheap, or in this case datacenter space as well.
I am not accusing Witopia of being a CIA-funded VPN provider, but it seems reasonable to argue that sharing an address with the CIA is not a rational business decision for a VPN company.
It's hardly implausible, but is there any better, clearer source of this assertion?
> We identify, adapt, and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community.
> The second round of funding into Facebook ($US12.7 million) came from venture capital firm Accel Partners. Its manager James Breyer was formerly chairman of the National Venture Capital Association, and served on the board with Gilman Louie, CEO of In-Q-Tel, a venture capital firm established by the Central Intelligence Agency in 1999. One of the company's key areas of expertise are in "data mining technologies".
> Howard Cox is an Advisory Partner of Greylock, a national venture capital firm. Greylock with committed capital of over $2 billion under management has been an active investor in enterprise software, consumer internet and healthcare.
This is the closest connection I know between In-Q-Tel and Facebook, that's why I posted that link. (note that OP said "indirectly")
The indirectly comment is referring to the CIA itself. Funding by IQT would thus be indirect versus funding by the CIA. The problem is there's no credible evidence of either, just fairly weak circumstantial stuff at best.
Nah. Objective, verifiable info, please.
I would not be surprised one bit if SRI had not gamed this panopticon to the n-th degree in the 70s before Al Gore "invented" it for us.
[p.s. I cannot reply to a follow-up so for the record, ARPANET was not an 'academic' exercise.]
I also assume from the timezone in your log that your server is outside the US. It would be interesting to test this with a link to a server located inside the US, to try to determine where the interception is taking place.
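As an added example (not code from this thread or from any company named in it), here is how a defender would run the test suggested above: mint one unique canary URL per channel the link is shared through, then attribute every fetch in the server's access log to its channel and measure how long after sharing it arrived, with all timestamps normalised to UTC so the server's own timezone does not matter. The host name, token paths, log lines and crawler user agent are constructed, and the log format is assumed to be Apache/nginx "combined".

```python
import re
import secrets
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed log format: Apache/nginx "combined". Adapt the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def make_canaries(base_url, channels):
    """One unguessable URL per sharing channel (e.g. 'fbchat', 'email'),
    so a later fetch can be attributed to the channel the link went through."""
    return {ch: f"{base_url}/{ch}-{secrets.token_urlsafe(12)}" for ch in channels}


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Parse the server's zone offset, then normalise to UTC so the delay between
    # posting and fetching is comparable whatever timezone the server logs in.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return rec


def find_canary_hits(log_lines, canaries, shared_at):
    """Return each fetch of a canary path as a dict:
    channel, after_s (seconds since that canary was shared), ip, ua, status."""
    path_to_channel = {urlparse(url).path: ch for ch, url in canaries.items()}
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in path_to_channel:
            continue  # unparseable line, or ordinary traffic to other paths
        ch = path_to_channel[rec["path"]]
        hits.append({
            "channel": ch,
            "after_s": (rec["ts"] - shared_at[ch]).total_seconds(),
            "ip": rec["ip"],
            "ua": rec["ua"],
            "status": rec["status"],
        })
    return hits


# Constructed sample: two canaries shared at the same moment (one in a chat,
# one by e-mail) and a constructed log in which only the chat canary was fetched.
CANARIES = {
    "fbchat": "https://canary.example.test/c/fbchat-Zq8kT2mVw1",
    "email": "https://canary.example.test/c/email-7HgLp0RsXd",
}
SHARED_AT = {ch: datetime(2014, 11, 27, 18, 10, 0, tzinfo=timezone.utc) for ch in CANARIES}
SAMPLE_LOG = [
    '203.0.113.9 - - [27/Nov/2014:19:12:03 +0100] "GET /c/fbchat-Zq8kT2mVw1 HTTP/1.1" 404 162 "-" "ExampleCrawler/1.0 (+https://crawler.example.test)"',
    '198.51.100.4 - - [27/Nov/2014:19:15:40 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, CANARIES, SHARED_AT):
        print(f"{hit['channel']}: fetched {hit['after_s']:.0f}s after sharing by {hit['ip']} ({hit['ua']})")
```

A canary that is fetched only when shared through one channel, and never when shared through the others, points at that channel as the leak; a 404 in the log still counts as a fetch.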
I'm a fan of sites like: https://twofactorauth.org/ (credit to davis) that call out this kind of stuff and list competitors next to each other.
Does anyone know of one similar for calling out privacy BS?
Is it irony that sending a full-pixel render of markup is the opposite of the HTML idea? :p
I'm just curious to the community's impression of the level of tolerance the general public has on these matters of privacy.
A person's chats being read by some spooky unknown company or government agency has little-to-no tangible effect on a person's life. Until it does, people can spend their effort on problems that do have tangible effects on their lives. And I think that's reasonable. Others might say we shouldn't wait until it's too late... but there are many other problems where it's already "too late" that deserve attention.
Anyway, I think it's cheap to imply that people are just lazy (as some do) for not caring about this stuff. It's just they have other problems that deserve their attention.
The less security that is provided to everyone, the easier it is to access content of the truly vulnerable people.
So even if it turns out that facebook is selling off all of its data to the highest bidder people would probably still use it, unless there is an alternative. For chat we're seeing more and more protocols and apps springing up, both proprietary and open source - e.g. XMPP or the much younger/newer http://matrix.org (which I work on).
For event organization? The key thing that makes facebook useful for this is that pretty much everyone has an account. You could probably build something on top of a distributed/federated chat/data replication system (like Matrix or possibly XMPP, etc.), but I don't see any new closed app being able to get enough traction to overthrow Facebook there.
This would be broadly equivalent to Facebook killing the Whatsapp brand and letting the team go, and relaunching an enhanced FB Messenger a couple of months later...
The Supreme Court is perfectly clear as to what rights we have when we don't have "reasonable expectation of privacy".
Finally, we are effectively coerced [in]to using these products -- unless you want to head to the woods and live the back to nature life.
Game is over.
> The (then) CEO of Google Inc. loudly declared the (constitutional) legalese that the users of his company's product have "no reasonable expectation of privacy".
never happened. You're conflating different events.
One is presumably Eric Schmidt warning users that Google is subject to the Patriot Act.
The other was a defense (I assume from one of their lawyers and well after Eric Schmidt stepped down from being CEO) that when people email a gmail account, they don't have reason to believe that gmail won't process their email.
From your conclusions: first, the lawsuit was in the context of non-gmail users, not the gmail account holders themselves, so doesn't apply to "users of his company's product". Second, the judge rejected that line of argument anyways. Finally, you're taking a limited defense (they were arguing within the confines of the Wiretap Act) and somehow spinning that off into a general loss of constitutional rights that doesn't follow.
His intent is opaque and irrelevant.
What is relevant is that it is, and has been for a few years at this point, a matter of public record and declaration that you do not have "a reasonable expectation of privacy" when using certain internet services.
That's fine; I was just responding to your assertion that it was the "(then) CEO of Google Inc" saying things.
> What is relevant is that it is, and has been for a few years at this point, a matter of public record and declaration that you do not have "a reasonable expectation of privacy" when using certain internet services.
You just skipped every single one of my points. You're taking a limited claim and turning it into histrionics. Your expectations of privacy do not work that way. Please re-read my comment above.
Google may still be the best search engine, but I use Facebook solely for the chat functionality. If some competitor comes along that offers the same features with the same quality but better privacy I would have no problem with switching.
(In case somebody smells a startup idea or already know a solution, I am looking for a service with good, easy to use Android, Apple and Windows Phone Apps, website for desktop use (desktop client for Windows and Linux is fine too), decent direct-message as well as group chats with consistent message ordering. I should be able to view all my messages, including history, in Apps on all my phones as well as on my desktop.)
I've always had a thesis that I'm not sure is true, perhaps I'm not social enough, although I have my facebook friends and many contacts in my phone I really only talk to 3-8 people. If such a thing existed I don't even know if it would be too much work to switch since I would only tell that small amount of people.
But perhaps I'm too antisocial, I wonder what other people think about that.
I think if a competitor showed up that is seriously better than Facebook, every person switching could have a huge Ripple Effect. People already use a multitude of Apps/Services for communication, using one more isn't a big enough cost to invoke the network effect in my opinion.
1 - http://www.theguardian.com/technology/2013/aug/14/google-gma...
2 - http://www.consumerwatchdog.org/newsrelease/google-tells-cou...
3 - http://en.wikipedia.org/wiki/United_States_v._Jones_(2012)#A...
Now let's have a conversation.
Speak up. Which of the above statements are not factual?
Now I just don't trust giving private info over such chats.
Facebook policy on interstitials for malware/malicious links
If you trust your data to a company it will be sold. That goes for Facebook, Google, and any other major company.
As for the ToS, I'm not sure you can say someone is bound by a set of rules they can change at any time without notice. They may have already changed the rules and simply not made the changes public.
Privacy is one of the main points any facebook competitor can use to get an advantage. One day that could really hurt facebook.
What's more insidious at this point is that Google is only marginally better, but a lot of people have much higher opinions of Google.
When it comes down to it, trusting a company just isn't a good idea. Companies inherently aren't trustworthy. Even if the current leadership is trustworthy, companies can change hands and the data is still there. Companies get hacked, try to do what's right but compromise to stay in business, etc. The only way you can trust that a chat service isn't sharing your data is if they mathematically are prevented from doing so through cryptography.
Facebook chats are stored on the servers of a company that I have no control over, that is not funded by me, and that has repeatedly demonstrated a commitment to getting people to reveal things about themselves.
And meanwhile the U.S. government is listening to our phone calls.
Are Facebook chats read by the U.S. government? Of course they are -- even if the claims in this article are completely false.
So, again, why is this an issue?
Facebook is in PRISM and a myriad of other government programs - everything that is posted, uploaded or chatted there is tagged, filtered and alerted for activity that the US government may deem dangerous or may want to pursue for other reasons (DEA, aggregate understanding and persuasion/'engagement').
Agreed broadly that this wouldn't be completely new news (were it to be confirmed). Technical details and confirmation do help citizens to understand that surveillance/'bulk collection' is alive and well.
Again that isn't anything new - although still profound.
How good is it, in terms of latency and reliability?
But if you are ok with alpha-quality software and want encrypted chat similar to IM/Facebook chat you should stick to something like Pond https://pond.imperialviolet.org/
Maybe (just an example) you might not have deep knowledge about cryptography; does it mean those who have the knowledge should not call out the problem when they find one?
Anyone have any knowledge re: the legitimacy of this?
Most people - anyone clueless about computers, and only vaguely informed on the state of our intelligence community - they do not "know" what you imply. Because, we do not "know", and therefore we cannot prove it to them.
We are given bits, here and there. Who knows what bits are suppressed by which interpretations of this Patriot Act or that?
Such a laissez-faire attitude about such potential for warrantless, unbounded, infinitely intelligent surveillance (and control, which it implies) is inconsiderate of most people, to say the least. To say the most, it could be fatally reckless for too many of us.
"Come on": if a random link was crawled by a "threat intelligence agency" in an otherwise innocuous chat? That is outrageous, if true.
To be clear, I recognize "hints" that have been posted (as opposed to proof) suggesting that, in fact, something like Pastebin.com was crawled. And, for some reason, the link that was allegedly private allegedly ended up on Pastebin.
In any case, the authors of this thread were clearly not aware of such "sniffing" on their computers... to say the least.
Maybe completely innocuous, and maybe not.
But since we're on this Snowden/Citizenfour topic, let me at least be clear: I refuse to let the walls keep crumbling, if that's what we're really talking about. You can bet your ass that Benjamin Franklin was right: “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
I refuse to consciously and explicitly grant free rein to "Big Brother" - and reduce this to a "catch me if you can" survival of the "most evasive" - just because, you know, "national security" knows what's best for us.
Whose security exactly? Who helped lobby to put whom in what directorship of what agency that deems it fit to keep this (slightly sensitive topic to Corporation X, Y, Z) confidential?
The more you let the surveillance state grow - whatever respectable, admirable, necessary ideals it may have - the fewer and weaker your "million secure alternatives" will become.
We must not reduce control of the future of our country to a cat and mouse game. We must be tigers ready to fight for what's right for everyone. And yes, everyone should decide this together - not just a few "intelligence analysts" (or worse, their bots) in a pretty little lab somewhere...
On April 30, 2014, we announced the deprecation of the XMPP Chat API as part of the release of Platform API v2.0. The service and API this document covers will no longer be available after April 30, 2015.
Once version 1.0 is deprecated on April 30, 2015, chat.facebook.com and the xmpp_login permission will no longer be available.
We recommend developers who have integrated with the XMPP Chat API deprecate this functionality from their apps before April 30, 2015 to avoid broken experiences.
The problem that needs to be solved is one of having a fully encrypted, distributed messaging protocol (i.e.: no central server) with apps that are easy enough for grandma to use.
It's a shame that XMPP never really took off; even more so as a lot of people seem to be taking it as proof that no distributed chat system will ever take off. I think there are quite a lot of reasons end users would really like distributed chat, one of which is very much security. We need to learn why XMPP didn't take off and either a) fix it, or b) learn and move on.
(Which is why I'm part of a team building http://matrix.org/, check it out!)
However, I don't necessarily think we're ever going to get to a world where everything is end-to-end encrypted. There will always be trade-offs involved when using encryption, and sometimes the trade-offs aren't worth it (a stupid example being public group chats).
It would be nice, however, if chat apps and protocols in general made it clearer what level of security is involved. Just like the average user is slowly getting to grips with HTTP vs HTTPS (thanks in part to the nice and simple padlock icon on most browsers), there's no reason that users can't be made aware of the security of a given conversation and medium.
Facebook, for all its woes, is still easy/useful when trying to organize events, and I really don't care that much if they are spying on that. On the other hand I don't really use facebook messenger since I do care about those conversations.
We need to empower average users to be able to make those same informed choices on who they trust with what.
File storage is moving from standard calls like fopen() to using the Dropbox API or Google Drive API.
Phone calls are moving from device-agnostic copper wire to Skype or Google Hangouts.
Taxis are moving from wave your hand to proprietary Uber API to proprietary Lyft API.
But then again, back in the day, competing products in a single market (e.g. Zip Drives vs. LS-120) were still sufficiently similar that it was possible to use a single API to access both (e.g. fopen()). Nowadays, competing products in the same market (e.g. Dropbox vs. Google Drive) are so different in implementation and feature set that it's inherently difficult to come up with a single extensible standard that covers both.
So are we now in an age where everything will remain proprietary for a few decades due to technological limitations?
On April 30, 2014, we announced the deprecation of the XMPP Chat API as part of the release of Platform API v2.0. The service and API this document covers will no longer be available after April 30, 2015.
Mea culpa. :/
> Jack Carter said a woman from Canada saw the posting, did a Google search for his addresses and when she noticed he lived near a school, called the police.
The second round of funding into Facebook ($US12.7 million) came from venture capital firm Accel Partners. Its manager James Breyer was formerly chairman of the National Venture Capital Association, and served on the board with Gilman Louie, CEO of In-Q-Tel, a venture capital firm established by the Central Intelligence Agency in 1999. One of the company's key areas of expertise are in "data mining
None of Facebook's SEC filings ever showed a single dollar from In-Q-Tel and they're not shy about publicizing what they've invested in: