Two reasons to reconsider your Facebook membership

It’s not that complicated.

Graham Cluley


It’s been a bad week for Facebook and its two billion-plus users.

Firstly, computer scientists at Northeastern University discovered that Facebook was allowing advertisers to target individuals using phone numbers that users had supplied only for the purposes of two-factor authentication (2FA).

In short, even if you had set your Facebook privacy controls to their most restrictive settings – advertisers could still target you because you had (quite sensibly) enabled two-factor authentication to protect your account from hackers.


Similarly, according to the research, it seems there are pitfalls if users provide their phone number to receive alerts about unrecognised logins on their Facebook account:

“Facebook allows users to add email addresses or phone numbers to receive alerts about logins from unrecognized devices. We added a phone number and an email address to an author’s account to receive login alerts, and found that both the email address and phone number became targetable after 17 days.”

It’s one thing to use information that users choose to include in their Facebook profile for targeted advertising. It’s quite another to take advantage of information that was only shared with the site to boost security.

Remember, unrecognised login alerts and 2FA are features that users should be actively encouraged to enable, to better protect their Facebook accounts. When Facebook is revealed to be helping advertisers exploit such private, personal information, it only encourages users not to enable these protections in the first place.

And that’s not all… The researchers confirmed that Facebook was using “shadow contact information”, collected from other Facebook users’ address books, and associating them with your account. Facebook hides the fact that it has connected, for instance, alternative email addresses and phone numbers to your profile but uses it to assist targeted advertising.

As Kashmir Hill of Gizmodo explains:

…if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

All of this amounts to what the EFF describes as “deceptive and invasive” practices by Facebook, which ignore “reasonable security and privacy expectations”.

Such behaviour by Facebook inevitably erodes users’ trust in the service.

And then the world found out about the security breach.

On Friday 28th September, Facebook went public with details of a “security issue” that it had discovered earlier in the week.

Approximately 50 million accounts were left exposed to attackers who were able to exploit a vulnerability in the site’s “View As” feature (actually a combination of three bugs). This security hole allowed hackers to steal users’ access tokens:

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

The bad news is that these Facebook access tokens could not only be used to access Facebook accounts, but also other third-party apps that use Facebook for login.

According to Facebook, the vulnerability in its code was introduced in July 2017, and on September 16th 2018 it saw a massive spike in traffic on its servers as hackers exploited the flaw and harvested access tokens for other users’ accounts. It took until September 25th for Facebook to determine that there had been a security breach.

Facebook says it has temporarily disabled its “View As” feature until it has completed a “thorough security review”.
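The article describes the flaw as a token being minted, inside a "preview as someone else" context, for the wrong user and with too many permissions, and notes that such tokens also unlock third-party apps that use Facebook for login. The following is an added, simplified model written for this page; it is not Facebook's code, and every name in it (the session fields, the token service, the relying-party check) is hypothetical. It shows the buggy minting logic beside a fixed one, and how a relying party that checks a per-user token generation stops honouring tokens once the platform resets them.

```python
"""Model of an impersonation ("View As") token-minting bug and its fix.

Added illustration, not Facebook's code. The page describes a preview
feature that exposed an uploader while impersonating another user, and an
uploader that minted an access token for the impersonated user with broader
permissions than the caller should have had. All names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class Session:
    principal: str                  # the authenticated user (who logged in)
    view_as: Optional[str] = None   # subject whose perspective is previewed


@dataclass
class AccessToken:
    subject: str                    # user the token acts as
    scopes: frozenset               # permissions granted
    generation: int                 # subject's token generation at issue time
    value: str = field(default_factory=lambda: secrets.token_hex(8))


class TokenService:
    """Keeps a per-user generation counter so a reset invalidates old tokens."""

    def __init__(self) -> None:
        self.generation: Dict[str, int] = {}

    def current(self, user: str) -> int:
        return self.generation.get(user, 0)

    def reset(self, user: str) -> None:
        # "Forcing a re-login": every previously issued token for user dies.
        self.generation[user] = self.current(user) + 1

    def validate(self, token: AccessToken) -> bool:
        return token.generation == self.current(token.subject)


FULL_SCOPES = frozenset({"read_profile", "post", "upload_video", "read_messages"})


def mint_uploader_token_buggy(svc: TokenService, session: Session) -> AccessToken:
    """Bug: the token is issued for the *effective* user (the view-as subject)
    with full permissions, so a previewing caller receives the other user's key."""
    effective_user = session.view_as or session.principal
    return AccessToken(effective_user, FULL_SCOPES, svc.current(effective_user))


def mint_uploader_token_fixed(svc: TokenService, session: Session) -> AccessToken:
    """Fix: never mint tokens inside a preview, and bind the token to the
    authenticated principal with only the scope the uploader needs."""
    if session.view_as is not None:
        raise PermissionError("no token minting while previewing as another user")
    return AccessToken(session.principal, frozenset({"upload_video"}),
                       svc.current(session.principal))


def relying_party_login(svc: TokenService, token: AccessToken,
                        required_scope: str = "read_profile") -> Optional[str]:
    """A third-party app that logs users in with the platform's token.
    Accepts only live (non-reset) tokens carrying the scope it needs;
    returns the logged-in user, or None when the token is rejected."""
    if not svc.validate(token) or required_scope not in token.scopes:
        return None
    return token.subject


if __name__ == "__main__":
    svc = TokenService()
    preview = Session(principal="attacker", view_as="victim")   # constructed sample
    leaked = mint_uploader_token_buggy(svc, preview)
    print("buggy token acts as:", leaked.subject, sorted(leaked.scopes))
    print("third-party login with leaked token:", relying_party_login(svc, leaked))
    svc.reset("victim")
    print("after platform reset:", relying_party_login(svc, leaked))
```

The relying-party check is the part third-party services control: even when the platform's minting logic is wrong, a login flow that re-validates the token against the platform (here, the generation counter) stops accepting it as soon as the platform resets the affected users, which is what the forced re-login described above achieves.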

You can learn more about both of these issues in this edition of the “Smashing Security” podcast:

Smashing Security #098: A Facebook omnishambles

Transcript. This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARIA VARMAZIS
That's a lot more people than I would have thought. That's a lot of people.
GRAHAM CLULEY
We're not some tinpot little country, Maria Varmazis. We have lots of people going to these conferences.
MARIA VARMAZIS
A political conference? I would have thought a couple hundred. I don't know, who wants to go to these things? They're so boring.
Unknown
Smashing Security, Episode 98 of Facebook Omni: Shambles with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 98. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, hello, hello, hello. We are joined this week by—
CAROLE THERIAULT
Let me guess.
GRAHAM CLULEY
What, what, what?
CAROLE THERIAULT
Is it a David?
GRAHAM CLULEY
Well, we've had about 4 or 5 Davids in a row.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
It is actually, yes, it is a David. It's David Varmazis. Hello, David Varmazis.
MARIA VARMAZIS
Hi. Hi, it's David.
GRAHAM CLULEY
Oh no, it's Maria Varmazis. Hi, Maria.
CAROLE THERIAULT
Much, much better.
MARIA VARMAZIS
I'll go by David if that helps. But that's also confusing for me. I don't know.
CAROLE THERIAULT
I loved your little David time, but it's time for Maria time.
MARIA VARMAZIS
Maria time.
GRAHAM CLULEY
Well, what it isn't time for, Carole, is a time for celebration because at the time we are recording this, it is the morning after the Podcast Awards.
CAROLE THERIAULT
Tell you what, I'm hoping this show is going to cheer me up. I don't think I've smiled all day.
MARIA VARMAZIS
There's got to be a morning after.
GRAHAM CLULEY
If you haven't heard, Maria, we didn't win at the Podcast Awards.
CAROLE THERIAULT
No. Boo, hiss.
MARIA VARMAZIS
Well, they're wrong.
GRAHAM CLULEY
Despite the enormous effort we went to creating our acceptance speech video, which they requested in advance.
CAROLE THERIAULT
Yes. Okay. I was just going to say they did request it in advance.
GRAHAM CLULEY
Yes. They said, if you want any chance of winning, you have to make an acceptance video. They said, we thought, oh, darn.
CAROLE THERIAULT
So we got our friend Michael Hutch to help us create a cool, cute video. And yeah, we still lost.
MARIA VARMAZIS
So you couldn't win without a video? Am I understanding that correctly? Yeah. Yes.
CAROLE THERIAULT
Well, it turns out sometimes you don't win with a video. It wasn't in the bag, you see. I misread.
GRAHAM CLULEY
Anyway, it was a brilliant video. We'll link to it in the show notes if people want to see it.
CAROLE THERIAULT
It's a great video. We're going to use it again.
GRAHAM CLULEY
To be honest, it's better than our podcast. I think we should have just won the Trophy Acceptance Video Awards instead of the Podcast Awards. That would have been nice, wouldn't it?

Now, Carole, are we even going to do an episode next week? Because you're off somewhere, aren't you?
CAROLE THERIAULT
Yes, well, we'll have to see what we do next week. Yeah, I'm in Montreal at the Virus Bulletin 2018 conference.
GRAHAM CLULEY
Get you?
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Well, I'm doing a little work there, so if there's any Smashing Security fans in the area, they should come and say hello.
GRAHAM CLULEY
Oh yeah. Bonjour.
CAROLE THERIAULT
Yeah. So, you know.
GRAHAM CLULEY
Okay. Will you have a little something for them? I'm into sticker. Oh, Smashing Security sticker. Will you have anything to give people, you know, if they're listeners?
CAROLE THERIAULT
I don't think people need a sticker to come say hello to me, Graham. I think meeting me is pretty cool.
MARIA VARMAZIS
It might help. Hey!
GRAHAM CLULEY
This episode of Smashing Security is supported by LastPass. Everyone knows LastPass is a password manager for end users, but it's also a great solution for businesses.

LastPass Enterprise simplifies password management for companies of all sizes, giving you the right tools to centrally control employee passwords.
MARIA VARMAZIS
Go to lastpass.com/enterprise lastpass.com/smashing to learn more.
CAROLE THERIAULT
Hey Graham?
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
So I've got a problem.
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
I use a cloud service, I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?
GRAHAM CLULEY
Yeah, you've got to encrypt it.
CAROLE THERIAULT
Before I load it up?
GRAHAM CLULEY
Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company.

Or indeed law enforcement or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor.

It's what I run on my computer, and any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control.

So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.
CAROLE THERIAULT
Cool, I'll check it out.
GRAHAM CLULEY
Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week.

I want to take you both on a summer holiday to the heart of Britain, the jewel of the Midlands, the beautiful resort known as Birmingham.
CAROLE THERIAULT
Just up the road.
GRAHAM CLULEY
It's not that far from us, is it?
CAROLE THERIAULT
No.
GRAHAM CLULEY
And that is where the Conservative Party, who are currently the party ruling Britain, have been having their conference this week. Yeah.

Now, the Conservative Party conference doesn't always go without a hitch. For instance, last year Prime Minister Theresa May, she was giving her keynote speech.
CAROLE THERIAULT
She wasn't very well.
GRAHAM CLULEY
Well, she did have a cough and someone passed her a lozenge, but that actually was the least of her problems because her keynote speech also got interrupted by a comedian who managed to pass her a P45 on stage.

That's basically the form you get when you've lost your job.
MARIA VARMAZIS
So what we would call a pink slip. Yes. Yes. Gotcha.
CAROLE THERIAULT
See, there's a reason why you make them pink, right? If it had been pink, she would not have touched it with a 10-foot pole. She thought it was a secret message. I felt for her.
GRAHAM CLULEY
And then there was this signage behind her. You know, they put big slogans behind you.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
And she had one behind us which said, building a country that works for everyone. But during her speech, every now and then, a letter would fall off the wall. It's the Velcro.
MARIA VARMAZIS
Oh, God.
CAROLE THERIAULT
It did feel a bit like they didn't have a very big budget.
MARIA VARMAZIS
It's poetic.
GRAHAM CLULEY
It was a bit of an omni-shambles. And they don't want a shambles again, do they?
MARIA VARMAZIS
Omni-shambles.
GRAHAM CLULEY
Yes. They really don't want one of those. So this year, Conservative Party Chairman Brandon Lewis, he's in charge of the whole conference.

He wanted to make sure that everything went very smoothly.

He was planning to boast at his opening address about the evidence that the party had turned itself around and that they were really getting with the beat.

And they had a new conference app, he was planning to say, which would let delegates provide feedback during cabinet ministers' speeches.
CAROLE THERIAULT
Oh, wow.
MARIA VARMAZIS
Like a Twitter?
GRAHAM CLULEY
Something like that, but a specific conference app. Unfortunately, it turns out that the app has a vulnerability. Unfortunately, my wife is also now printing a document behind me.

She's somewhere else in the house.
MARIA VARMAZIS
I was wondering what that sound was. Are you Xerox copying your butt right now, or?
CAROLE THERIAULT
Are you paying attention to the podcast? Because this is business.
MARIA VARMAZIS
It's not time for vulnerability. Was that printing is going to happen? Yeah, that's my guess.
GRAHAM CLULEY
So I don't know how many pages there are going to be.
CAROLE THERIAULT
Maybe it's a book. Maybe it's a Harlequin. Read a few lines. Read a few lines.
GRAHAM CLULEY
What is this? It's either my son's math homework or it's something to do with the PTA.
CAROLE THERIAULT
Okay. It's not going to be very long then.
GRAHAM CLULEY
No, hang on.
CAROLE THERIAULT
Is that a dot matrix? What are we?
GRAHAM CLULEY
No, it's a desktop. Yes, desktop. Let me just find out how much he's actually printing. Okay.
MARIA VARMAZIS
Maria? Yeah?
CAROLE THERIAULT
Maybe we should tell him now about our news.
MARIA VARMAZIS
Right now while he's not actually listening.
CAROLE THERIAULT
Well, he's editing the podcast.
MARIA VARMAZIS
Oh, is he really? Well, Graham. We have news for you.
GRAHAM CLULEY
Oh, shit.
MARIA VARMAZIS
Hang on.
GRAHAM CLULEY
I'm coming back. Right. She's rather embarrassed and she says she won't print anymore. Right. Now, listen, listen.
CAROLE THERIAULT
We're behaving.
MARIA VARMAZIS
We're being good.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So nothing suspicious happened while you were gone. Just want to assure you. You have nothing to worry about.
CAROLE THERIAULT
Everything above board.
MARIA VARMAZIS
Yep, absolutely nothing went on.
CAROLE THERIAULT
No, we didn't—
MARIA VARMAZIS
Nothing was discussed. Nope, not in the slightest. Just skip over that bit.
GRAHAM CLULEY
Listen, listen, there was a Conservative Party conference app, and unfortunately the app had a vulnerability. It had a weakness.

You could access and change anyone's information simply by entering their email address. No password required. Okay, access anyone's account.
MARIA VARMAZIS
No printer involved?
GRAHAM CLULEY
Whoa, whoa, no, this wasn't a printer flaw.
CAROLE THERIAULT
Oh, okay.
MARIA VARMAZIS
Graham.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So I go to this app and I put in your email address.
GRAHAM CLULEY
Presuming I was a Tory MP.
CAROLE THERIAULT
Presuming you were a Tory MP, which you are now, by the way. Oh, fantastic.
GRAHAM CLULEY
A career with a future. Or perhaps not.
CAROLE THERIAULT
And then I'd have access to your page and I could say you don't live at your address, but you live at Bum Sweat Lane.
GRAHAM CLULEY
You would— wow. You could change my profile photo. You could view my secret mobile phone number. You could maybe send me messages or send messages from my account.
CAROLE THERIAULT
So this was not meant to be open to anyone.
GRAHAM CLULEY
No, no, no, it certainly was not. And the problem is, right, so the only authentication is an email address. In the UK—
MARIA VARMAZIS
Wait, that was it? There's not even a password?
GRAHAM CLULEY
No, no, there's no password.
CAROLE THERIAULT
What?
MARIA VARMAZIS
In the—
GRAHAM CLULEY
Had I not made this clear? In the UK, MPs' email addresses are public. They are published on the parliamentary website.

It's a matter of public knowledge how you get hold of your MP via email.
CAROLE THERIAULT
Yeah, that's nothing. Yeah, that— yeah.
GRAHAM CLULEY
So it was easy to get hold of any of these or to log in. Now, it wasn't just MPs who were affected by this, but of course there are lots of political journalists who go.

In fact, a total of 11,000 people are in attendance at this conference, and many of them were presumably on this app.
MARIA VARMAZIS
That's a lot more people than I would have thought. That's a lot of people.
GRAHAM CLULEY
Yeah, we're not some tinpot little country, Maria Varmazis. We have lots of people going to these conferences.
MARIA VARMAZIS
A political conference, I would have thought like a couple hundred. I don't know who wants to go to these things, they're so boring.
GRAHAM CLULEY
You get all the MPs, all the aides, and the people they're having affairs with.

You have the journalists, you have companies, because there'll be an exhibition there, people who are touting.
MARIA VARMAZIS
Oh, exhibitionists.
GRAHAM CLULEY
Yes, yes, yes, all those exhibitionists. So all those sort of people. Now, as a consequence of this a number of things happened.

You will find it hard to believe, but there are pranksters and mischief makers out there who, when they get hold of a minister's private mobile phone number, they might call them up.
MARIA VARMAZIS
Wait, is that all they do?
GRAHAM CLULEY
No, no, no, it goes further than that, of course.
MARIA VARMAZIS
Because that's not what I would do.
GRAHAM CLULEY
Well, other victims included former London mayor and former foreign secretary and wannabe prime minister BoJo, Boris Johnson, who had his picture briefly replaced by something unmentionable.

But yeah, I think the clue is in his surname, Johnson.
MARIA VARMAZIS
See, that's more where I would have gone with that.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
Yeah. Yep.
GRAHAM CLULEY
Juvenile.
MARIA VARMAZIS
Oh, absolutely.
GRAHAM CLULEY
Immature. And there were also journalists who were tweeting actual screenshots of themselves effectively hacking into MPs' accounts.

And this is where it begins to get a little bit dodgy because, for instance, Guardian columnist Dawn Foster, who was one of the first to notice the flaw, she raised the alarm.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
She posted a picture of herself having accessed Boris Johnson's account. And she was fuming. She was saying, look, you can do this with anyone who's on the app.

And you can post comments as them. They've essentially made every journalist, politician, and attendee's mobile number public. Fantastic, she said sarcastically. Rather embarrassing.
MARIA VARMAZIS
Thank you for that clarification.
GRAHAM CLULEY
Need a sarcasm alert.
MARIA VARMAZIS
I didn't catch that.
GRAHAM CLULEY
British person using sarcasm, you may not have noticed.
MARIA VARMAZIS
As an American, it went right over my head. What can I say?
GRAHAM CLULEY
Now imagine, imagine you were a state-sponsored hacker wanting to infect an MP's smartphone with a zero-day exploit, or even just phish them.

Their mobile phone number, well, that'd be pretty useful, wouldn't it? So I think all Conservative MPs, their mobile phone numbers have to now be considered public knowledge.

Everyone who was listed in the app needs a new mobile phone number pronto.

And journalists as well who were in the app, they need new mobile phone numbers as well because of this security breach.

And you know, there are people out there who want to hack into journalists' phones, aren't there?
CAROLE THERIAULT
Now tell me, is Brandon Lewis thoroughly embarrassed?
GRAHAM CLULEY
I imagine that his crumpets are being toasted right now.
CAROLE THERIAULT
I don't think he deserves any crumpets after this shenanigans.
GRAHAM CLULEY
I imagine that he is in a little bit of hot water about this, because of course this distracted from a wonderful, fantastic conference as they were going forward.
MARIA VARMAZIS
And yeah, he doxxed 11,000 people, basically.
GRAHAM CLULEY
Well, yeah, I mean, he didn't write the code. It was the developers.
MARIA VARMAZIS
Oh, he didn't? Okay.
GRAHAM CLULEY
Oh, no, no, we don't get the actual chairman of the party to write the program.
CAROLE THERIAULT
It's a little different over here, Maria.
MARIA VARMAZIS
I know, I know you guys are—
CAROLE THERIAULT
I know Trump does everything.
MARIA VARMAZIS
On average smarter than us, so I don't know what the level is, you know, like Donald Trump gets his son Barron, doesn't he?
GRAHAM CLULEY
Because he's really good with computers. We've said that to us before. He gets into it. No, a company called CrowdComms, they've apologized and said that they fixed the app.

But you know, the damage has been done.
CAROLE THERIAULT
That's not really an oops thing, right?
MARIA VARMAZIS
This isn't like a, sorry guys, sorry.
GRAHAM CLULEY
Hugs. Well, this I think is the central point here, which is conference apps. Do we really need them? And I was reading an article by a chap called Matthew Hughes on the Next Web.

And he's saying, you know, basically they're all a load of rubbish, aren't they?
CAROLE THERIAULT
They're just there to track you.
GRAHAM CLULEY
I'm speaking at a conference this week, actually.

And one of my followers on Twitter said, hey, Graham, I've just installed the conference app and it's asking for my location on Android.

You know, why on earth would it be doing this? And I thought, well, maybe it's to track speakers.

You know, if I went off to the loo or something and I should have been on stage, maybe they'd be able to find me that way.

But yeah, generally I think it's probably unnecessary, right? But Matthew Hughes on the Next Web, he says, conference apps, they're as close as you get to disposable software.

They're like Pampers diapers, used once, then discarded. And as a result, they seldom have the polish you might expect from a commercial piece of code.

And I would imagine if this company made an app for this particular conference, they may make apps for other conferences, just reuse them.

So there may be many other conferences, maybe from other political parties, which have similar vulnerabilities.
CAROLE THERIAULT
Yeah, no, I think that's a really good point, actually. I don't think I've ever thought about that before, but of course, they're just one-hit wonders, these apps, aren't they?
GRAHAM CLULEY
Yeah, I don't really need an app for a conference. What I need is an agenda, right? Or a map.
MARIA VARMAZIS
A piece of paper.
GRAHAM CLULEY
A piece of paper. Yes. Wouldn't that be a novel thing to do?
CAROLE THERIAULT
That you could fold and put in your pocket?
GRAHAM CLULEY
Oh, flexible screen. Fantastic. Yeah, why not?
CAROLE THERIAULT
Yeah, I think it would be much smarter if these people use platforms that are trusted and recognized, and I'm actually having trouble thinking of one that is trusted.
MARIA VARMAZIS
Well, the internet. I mean, just put it on your website, the agenda. I mean, you know why conferences use these apps, right?
GRAHAM CLULEY
Yeah, yeah, yeah, yeah, yeah, but if the agenda is on the website, when you go to the conference, there's often lousy network coverage or the Wi-Fi sucks.
MARIA VARMAZIS
Oh, yeah, it's nonexistent. Yeah, but if you have a conference app that's trying to pull that information from the internet anyway, then you have the same problem.
GRAHAM CLULEY
It could cache it, couldn't it? But yeah.
MARIA VARMAZIS
So conference apps, they exist because the conference organizers are going, our agenda is going to change at the last minute.

Some Graham dude is not going to end up speaking because he's in the bathroom. So we need to change the lineup and we need people to know that. And paper doesn't update itself yet.
CAROLE THERIAULT
I think I'm going to add that to my advice column though, that, you know what, say no to one-hit wonder apps.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah. I think we're alone now.
GRAHAM CLULEY
We're advocating people just printing stuff out, are we? Interesting.
MARIA VARMAZIS
Just take a notebook and write it down. Get rid of the computer, get rid of the phone, just go back to paper.
GRAHAM CLULEY
At least in an emergency, you can put the paper to additional uses. So that's—
MARIA VARMAZIS
Oh.
GRAHAM CLULEY
What? You mentioned the bathroom.
CAROLE THERIAULT
You wipe your butts with paper?
GRAHAM CLULEY
In an emergency, Carole.
MARIA VARMAZIS
Not even, no.
GRAHAM CLULEY
I was once out walking my dog.
MARIA VARMAZIS
Wait, do we really need to hear this? No! I don't want to hear the rest of the story. No.
CAROLE THERIAULT
Maria, Maria, what story have you brought for us this week?
MARIA VARMAZIS
So equivalent to talking about wiping your rear end with something, we're talking about Facebook. It's time for my story.
CAROLE THERIAULT
Settle in, kids. This is going to be fun.
MARIA VARMAZIS
So big, big story this week. Hard for me to even concentrate on much of anything due to the whole political situation in the States right now.

So I was— some sort of breach happened on a day where there was a lot of news happening politically in the States, and it was Facebook.

And I don't know, it kind of went under the radar for me, which was, I'm sure, completely on purpose.
GRAHAM CLULEY
Must have been. Yeah, it must have been a coincidence, right?
MARIA VARMAZIS
Yeah, that they would announce this breach on a day when they knew not a lot of people in the States at least were paying attention.
CAROLE THERIAULT
So gross.
MARIA VARMAZIS
Yeah. So let's talk about what has now been dubbed the Facebook View As debacle. I'm dubbing it that. I don't know who's dubbed it that but me.
CAROLE THERIAULT
I did not pay attention to any real details here on the story, so I am very pleased.
GRAHAM CLULEY
Because you're not a Facebook user, are you?
CAROLE THERIAULT
No, certainly not.
GRAHAM CLULEY
That's the lovely thing about not being on Facebook.
CAROLE THERIAULT
Didn't give a shit.
MARIA VARMAZIS
Don't give a flip. It's great. Well, a lot of people still use it.
CAROLE THERIAULT
I do care. I do care. I care for you. I care for you, Maria, because you use it.
MARIA VARMAZIS
I do. I wasn't affected as far as I know, but whatever. I don't know. So did you at least hear about this View As debacle? Yes. Are you familiar?
CAROLE THERIAULT
Okay. Okay.
MARIA VARMAZIS
Okay.

So for those that aren't familiar, Facebook announced this past week that someone, some external actor, some malfeasant exploited a vulnerability that impacted the View As feature on Facebook.

Which is the little button that you hit on your profile that lets you see how your profile appears to somebody else, usually the general public.
CAROLE THERIAULT
Oh, to see if you're revealing too much or too little information.
MARIA VARMAZIS
Yeah, it's a nice little privacy check to go, okay, I want my profile to look like basically nothing to a random person I'm arguing with on some news article.
GRAHAM CLULEY
It's actually a really nice feature. And I like that Facebook has this because it helps you check that your privacy settings are set correctly. Yeah.

You know, if I was my crazy stalker, would he be able to view me? No, he can't. Fantastic. Okay. Let's, you know, it's a good thing.
CAROLE THERIAULT
Well, I bet you loved it if it were coded properly. Let's hear what happened. Yeah.
MARIA VARMAZIS
So yeah, I mean, right now it's disabled and here's why.
GRAHAM CLULEY
So when you pretend with the View As feature to pretend to be someone else, you end up with this little token, which is that person you're impersonating's key effectively.

And you're able to grab it if you're a bad guy and actually pretend to be that person for real.
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
Yeah, so—
CAROLE THERIAULT
I think I'm following.
MARIA VARMAZIS
Basically, very, very, very high level, somebody could get access to your Facebook account.
CAROLE THERIAULT
Right, and then screw around with it and pretend to be you and say stuff.
MARIA VARMAZIS
Yes, and all sorts of things.

So let's talk for half a sec, maybe a little longer than that, and we're done, the weird cascade of flaws in Facebook that actually allowed this to happen.

I thought it was fascinating, because it wasn't just one thing. It's actually three.
CAROLE THERIAULT
It rarely is.
MARIA VARMAZIS
Yeah, but somebody figured this out. I mean, obviously a lot of people are targeting Facebook, and this is a really cool — I think it's kind of cool how they figured this out.

So problem number one, in one version of View As, when you're specifically wishing somebody happy birthday, so it has to be the target's birthday, the video uploader still appears, which it should not.

So that's problem number one.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
Number two, apparently it appears as if you are the person you are viewing and not yourself, which it shouldn't be either.
CAROLE THERIAULT
What?
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
I was like, blah, blah, blah, blah, blah, blah. Okay.
MARIA VARMAZIS
Yeah.

And then three, with a change in the video uploader that Facebook made last year, the video uploader incorrectly generates an access token with more permissions than it should.

So you can see a video uploader when you shouldn't be able to.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
You get, it shows as you are the person that you are viewing. You are not yourself, which is — this is some very philosophical stuff. And number three, you then—
CAROLE THERIAULT
Is it me? Is it me?
MARIA VARMAZIS
And then number three, you get more permissions than you should through the video uploader. So there's some weird squirreliness.
GRAHAM CLULEY
It's very interesting, Maria. Very interesting. I think you've really put your finger on it. I think we can maybe summarize this as omnishambles.
MARIA VARMAZIS
Omnishambles, yes.
GRAHAM CLULEY
Almost like you've got a member of the Conservative Party in the UK to write Facebook's code, something like that.
MARIA VARMAZIS
Basically, you're able to do way more than you should. It's a mess. It's a mess.
GRAHAM CLULEY
It's a mess.
MARIA VARMAZIS
It's a mess.
GRAHAM CLULEY
You don't need to know any more. It's a complete mess. And please don't ask what happened. It's a mess.
MARIA VARMAZIS
Oh my God. We'll put a link in the show notes to the detailed technical explanation.

Facebook's actually given us some information on how this all went down, but they're being a little cagey because they're not entirely sure they've got it locked down yet.
GRAHAM CLULEY
They don't understand themselves how the code works.
MARIA VARMAZIS
Because you're not you, you're somebody else. And that's where it starts getting really confusing.

So when you combine all these problems, basically the attacker could grab that access token that allows them to log in as somebody else. That's really the crux of it.
GRAHAM CLULEY
Yes. Yes.
MARIA VARMAZIS
Yes. Yes. So that's on its own, it's a problem, but then—
CAROLE THERIAULT
So was it a vulnerability or was it hacked? Was it taken? Was it breached?
MARIA VARMAZIS
Well, those three problems combined make a capital V vulnerability, which then an attacker can exploit. So if you want to call it a hack, sure.
CAROLE THERIAULT
No, no, no, what I mean is it hasn't been exploited yet.
GRAHAM CLULEY
Oh no, it was.
MARIA VARMAZIS
Oh, it has.
GRAHAM CLULEY
It was, yes.
CAROLE THERIAULT
Okay, okay.
MARIA VARMAZIS
They confirmed that it was active, it was actually taken advantage of. So they ended up resetting access tokens for 50 million users that they confirmed were affected.

Does not mean all 50 million were breached, it means that those people were affected by this issue.

So 50 million users were forced out of Facebook and they had to basically re-login again.

And on top of that, Facebook said there was another 40 million users that were potentially problematically affected.

So that's total 90 million users who had to reset their access token by logging out.
GRAHAM CLULEY
And even though this vulnerability has been present since July of 2017, Facebook only found out about this, I think they've, what first happened was they saw a spike in the activity on one of their servers on September 16th.

And it was only last week that they noticed a few days before they decided to bury the news amongst all the political stuff.
MARIA VARMAZIS
That timing was suspect.
GRAHAM CLULEY
It was only last week that they realized, oh, we've actually been breached. And that's what that huge spike in activity was, was people grabbing tokens.
MARIA VARMAZIS
And they don't have a chief security officer right now because Alex Stamos is no longer with Facebook.
CAROLE THERIAULT
So that's kind of—
GRAHAM CLULEY
Oh, they haven't replaced him?
MARIA VARMAZIS
No, they haven't. So that's another— Yeah, no. Yeah, yeah.
CAROLE THERIAULT
It's outrageous though, isn't it?
MARIA VARMAZIS
Well, there's more to this. I feel like I'm always, and there's more bad news. So you know how a lot of people use Facebook to sign onto other services?

LastPass, that Facebook single sign-on thing.

This whole hack means that potentially if the attacker had your token, they could have also logged into any other services that you were logged into before Facebook figured this all out.
CAROLE THERIAULT
So, oh, before, so they wouldn't be able to do that now.
GRAHAM CLULEY
Well, now they've reset the keys, I think.
MARIA VARMAZIS
Yeah, so I don't think it's possible now, but before Facebook figured this out, and presumably this could have been going on for, you know, a little while, having that access token means they could log into for example, your Spotify account if you used Facebook to sign into Spotify.
GRAHAM CLULEY
Oh no, don't let the hackers get my mix lists, right?
MARIA VARMAZIS
Which is terrible. Or, you know, your home delivery services.

Or in my case, if Spotify is now in conjunction with Ancestry and is making a playlist based on my DNA, that person now has my DNA info. So it's great. I don't know.
GRAHAM CLULEY
Or your dating app, or all kinds of things do use Facebook login, don't they?
CAROLE THERIAULT
So now we shouldn't even use apps that I was going to call Facebook a trusted app, and then I was going to go, "Hahaha." But, you know, so we can't use one-off apps.
GRAHAM CLULEY
The conference apps.
CAROLE THERIAULT
Thanks for cheering me up, guys. You got it. I was all depressed about the fact that we hadn't won the award.
MARIA VARMAZIS
We can now just say Facebook as a single sign-on is really not a good idea.

We've said that before, and now we're, "Well, we've got more proof." They've actually had an issue now about this, and maybe we should reconsider using that everywhere, because Facebook really wants to be your internet everywhere identity and—
CAROLE THERIAULT
Your internet BFF.
MARIA VARMAZIS
Yeah, maybe there's some other solutions there. Backstabbing. I don't know, but it ain't Facebook.
GRAHAM CLULEY
Strike one, Facebook. That's not good, is it? That's another— Strike one? Well, that's another nail in the coffin. You think it's more than that, Carole?
CAROLE THERIAULT
Strike 17 million.
GRAHAM CLULEY
Well, look, why don't you cheer us up with a happy, jolly security story to restore our trust in these online services. Over to you, Carole.
CAROLE THERIAULT
He's setting me up, guys, because he knows that I want to talk about Facebook 2. I know.
GRAHAM CLULEY
Facebook 2, is that the sequel?
MARIA VARMAZIS
Electric Boogaloo.
CAROLE THERIAULT
Look, it's important. I know we're all bored of Facebook, but, you know, we need to talk about Zucks and his Facebook fail because there's another problem with this.

And this isn't just Facebook. This is also Twitter, Google, and so on.

This story comes to us thanks to months and months of investigation work by a group of 4 academics and Gizmodo's Kashmir Hill.

So there's all kinds of notes in the show notes for you.

This all starts with a few researchers deciding to figure out how phone numbers and email addresses get sucked into the advertising ecosystem vortex.

Because there's some addresses that you kind of put out there for that. I don't know if you guys do that.

You may have a kind of junk account or junk mail address that you may use for certain purchases. For phone numbers? Well, for certain purchases, right?

Not phone numbers, but for email addresses.
MARIA VARMAZIS
Sorry. Okay. Yeah, I do.
CAROLE THERIAULT
And if you had a very kind of protected email address, the one that you didn't want to get into the wrong hands, you want to keep kind of clean, you might be surprised if you're being advertised on it and how they got that information.

And that's what these guys are trying to get into. That's what's bugging them. How are they getting access to this information?

So let's go back and just think about how online advertising works, right?

So Facebook, and I'm sure everyone has a version of this somewhere, says that they use the information it has about you, including information on your interests and your actions and your connections, to select and personalize ads, right?

And that's not a surprise. And what do you guys assume that includes in terms of information they'd have access to?
MARIA VARMAZIS
Oh, literally everything. Might be just me. Just me? No.
GRAHAM CLULEY
So it'd be based upon information you've given them, things your hometown, maybe your age. So stuff in your profile, let's say?

Yeah, your interests, groups that you've liked, or, you know, your interests and things you've liked on Facebook, I would imagine.
MARIA VARMAZIS
Things you comment on. Yeah.
CAROLE THERIAULT
What if you said, though, this is only for me, don't show this information to anyone else, your contacts, for instance?
GRAHAM CLULEY
Oh, I would expect Facebook to completely and utterly honour that. I would trust Mark Zuckerberg.
MARIA VARMAZIS
Oh, that's so sweet.
CAROLE THERIAULT
You see, I wasn't told I'm not totally surprised that they would take that information as well, right? Because even the only me kind of misleads you. It's a bit misleading, I think.

But anything else?
MARIA VARMAZIS
Oh man. If you hover your mouse over something, I assume if you're on a computer, which, you know, nobody is anymore, but they would say, hey, this shows interest. I don't know.
CAROLE THERIAULT
What if I told you that Facebook also harvests information that you put into your security page to beef up your security?

You know, your 2FA stuff, your multifactor authentication, the phone number they're supposed to call in case you get locked out of the app.
MARIA VARMAZIS
Really? Oh, that should be, shouldn't that be behind a wall, in a vault, hands off. That's not what that information's for. Right?
CAROLE THERIAULT
So this security contact information, according to this academic team that did research in this, and it's not like Facebook were upfront about this, right?

This took months and months of digging and researching to be able to prove this, and they've put a paper together to explain how they did it.

But they hoover up, snuffle up all that security contact information. And then basically hand it over to Facebook, vetted, whatever that means, advertisers.
GRAHAM CLULEY
They're not really, I think I need to stop you just there. They're not handing it over to the advertisers, are they?

So it's not like the advertisers get a database of all of this information. It's just that they are able to advertise and target based upon it. So Facebook does the match-up.
CAROLE THERIAULT
So yes, it's like a dating game. But it's still underhand. And Facebook is allowing this huge resource people going, yeah, these are people that might be interested in buying this.
MARIA VARMAZIS
Yeah, but that distinction we're making, most people aren't — the end result is the same. That information should not be connected to advertising in any way.

That should be walled off. It should, in my mind anyway. But I guess Facebook says, well, what's the point?

You're putting that data in my app, so I'm gonna do whatever the hell I want with it.

Whatever you're thinking I'm using it for, I'm gonna do for my own purposes because I'm Facebook. Fuck you.
GRAHAM CLULEY
But they're also doing this with two-factor authentication, which on Facebook, it doesn't have to be SMS-based any longer, but if you were using SMS-based and you gave them your actual mobile phone number—
MARIA VARMAZIS
They also have the in-app version though, the code generator on the phone app.
GRAHAM CLULEY
Yes. And so that, this particular instance, that's not affected because you haven't given Facebook your mobile phone number then, right?

But if you have used the version which requires the mobile phone number, then what the advertiser does is they upload loads of phone numbers, which they've collected through some means or another of people they want to advertise in front of.

And Facebook matches it to the mobile phone number which you have associated with your account by enabling two-factor authentication.
CAROLE THERIAULT
So if you put this information to your security page, it takes about a week or two, apparently, according to the researchers, before you start seeing targeted ads that specifically use that hoovered-up information from your security page.

So they're calling it PII-based targeting, and it allows an advertiser to uniquely identify an individual. And I don't even know how this sits with GDPR. It just seems crazy to me.
MARIA VARMAZIS
So by whatever means, Facebook has acquired your phone number. Basically, they don't care if you gave it to them under the guise of it's for security only.

They're like, well, we have it, so we're putting it in the big phone number pile. Right.

Of all the things that Facebook has done, this one I cannot believe is making me go, this is probably the one that makes me most uncomfortable.
CAROLE THERIAULT
Me too.

It's so it's not satisfied with the contact information that you volunteer as part of your profile, but it also wants the details you provide to get extra privacy and security at their recommendation.

Right? They say to you, please do this so that your account can be more secure. And it pisses me off. Sorry to use big language, boys and girls.

But I do feel a bit like Facebook are acting a little bit like scammers, right? Because they're not being totally upfront about what they're taking from users.

They're not being explicit about it in their terms and conditions that they're taking that information.
GRAHAM CLULEY
You've gone too far now. You're suggesting that Facebook is in some fashion underhand. And I just will not accept that they've ever done anything dodgy whatsoever.

This is a step to— sorry, do I need the klaxon again? The sarcasm?
MARIA VARMAZIS
So are we saying that Facebook has no scruples? Are we really saying that? No scruples whatsoever?
CAROLE THERIAULT
I do feel like this particular instance shows a real lack of— because they can't put this down to, oh yeah, we had no idea. Right. Like they play dumb when it suits them, I feel.

But I think this is just underhanded because they're not alone. Omni-unscrupulous.

So they are literally, you know, effectively selling this security PII information to third-party advertisers. And by doing that, they're pitting privacy against security. Yeah.

And that is the issue, right? It's a bad precedent.
MARIA VARMAZIS
Yes. Because we in the IT industry—
CAROLE THERIAULT
This is why I think you're pissed off, because this is why I'm pissed off.

We advise people all the time to take advantage of these security features like two-factor 2FA to help users keep better control of their accounts.

Yeah, that's never what that information is for. So the EFF is freaking out about this, and I don't blame them.

They are worried that people are going to stop using things, security features like 2FA, to authorize accounts because they've heard about this big story.

And of course, from a security point of view, that's a big step backwards if we stopped using 2FA, because that's what helps you keep control of your account.

So, but should you have to do that as a trade-off for privacy?
GRAHAM CLULEY
It's insane. We've joked about this. This is bloody awful. Yeah.
CAROLE THERIAULT
And I haven't joked about it, actually. Well, I've been very serious.
MARIA VARMAZIS
She's on the verge of tears over there. I can hear it. Yes.
GRAHAM CLULEY
A few giggles might have been nice. But no, I mean, it's— this is terrible because it's deliberate. It's intentional. It's underhanded. And you can't trust them.
CAROLE THERIAULT
And we all know that Facebook are hurting for cash, right? We know that. That's why they're doing this, because they just quit Facebook.
GRAHAM CLULEY
Just quit Facebook. Just quit Facebook now. Hi, Facebook. Just quit Facebook. Did you?
CAROLE THERIAULT
Hey, Graham, you were talking about Boxcryptor earlier. Yes. What about price? Is it super expensive? Oh no, it's free for non-commercial use.
GRAHAM CLULEY
And if you have a company and want to take advantage of some of the enterprise features, then obviously you spend a little bit of money, but they have flexible licenses as well.

But your data is encrypted before it reaches the cloud, works with lots of cloud services, and it's cloud security made in Germany. And that's cool, isn't it?
CAROLE THERIAULT
Yeah, thank you, Boxcryptor.
GRAHAM CLULEY
Boxcryptor.com, go and check it out. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.

Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare!

That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.

LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, supporting user groups and roles, and new support for Microsoft Active Directory.

As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.

Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass. And welcome back.

And you join us at our favourite time of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
CAROLE THERIAULT
It's like you've said that 100 times. 98 times so far.
GRAHAM CLULEY
Not security related necessarily. Definitely should not be. Now, my pick of the week is related to a TV programme which is broadcast in the UK.

I don't believe, Maria, you will be able to see it in the United States unless you do some craftiness with a VPN and pretend to be based in the UK and go on to iPlayer.

Tut tut if you do. What are you talking about? I'm talking about a TV show called The One Show. Oh, you're recommending The One Show? Just wait and see.
MARIA VARMAZIS
Hush, hush. I don't know what this is.
GRAHAM CLULEY
Oh my gosh. The One Show is a BBC television magazine programme. It's snorefest. Broadcast live on weeknights at 7 PM. So sort of prime time here in the UK.

Unfortunately, even though it's been on for about 10 years, BBC One's programme controllers don't seem to have noticed. That it's complete and utter shite.
CAROLE THERIAULT
Wow, don't hold back. I just said snorefest. I don't know why you're comparing it to fecal matter.
GRAHAM CLULEY
It's not just a snore, it is an omnishambles, a word that we've used quite a lot in this podcast. It has lost all meaning at this point.

It's filled with gaff, it's painfully terrible, but it's there on our main TV channel. Pot kettle. Oi, watch it.

And so, because no one else appears to have done anything to put it out of its misery, there is a new podcast called The One Show Show. And what they do is every week—
CAROLE THERIAULT
Does someone have a stutter? Every week they look back.
GRAHAM CLULEY
They do the very important job of ridiculing it, looking back over past episodes.

So for instance, the most recent one was Rowan Atkinson talking about his new movie with his sidekick as serious guests on the show.
CAROLE THERIAULT
Yes, yes, right.
GRAHAM CLULEY
They get very serious guests and then they get truly bizarre people to sit next to them. Oh no.

Anyway, so this podcast, The One Show Show, features John Holmes, not that one, and guests forensically analyzing each week of the show and ripping it to shreds.
CAROLE THERIAULT
Oh, I don't know if I like it now.
GRAHAM CLULEY
That's a bit evil. Well, someone has to put it out of its misery.
CAROLE THERIAULT
Is he being paid a ton in the BBC?
GRAHAM CLULEY
But I think they do make quite a lot of money, the presenters of this show. Do you think? I think they probably do, Carole.
CAROLE THERIAULT
I've always seen it as a kind of afternoon show.
GRAHAM CLULEY
Well, they put it on at 7 PM, you know.
CAROLE THERIAULT
Yeah, I was surprised by that actually.
GRAHAM CLULEY
Now, if you don't— I don't watch The One Show, obviously, because it's rubbish.

But you will probably, even if you don't like The One Show, enjoy The One Show show, because it's quite— You too, if you can laugh at them, even if you don't know them.

It's quite funny.
MARIA VARMAZIS
It's quite funny. I'll take your word for it. You're a little bit mean-spirited, Graham Cluley.
CAROLE THERIAULT
Well, I just— No words.
GRAHAM CLULEY
No words. I pay for The One Show. I pay a BBC licence and it's one of those shows which, unlike Doctor Who, which is returning this very weekend.
CAROLE THERIAULT
They probably get 20p and they're very grateful for your 20p that they get from your license every year.
GRAHAM CLULEY
Anyway, I found the podcast funny and maybe other people will. And that is why, Carole, it is my, if not yours, pick of the week. Thank you.
MARIA VARMAZIS
Did you take a little bow at the end there? I did a little flourish.
CAROLE THERIAULT
Did a curtsy. It sounds to me like cyberbullying. Oh, for geez. On a digital scale.
MARIA VARMAZIS
Yeah, well, if we're going on that route, then Zuck's going to say that we're cyberbullying him because we're picking on Facebook so much.
GRAHAM CLULEY
So— Yeah, let's do a nice little bland podcast, shall we, Carole, where we're really nice to everybody and we just say, oh, well, bless them.

Bless, bless, bless, bless Mark Zuckerberg. Oh, he's so good, isn't he? I love his hair. I love his hoodie. No, we're not doing that sort of show. We're saying it as it is, right?
MARIA VARMAZIS
Well, maybe that should be episode 100 where you just— Can I ask one question before we move on to the next book of the week?
CAROLE THERIAULT
How many times have you watched The One Show? Literally never. A handful of times. A handful of times.
GRAHAM CLULEY
You know, if it's been on and, you know, I've been in the room and I might have been there rolling my eyes at the inanity of it all. Yes, maybe.

I watched one with Bruce Willis once, a very, very awkward interview on The One Show. Maybe I'll dig it out and put it in the show notes.
CAROLE THERIAULT
I think I've seen that one, right?
GRAHAM CLULEY
So he did not play ball, did he? I think that must have been a meme going around. They're not very good presenters, to be honest, and they do ask very dumb questions.
CAROLE THERIAULT
Anyway, I digress. I apologize.
GRAHAM CLULEY
Right. Maria, what's your pick of the week?
MARIA VARMAZIS
Well, my pick of the week is an internet artistic experiment-y thing. It's got a Facebook presence, but I'll ignore that. We'll go straight to Twitter. Yeah, obviously.

They have a Twitter account, and the name of this internet experiment artistic-y thing is called The Man Who Has It All. So the Twitter account is Man Who Has It All.

That's what it is.
CAROLE THERIAULT
Okay, I'm looking at it right now.
MARIA VARMAZIS
So I'll just read some of the tweets. Time to get up, dads, before your wife and kids. Now is the time to prepare healthy snacks, get a load of washing in, and exfoliate your elbows.

Working dad, pro tip, empower yourself by starting a gratitude journal. Log every occasion your wife helps you with the housework or the kids.

Or one of my favorites, I don't mind being called a postwoman because I know it covers both women and men. 'Anything else would sound silly,' says Ben 33, male postwoman.
GRAHAM CLULEY
I think I've worked out what they're doing here. Yeah, it's pretty great. I feel slightly uncomfortable because I, of course, allegedly have a penis. And so I feel slightly uneasy.

It appears the worm has turned and womankind is rebelling through the form of this Twitter account.
CAROLE THERIAULT
It's like, actually, it's a gender-neutral neutral term.
MARIA VARMAZIS
Yep, it's a brilliantly funny thing and they make me laugh so much. And so I just follow them on Twitter and they tweet a lot and it's—
CAROLE THERIAULT
I've just fallen— I just fallen in love. I just saw a t-shirt saying Crazy Cat Gentlemen. Yes, and men.
MARIA VARMAZIS
Yeah, just a little reminder to smile today because women like positive men. It's great, it's really, really great. And yeah, I don't even know what else to say.
GRAHAM CLULEY
A few tips for you, Graham. A few tips.
CAROLE THERIAULT
Yes, go on then.
GRAHAM CLULEY
I'm being kicked here. Go on. No, I think just—
CAROLE THERIAULT
I just think follow, I just think follow, follow the, follow the feed and learn a few things, dude.
MARIA VARMAZIS
Oh, I got one right here. Man architect is not an offensive term. It is simply a way to differentiate them from proper architects. End of story.
CAROLE THERIAULT
What's your problem, Graham, you man host?
MARIA VARMAZIS
Oh, I love this account so much.
GRAHAM CLULEY
I thought you're going to say man ho rather than man host, so I suppose I should be pleased about that at least.
CAROLE THERIAULT
Male guitarist. Allegedly. Male guitarist. Okay.
GRAHAM CLULEY
Moving rapidly on.
MARIA VARMAZIS
I made all the listeners really uncomfortable.
GRAHAM CLULEY
Oh no, no. We've got plenty of male listeners as well as female. Oh really? Oh great.
MARIA VARMAZIS
Oh, that's wonderful.
GRAHAM CLULEY
Yes, yes.
MARIA VARMAZIS
It's really nice to talk to men once in a while. I don't hear from them very often.
GRAHAM CLULEY
Just like most tech podcasters. You know, we have a small number of men listening. Just women all the time.
CAROLE THERIAULT
We have an open door policy for men. Yes.
MARIA VARMAZIS
Nothing but estrogen.
GRAHAM CLULEY
You know what? We're pretty good because we have a pretty much 50-50 mix between the hosts, don't we? I mean, I'm mostly male and Carole, you're mostly female.
CAROLE THERIAULT
You weigh a little more than I do. Like by little, I mean—
MARIA VARMAZIS
Host by weight is apparently what we're doing.
CAROLE THERIAULT
Well, if it's even stevens, I'm just saying. So my pick of the week, since no one's going to introduce me, my pick of the week.

It revolves around Lenovo and their attempt to boldly go where no laptop has gone before. Say hello to the Star Trek Dream PC. Oh my God, I have it!

Please click on the provided YouTube link, friends.
GRAHAM CLULEY
Don't Rickroll me.
CAROLE THERIAULT
At home, you can go to the show notes. Oh my God, this is so cool! Look at that, it's got lights.

It actually is a laptop modeled after the 23rd century Federation Starship USS Enterprise.
MARIA VARMAZIS
The original, no letter.
CAROLE THERIAULT
Yeah, it's not perfect because they had to squeeze in a lot of tech under the hood.
GRAHAM CLULEY
It's not perfect, Carole, because if this is a laptop, it's a very, very inconvenient shape.
CAROLE THERIAULT
Do you think so, Graham? Yes, I do.
MARIA VARMAZIS
Look at those nacelles, they're gorgeous. Oh my God. I am clearly the target audience for this.
GRAHAM CLULEY
How are you going to get a case for this?
CAROLE THERIAULT
Does this sound delicious to you, Maria? It has a GeForce RTX 2080 graphics card. Is that exciting?
MARIA VARMAZIS
Computing? GeForce is okay. Yeah. I don't—
CAROLE THERIAULT
Okay. All right. What about 9th generation Intel CPU? That's pretty advanced.
MARIA VARMAZIS
And apparently, is it overclocked? Yes, it's overclocked.
GRAHAM CLULEY
Of course it's overclocked. Shouldn't it be next generation rather than 9th generation?
MARIA VARMAZIS
No, this is original Trek. This is not next generation.
GRAHAM CLULEY
Oh, sorry. So I've been outnerded.
MARIA VARMAZIS
Yes. Oh, you're on my turf now, Graham. You're on my turf. Careful now. I will not out-Doctor Who you, but—
CAROLE THERIAULT
Apparently it's fairly high spec. It's only available in China, Maria.
MARIA VARMAZIS
That's an easy problem to solve.
CAROLE THERIAULT
It was at the Beijing Tech World Conference. Oh, not Bajoran. Did you see? $2,200. Really?
MARIA VARMAZIS
He made a DS9 joke just now. That's impressive. Are you impressed? I'm actually a little impressed. Oh yeah.
GRAHAM CLULEY
DS9. It's not, Carole, I have to refute this claim that this is a proper laptop. First of all, you could not use this on your lap.
CAROLE THERIAULT
Yeah, not convenient to walk around with. You know? Not really easy to take into presentations to your sci-fi, I don't know, conventions.
MARIA VARMAZIS
And how much does it cost? $2,200. Okay, that's actually not as bad as it could be.

Because there's also a replica of a Cardassian desktop computer that just came out, and it doesn't do anything. It doesn't actually work as a computer, but it costs $2,500.

Just for a replica.

Just for a replica of— it's just a screen that lights up that doesn't do anything, and it looks like the thing he had in his ready room, but it doesn't work as a computer.

So at least this works as a computer, and it's cheaper.
GRAHAM CLULEY
I could probably make you a replicator if you wanted a hot cup of tea.
MARIA VARMAZIS
Earl Grey, hot.
CAROLE THERIAULT
I just wish I could see it open. I wanna see the screen.
MARIA VARMAZIS
Yeah, that's my confusion is how does this computer?
CAROLE THERIAULT
I think, okay, if you imagine the Starship Enterprise is basically a donut with a few, I don't know, a whisk at the back of it, or an iron with a donut on an iron.
GRAHAM CLULEY
Just say it looks like the Starship Enterprise. That's what it looks like, doesn't it?
MARIA VARMAZIS
Okay, that's okay.
CAROLE THERIAULT
But if I'm gonna say the top lid of the Starship Enterprise opens up. The saucer. The saucer.
MARIA VARMAZIS
This is painful.
GRAHAM CLULEY
That's for the CD drive, I guess.
MARIA VARMAZIS
That's probably the hard drive though, legit. That's—
GRAHAM CLULEY
Well, where's the screen then? I think it looks like there's a screen behind it. I think you have to lug a monitor around with it as well.
CAROLE THERIAULT
Oh, this is just the hard drive?
GRAHAM CLULEY
Are you sure this actually is a laptop, Carole, and not a desktop computer? Yeah, no, I'm not sure at all. Oh, it says with an optional built-in projector coming soon.

Oh, very interesting.
MARIA VARMAZIS
Okay, because it says it's just a construct. It's a massive metal construction PC.
CAROLE THERIAULT
So look, to be honest, I didn't do a lot of research in this. I really— I knew Maria would take over because she loves Star Trek, so it was just basically an easy win.

I slid it in there, it all went perfectly. Thank you, Maria.
GRAHAM CLULEY
Don't worry, I don't think anyone noticed.
CAROLE THERIAULT
Anyone who wants to see— hold on, anyone who wants to look at it, check the show notes. But Enterprise NCC-1701.
MARIA VARMAZIS
No bloody A, B, C, or D. Yes, thank you. Okay. I don't know what's going on.
GRAHAM CLULEY
Well, fortunately, we have a number of male nerds who listen to this podcast who have no problem at all understanding what Maria's talking about.
MARIA VARMAZIS
Male nerds is great. There are not many of them.
GRAHAM CLULEY
So, especially, we need to differentiate them because they're not proper nerds, right?
CAROLE THERIAULT
Correct.
GRAHAM CLULEY
When you get a male fan of Star Trek, there's something to be celebrated.
MARIA VARMAZIS
These guys is the thing, you know.
GRAHAM CLULEY
Exactly. Exactly. They're just fanboys. Squealing away. What? Okay. Okay. No, maybe not. Anyway, on that bombshell, I think we've spoken enough, frankly. I think we're done.

Maria, if people want to follow you online to share Star Trek gossip, how should they do that?
MARIA VARMAZIS
The internet. Twitter. Twitter's good.
CAROLE THERIAULT
Twitter. You'll find me. You'll find me.
MARIA VARMAZIS
Yeah, I was do I have to spell my name out again? M-V-A-R-M-E-Z-I-S. You can find me on the internet. I'm on Twitter. Just find me on Twitter.
GRAHAM CLULEY
And you can find us on Twitter at Smashing Security. No G. Twitter won't allow us to have a G.

And it's a good idea to follow us there because we often will tweet out discount codes, which you can save money at our online store and grab a mug, a t-shirt, a sticker at smashingsecurity.com/store.
CAROLE THERIAULT
I would that people send in their favorite moments from the past 97 episodes.
MARIA VARMAZIS
This one was full of them. Oh, yes. It was definitely full of something.
CAROLE THERIAULT
So that'll make my job of editing the 100th episode maybe easier.
GRAHAM CLULEY
Oh, so you're asking people if they—
CAROLE THERIAULT
I'm asking people to please, please send in the episode and a timestamp of your favorite moments of Smashing Security.

And you, your episode might get in with a chance to be on the 100th episode.
GRAHAM CLULEY
Could they also just email in with stuff they love about Smashing Security or maybe an audio clip? Maybe they could send us some audio clips.
CAROLE THERIAULT
Yeah, if you have anything nice to say about Maria or I, we're very welcome to hear it.
MARIA VARMAZIS
Can someone do a master edit of Graham, you doing just your wheezy chuckle thing? Just a whole master edit of that. Just a chain of them. What a wonderful man laugh.
GRAHAM CLULEY
Until next time. Cheerio. Bye-bye. Adieu, mes amis.
CAROLE THERIAULT
See, I'm going to Montreal, that's why I said this.
MARIA VARMAZIS
Oh yes.
CAROLE THERIAULT
I'm gonna eat poutine.
GRAHAM CLULEY
Ooh. I'm down.
MARIA VARMAZIS
You don't know what that is. Maybe a smoked meat poutine?
CAROLE THERIAULT
It's not Vladimir. It's delicious, that's all I gotta say.
MARIA VARMAZIS
I have yet to have really great poutine, so—
CAROLE THERIAULT
Oh, well, come to Montreal.
MARIA VARMAZIS
No, I've been! When I went, I didn't have good poutine.
CAROLE THERIAULT
I was this is crap. Mon dieu!

High profile victims of the “View As” security breach are reported to include Mark Zuckerberg, as well as Facebook’s chief operating officer, Sheryl Sandberg, and its European vice-president, Nicola Mendelsohn.

What a week. It’s enough to make you reconsider your relationship with Facebook, isn’t it?

I quit Facebook earlier this year. If you’re finding it hard to imagine doing the same, why not listen to this “Smashing Security” podcast we put together describing the process of quitting Facebook:

Smashing Security #075

075: Quitting Facebook

Transcript: This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARIA VARMAZIS
I then deleted my Facebook account and then re-upped it in 2005 and have not been able to get off the stupid thing since. So I am a super—
CAROLE THERIAULT
So why can't you get off? What are your— You guys!
MARIA VARMAZIS
It's not that kind of podcast.
Unknown
Smashing Security, episode 75: Quitting Facebook with Carole Theriault and Graham Cluley. Graham Cluley. Hello, hello, and welcome to Smashing Security episode 75.

My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by a returning guest, Maria Varmazis. Hello, Maria.
CAROLE THERIAULT
Hi. Hello, Maria.
GRAHAM CLULEY
Hello.
CAROLE THERIAULT
Hi, everyone.
GRAHAM CLULEY
Are you all right? You sound a little bit tired.
MARIA VARMAZIS
I'm just a little sleepy. It's all good.
CAROLE THERIAULT
Oh, do we bore you? Is that what's going on?
MARIA VARMAZIS
So tedious.
CAROLE THERIAULT
Yawn.
MARIA VARMAZIS
Yeah, I'll be okay. My energy will get up. I just had a late night due to baby stuff. So I'll be okay. I'll be all right.
GRAHAM CLULEY
Because you've got a baby. It's not that you're trying to have another baby. Or you haven't given birth overnight, have you? That would not be a good reason to.
MARIA VARMAZIS
Oh no, my uterus is not that uber. No.
GRAHAM CLULEY
Do Uber do uteruses now? Is that what you just said?
MARIA VARMAZIS
Yeah, you didn't know Uber for uteruses? It's a thing.
GRAHAM CLULEY
What?
MARIA VARMAZIS
Copyright Maria Varmazis, please don't pitch that. That's mine. It's my retirement plan.
GRAHAM CLULEY
This is a special Splintergun Logical— no, it isn't. It's a special Splinter episode all about quitting Facebook. That's all we're going to talk about.

We are going to discuss whether you should quit Facebook.
CAROLE THERIAULT
Yes, you should.
GRAHAM CLULEY
And how you can quit Facebook right after our sponsor break.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralised control of employee passwords and applications.

But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.

Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses. Right, Facebook. Get me off it, kids.
GRAHAM CLULEY
Yeah, exactly. So are we all on Facebook?
MARIA VARMAZIS
Yep. Well, no.
CAROLE THERIAULT
Well, I don't know. I'm deactivated on Facebook, which I understand to be that I am still lurking on there but not locatable.
GRAHAM CLULEY
Oh, okay. So if I go onto Facebook right now, let's open a little window right now. Excuse my typing here. And I enter Carole Theriault into the search.
CAROLE THERIAULT
Yeah, do vomit on my name because that's so nice of you.
GRAHAM CLULEY
And— oh no, there are other Carole Theriaults there, but there's not you.
MARIA VARMAZIS
Can we be sure?
CAROLE THERIAULT
So this basically means— I don't know what it means. What if we were friends? Were we friends on the Facebook?

Does it say anything in your feed that I've disappeared, or have I just kind of gone away?
GRAHAM CLULEY
You don't appear, and we were Facebook friends. I remember that. Unless you unfriended me. And so I've received no notification that you deactivated.

You just disappeared into the mist.
CAROLE THERIAULT
Okay, that's good. So it's not that anyone feels dissed by me. Like, Carole left you.
MARIA VARMAZIS
It's not like AOL Instant Messenger where you hear the door close sound or ICQ where it went "uh-oh," or whatever. Anyway, sorry.
CAROLE THERIAULT
I'm pissed because I was on Facebook, but I was on it quite responsibly.

If you remember, Graham, we did a lot of Facebook security training very early on in Facebook's birth and its growth.
MARIA VARMAZIS
Sounds like a disease.
CAROLE THERIAULT
I never got apps. I never played Facebook apps. I didn't share any pictures. I didn't like people posting pictures of me.

And still my data could be compromised simply because I was friends with people that may not have been as privacy aware as me. Actually, it probably wouldn't have mattered.

Someone somewhere downloaded some game that hoovered up all my data.
GRAHAM CLULEY
So yeah, I mean, I know you've had a Facebook account for a long time. In fact, Carole, it was you who got me onto Facebook way back when. I think maybe because you are Canadian.
CAROLE THERIAULT
I did hear about it early because everyone, a lot of people at my university.
GRAHAM CLULEY
That was it.
CAROLE THERIAULT
Yeah. And Canada was quite an early adopter of Facebook.
MARIA VARMAZIS
Well, back then is when it was universities only. It was only for certain colleges in the US. That's when I joined, when it was still in beta.
CAROLE THERIAULT
Oh, well, aren't you cool? Well, thank you very much, Maria, because thanks to people like you, we're in this mess.
MARIA VARMAZIS
I'm a Facebook hipster. I then deleted my Facebook account and then re-upped it in 2005 and have not been able to get off the stupid thing since. So I am a super—
CAROLE THERIAULT
So why can't you get off? What are your— You guys, the sun is still shining in all our time zones.
GRAHAM CLULEY
For a while, Carole has been wanting to have an agony aunt section on the show. So let's talk about this. Why can't you get off Facebook?
CAROLE THERIAULT
Facebook.
MARIA VARMAZIS
Why can't I quit Facebook? Why can't you quit Facebook? Otherwise it's not that kind of podcast. Well, is it?
CAROLE THERIAULT
No.
MARIA VARMAZIS
It's, I hate Facebook and I can't quit it. And I feel like everyone else I know on Facebook feels exactly the same way with the exclusion of old people who just adore it.
CAROLE THERIAULT
Okay, but why?
GRAHAM CLULEY
I'll tell you why. Because people don't like to miss out.
MARIA VARMAZIS
It's formal.
GRAHAM CLULEY
Because their friends are there, or because you have family who are distant. And it's a really easy and lazy way of continuing to feel connected with people.
MARIA VARMAZIS
I can tell you, I've seen so many times people doing the, "I'm just taking a step away from Facebook," or, "I'm temporarily deleting my account," and then a week later, a month later, the person is inevitably back because their social life completely dies.

You don't know what events are going on, you forget somebody's birthday, nobody wants to email you anymore, nobody answers the phone anymore.
CAROLE THERIAULT
Is that what's wrong with my life?
MARIA VARMAZIS
Have you noticed that you have no friends? Because this might be why.
CAROLE THERIAULT
No, no, I have too many to even look after.
MARIA VARMAZIS
Oh well, la-dee-da.
CAROLE THERIAULT
And they're real friends, you know, from real life.
MARIA VARMAZIS
I feel like you're a corner case though.
CAROLE THERIAULT
Yeah, maybe. Or a lucky one.
MARIA VARMAZIS
Yeah, your friends keep in touch outside of Facebook and you hate Facebook and deleting it will be super easy for you.

Whereas for a lot of us who want to quit Facebook, it's like, well, we will literally have no way to keep in touch with people.
GRAHAM CLULEY
The thing is, it's so much easier to click the like button on someone's Facebook update than it is to pick up the phone.
MARIA VARMAZIS
That's so true.
GRAHAM CLULEY
Isn't it? And say, hey, how are you? And you feel like, oh, I've done that now.

And they'll see a little, oh look, they said they like the picture of my child or whatever it was, or the holiday I'm on. That's nice. And you continue to feel connected.
MARIA VARMAZIS
And you get that little adrenaline rush, right? Or whatever, dopamine rush.
GRAHAM CLULEY
And from that point of view, I think Facebook's pretty good.

What I don't like is that people, of course, give this curated image of themselves on social networks, you know, where they're, "Oh, aren't I fantastic?

Look at me, I'm doing my warrior pose at the yoga." That's like the max of your familiarity with yoga. I'm doing my sun salutation.
CAROLE THERIAULT
Me having yet another amazing day out with my amazing friends.
MARIA VARMAZIS
What you don't typically do is you don't post up things saying, "Oh God, I hate my life." Yeah, because if you do that, everybody's going to be like, 'Are you okay?' Or, 'Oh, they're such a drama queen.' So you can't do that either.
CAROLE THERIAULT
You can't be keeping it real because then you feel like I'm totally missed out. Now tell me, did you use your Facebook login?

Because you could use Facebook to log into other apps, right?
MARIA VARMAZIS
Yeah, I did.
CAROLE THERIAULT
And is that another reason why it's hard to walk away?
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Or that's not the leading reason? Or is that the leading reason?
MARIA VARMAZIS
It's not the leading reason, but it's extremely annoying.

I'm a Spotify user, and it's one of the many apps where you can create your account just by saying, just create your account with Facebook. You just click this button.

It's super easy. And I did that. And there's no way for me to easily disassociate my account without literally deleting my old account and creating a new one.

And then I'll lose my playlists and my albums. I have to recreate all that stuff I've done.
GRAHAM CLULEY
And at the time, a lot of people created these accounts on third-party sites using the Facebook login process because they thought, well, this is perhaps more secure because I don't have to remember different passwords.

I don't have to generate passwords. Facebook's going to handle it.

And this site which I'm signing up for, I don't have to worry about them looking after my password because they're using the whole Facebook process instead.

So I think this is a really valuable thing for people to remember if they are considering quitting Facebook is what the impact will be on any other apps and websites which might be—
CAROLE THERIAULT
Suck it up, get off Facebook.
GRAHAM CLULEY
Well, yes, I agree with that. So here's my first reason why I think you should leave Facebook.

The way you can convince yourself that you've shared too much information on Facebook is to download a copy of your Facebook data, right?

There is a link, and we will put it in the show notes, which you can go to on Facebook. And regardless of whether you plan to quit or not, download your data.

It will download all the photos that you've posted and all the messages and all kinds of other stuff as well. You will be horrified.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
Most people will be stunned at just how much information they have given over the years, because many people will have been on the site for years and years and years.

And at that point, you begin to think, crikey, I volunteered so much information, information which I would never have given to a phishing site, information I would never have given to some scammer or fraudster ringing up on the phone.

I have willingly given to Mark Zuckerberg and his cronies, and what on earth are they planning to do?
CAROLE THERIAULT
And then you realize how come all the ads are so perfectly targeted to your insecurities on the site, right?
GRAHAM CLULEY
Right, because they've learned all about you and the groups that you've liked and the things which you've given a thumbs up to, or the—
CAROLE THERIAULT
Yeah, you should go on. I bet, Maria, if you go on right now, there'll be ads for caffeine or Red Bull ads to gee you up.
MARIA VARMAZIS
I'm weird. I don't actually post much personal stuff on Facebook. I post political things and memes. I don't post about my life. I don't post about my family.

I'm a little weird in how I use Facebook.
GRAHAM CLULEY
All right. We've all had a good whinge about Facebook. Let's tell our glorious audience different ways in which they can quit Facebook.

And I'm going to start off with the simplest thing you can do, which is not a complete cutoff, but it is called turning off the Facebook platform.

That is the thing which basically Facebook uses to integrate you with third-party apps and websites.

It's the thing which powers the like buttons which appear on third-party sites, which can of course track you around the internet, which isn't terribly nice either.
CAROLE THERIAULT
So this is different from deactivating your account?
GRAHAM CLULEY
It is. This is a different level. This is turning off the level one, what we call Facebook platform. Yeah.

And this is the thing which was exploited by Cambridge Analytica's app, or the app which gave them the data, which allowed, for instance, your friends to give your information to other people as well.

So this is— if you're not ready to leave Facebook for whatever reason, you might want to consider turning off the Facebook platform.

So we're going to include a link where you can do that.

It's deep within the settings, and what it will mean is that all posts by apps and games and things like that will be removed from your timeline.

You won't be able to log into apps or games and websites using Facebook. Oh, wow, I live.
MARIA VARMAZIS
I just did it.
GRAHAM CLULEY
How will Maria get her Spotify playlists?
MARIA VARMAZIS
I just tried it, and now I'm really curious how broken my Spotify account is. But I just did it. I actually didn't know that. Good job.
GRAHAM CLULEY
You can always turn it on back again, you know, if you need to temporarily. You're also going to lose other information like your high scores in games and your favourite places.

Oh, diddums. Oh dear, you've lost all that. But that is the most private I think you can really make Facebook without deleting the account altogether.

So there you are, disable Facebook platform.
CAROLE THERIAULT
Is this a new feature that they've put out?
GRAHAM CLULEY
Nope, this has been around for some time. It's just been hidden deep, deep down in the settings, and so most people never ever find out about it.
CAROLE THERIAULT
That pisses me off as well. I was trying to permanently delete my account originally, and I found it so difficult to find the information that I ended up just deactivating.
GRAHAM CLULEY
You need to listen to this podcast.
CAROLE THERIAULT
Tell me, but I'm going to shut up right now.
MARIA VARMAZIS
You take the floor.
GRAHAM CLULEY
So the next step is doing what Carole has done, which is deactivating the account. So you can deactivate your Facebook account temporarily and choose to come back whenever you like.

Yippee, right? When you change your mind. So at the moment, you won't find Carole on Facebook. Carole could log back in if she wanted to, but right now, no one can see your profile.

No one can search for you.
CAROLE THERIAULT
I'll tell you one thing that's a bit annoying about the deactivating your account bit. So you deactivate it, and then of course you kind of want to check to see if you're not on it.

And as soon as you log in, if you're using a password manager, it obviously just fills in the login page as you get there.

And bish bash bosh, you gotta do the whole deactivation again. So you can't get a friend to look to see if you've been removed.
GRAHAM CLULEY
Well, so what you need to do is you need to create a second account purely for testing if the other one exists.
CAROLE THERIAULT
I just got off it 'cause I don't want to be anywhere near it.
MARIA VARMAZIS
That's crazy.
GRAHAM CLULEY
Well, Facebook shareholders are gonna love this, Carole. How are they gonna get to 3 billion users?
CAROLE THERIAULT
I've got friends. Maria, I'll call you. You're not getting off anytime soon. I'll just go, hey, Maria.
MARIA VARMAZIS
All right. We got to use a different phrase.
CAROLE THERIAULT
What different phrase?
MARIA VARMAZIS
Quitting Facebook.
CAROLE THERIAULT
Oh, getting off.
MARIA VARMAZIS
I actually, I have, I actually have two Facebook accounts. Yeah. And I know I have three. Yeah. I have a bunch that I use for testing stuff. It's terrible.
GRAHAM CLULEY
Anyway.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
So you can do that if you want to. Right now, once you've deactivated some information, like messages you sent to friends, they're still probably going to be visible.

Okay, so you don't clean up everything which you posted around the place. Your friends may even still see your name in their friends list, but it won't go any further beyond that.

But also keep in mind that if you deactivate your Facebook account, your Messenger account, which is like their IM system, that will remain active.

So disabling Facebook Messenger is a whole separate thing.
MARIA VARMAZIS
Yeah, yeah, yeah, let me make a note. Because you can actually use Facebook Messenger without, I think, a Facebook account.

Now, I don't know if that's 100% true, but I know of some people who said they've sort of either deactivated or deleted their account, maybe just deactivated.
GRAHAM CLULEY
I don't know. Certainly with a deactivated account, it appears that Facebook Messenger continues.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
That seems very much by design. You know, there are sort of third-party options that you can use that are sort of an in-between the deactivating and the restricting.

Have you heard about the Firefox extension that puts Facebook in its own little container tab?
CAROLE THERIAULT
Oh no, tell me, tell me.
MARIA VARMAZIS
So basically, if you're not ready to even go as far as deactivating, but you want to just really, really slap the hand on Facebook and say, you need to stop talking to all the other websites I go to, there's a Firefox extension that you can install that will make sure that if you're in Facebook, Facebook can only talk to a Facebook page and it will not start sniffing around the other pages that you're visiting.
GRAHAM CLULEY
The way they describe it, it sort of isolates your Facebook identity from the rest of the web, which does mean that all of those like buttons, which are distributed so far and wide across the internet, won't be able to communicate back.

They won't know that you're logged into Facebook as well.
CAROLE THERIAULT
So I hate to ask this, Maria, but how do you know that this is a trusted plugin?
MARIA VARMAZIS
It's actually created by Mozilla. Yeah, that's a very good question. But yeah, Mozilla actually created this.
GRAHAM CLULEY
So it's called Facebook Container. Cool.

Now I don't use—I use Firefox regularly, but one of the things that I've done is I've updated my ad blocker with specific code and rules which block any like buttons from working on pages when I visit them, because I don't want Facebook knowing which pages that I'm going to and gathering data about my movements around the internet if I do accidentally leave myself logged into Facebook.

And that's something else which you can do with a blocker as well. But this is all kind of really nitty-gritty advice.

I think maybe the push for this podcast is how are you going to stop giving any data to Zuckerberg?

So right after this sponsor break, we're going to talk about how you can actually delete your Facebook account entirely.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size, but it isn't just for enterprises.

It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass. LastPass.
GRAHAM CLULEY
So let's go nuclear now.
CAROLE THERIAULT
Finally.
GRAHAM CLULEY
And let's permanently delete our account. So I've put the link in the show notes. We can find out where to do this at facebook.com/help/delete_account.

Pretty hidden away, to be honest. You have to go hunting for it if you do want to do it.

And you will get this big fat warning that says: if you don't think you're going to use Facebook again and would really like your account deleted, we can take care of this for you.

Bear in mind, you will not be able to reactivate your account. So really, they want you to deactivate rather than delete your account.
MARIA VARMAZIS
Exactly.
CAROLE THERIAULT
I'm falling into their trap by just being deactivated rather than deleted. So I have no qualms about getting off. All the reasons you guys gave don't hold any water with me.
MARIA VARMAZIS
I think you're really lucky. I mean, you never really got—Smart, Maria.
CAROLE THERIAULT
Brainy.
MARIA VARMAZIS
Very smart. You saw this problem coming a mile away. I mean, you were able to not get tangled up in all of this, but a lot of us are, and it's—I wish I could just hit delete.

I really wish I could.
CAROLE THERIAULT
I promise you'll survive if you do it.
MARIA VARMAZIS
Oh, I know I will. I just will never ever know what's going on in my social group ever again.
GRAHAM CLULEY
Just take up another habit like crystal meth. No, come on.
CAROLE THERIAULT
Probably takes less time than Facebook.
MARIA VARMAZIS
My skin might suffer a little bit.
GRAHAM CLULEY
So girls, what do you think happens when you press the delete my account button?
MARIA VARMAZIS
Are you sure? Are you sure? Are you sure?
CAROLE THERIAULT
Are you really, really sure?
MARIA VARMAZIS
Please, please don't kill us. Please, please.
GRAHAM CLULEY
Here's a picture of Mark Zuckerberg's dog. Isn't it cute? Why don't you friend that? No. What it actually does is nothing.

Does nothing for a few days because it's given you a chance to change your mind.
CAROLE THERIAULT
Of course. So they say psychological warfare.
GRAHAM CLULEY
We will delay deletion of your account for a few days. So you have that instant regret. Oh, should I really have done that? Maybe I shouldn't. I wonder what I'm missing.

Because that evening you're thinking, I wonder if anyone's posted any funny cat memes.
MARIA VARMAZIS
Your grandma calls you up, "You did what? How am I gonna share my favorite do you remember from the 1920s memes?"
CAROLE THERIAULT
Is that what your granny voice sounds like?
GRAHAM CLULEY
If you try and log back into your Facebook account after pressing that delete button in the first few days, it's gonna be like you deactivated it.

Your request is cancelled, yippee, and your account is back. And Facebook says it can take up to 90 days, up to 3 months to delete data they may have stored in their backup systems.

But it says during that time, your information isn't available on Facebook publicly.
CAROLE THERIAULT
I think that's the length of time that addicts are often told— that's the first phase of being clean is 3 months. So that's interesting.
GRAHAM CLULEY
Now, the other thing is that some information isn't actually stored in your account, which means that you're not going to delete everything.

If you've been communicating, if you've been sending messages to friends and things, they're still going to have those messages in their inboxes.
CAROLE THERIAULT
Yeah, it doesn't scrub their account.
GRAHAM CLULEY
Exactly.
MARIA VARMAZIS
Unless you're Mark Zuckerberg, and then you can have your messages mysteriously disappear.
GRAHAM CLULEY
He did do that.
MARIA VARMAZIS
He did. But we can't have that capability now.
GRAHAM CLULEY
It was the equivalent of you, Crow. Do you remember, Crow, when you sent some— I think you replied to all something not entirely appropriate.
CAROLE THERIAULT
I was telling someone off, wasn't I?
MARIA VARMAZIS
How do I retract that email?
CAROLE THERIAULT
Yes, I yanked the cable out of the back of the computer. This was before Wi-Fi. I don't know what I'd do now.
GRAHAM CLULEY
It was that Terminator 2 moment.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
Throw yourself across the desk. And Graham was like, what are you doing? And I'm like, nothing. But I saved it. It didn't go. I don't know how I managed it.
GRAHAM CLULEY
So that is how you do it. We've put the link in there and that will delete your account.

And the thing is, whatever privacy steps you take, even if shutting down platform and things like that, if you continue to have a Facebook account, you're still sharing information with Facebook.

And you have to ask yourself, do you trust this organization with your information?
CAROLE THERIAULT
And I do 100%.
GRAHAM CLULEY
You do?
CAROLE THERIAULT
100%.
MARIA VARMAZIS
That has been extremely clear from this entire podcast.
GRAHAM CLULEY
And think about how much time you're going to— extra time you're going to get back in your life because you're not constantly checking Facebook.

You'll probably go on to some other social network instead.
MARIA VARMAZIS
Yeah, I've got TweetDeck open.
GRAHAM CLULEY
I mean, so I think I'm going to delete my account. Right.
CAROLE THERIAULT
Are you?
GRAHAM CLULEY
I have deleted it before.
MARIA VARMAZIS
I know.
GRAHAM CLULEY
And what happened with me was about 5 years ago, I started working for myself and I thought I should really probably have a Facebook account because I need to promote, well, the podcast and need to promote the blog and things like that.

Right. And so I started creating the community. Now I closed down my blog page. I told them I'm not going to update it anymore and it's going to be deleted.

Carole, what we haven't discussed is what should we do about the Smashing Security Facebook group?
MARIA VARMAZIS
I was just going to ask about that. Yeah.
CAROLE THERIAULT
I've never been on it.
GRAHAM CLULEY
No, I've noticed that.
MARIA VARMAZIS
Of course you haven't.
CAROLE THERIAULT
I haven't been on it. So, you know, I love that they're there, but I'm not going to miss them. Well, I say, you know, get in touch via old school methods. Send me a letter.

Handwritten letter.
MARIA VARMAZIS
Postcard campaign for Smashing Security.
CAROLE THERIAULT
Exactly. Postcards.
GRAHAM CLULEY
Carole, this is our fan base.

Right now, the one thing that is stopping me from deleting my personal account is that it is the administrator for our Smashing Security Facebook group.
CAROLE THERIAULT
I don't care.
GRAHAM CLULEY
Really?
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
Wow.
CAROLE THERIAULT
This is your— you're— you're—
GRAHAM CLULEY
I—
CAROLE THERIAULT
Hey, I love Smashing Security. I am not— I am not—
GRAHAM CLULEY
What's Angelina going to say?
MARIA VARMAZIS
I'm just reading the group chat.
GRAHAM CLULEY
What are they gonna do? We've got some people who love us up there, Carole.
CAROLE THERIAULT
Well, they can love us. Why does that stop them loving us?
GRAHAM CLULEY
Hang on, Andrew Angelina. Geoff.
CAROLE THERIAULT
Oh good, that's good. That's good GDPR practice. Read all their full names off on the air.
MARIA VARMAZIS
Oh, I'm gonna have to get the bleeper out, am I?
GRAHAM CLULEY
Tony. Bronwyn.
MARIA VARMAZIS
Rik Astley.
CAROLE THERIAULT
Let's just, you know what, let's just look right now. I'm sure I have a lighter or a match somewhere in the house near the barbecue.

I am gonna hold up a little flame for all our Facebook fans.
GRAHAM CLULEY
And when you find yourself on dodgy networks, doo doo doo, we're going to press delete. Okay. So we're going to kill off the Smashing Security Facebook group. Oh no!
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
Because we don't want to give anybody another reason to stay on Facebook, right?

I'm sure we're not the only reason they're on Facebook, but why should we make it— I'm pretty damn sure that's not the case.

Why should we add to the difficulty of quitting the addiction?
MARIA VARMAZIS
Yeah. Confession time. You are the only reason I am still on Facebook.
CAROLE THERIAULT
Ignore everything else I've said.
MARIA VARMAZIS
In this podcast. That's actually the reason.
GRAHAM CLULEY
So we're going to go through this process. First of all, we're going to download our data.

We're going to check that we don't have any websites or third-party apps which are associated with our Facebook login.

And if they are, we'll recreate accounts on those sites without using Facebook logins. Okay. Or we just ditch the apps because what are they thinking?

And we'll zap the Smashing Security Facebook group. Sorry guys. Thank you for all the support. Go and join us on Twitter.
MARIA VARMAZIS
Yeah, on Twitter instead. Yeah.
CAROLE THERIAULT
So much better.
GRAHAM CLULEY
Well, that's the question. Now, what's the alternative? Is there anything like Facebook which we actually like? I don't know that there is.
MARIA VARMAZIS
I mean, a lot of people say go to Instagram, but that's owned by Facebook.
GRAHAM CLULEY
Well, yeah, exactly.
MARIA VARMAZIS
That's where all the younger folks tend to be at, and that's— it's owned by Facebook. So, you know, the exit is right there.
CAROLE THERIAULT
I say go old school. Go old school. Send an ad in the paper, Graham.
MARIA VARMAZIS
I will get on my donkey and I will ride over and I'll talk to you in person. It'll be about 3 months till I get there because I have to take a boat.
CAROLE THERIAULT
Why don't you start doing a town crier thing in the city?
MARIA VARMAZIS
That's probably great.
CAROLE THERIAULT
Yeah, and Maria would be amazing.
MARIA VARMAZIS
Oh my God, I could do it.
CAROLE THERIAULT
You could.
MARIA VARMAZIS
I think my main qualm is that it's super easy to quit Facebook if you never really use it to begin with, but if you're really, really in, you have to sort of take baby steps to cut off your addiction.
GRAHAM CLULEY
I think that may be sensible advice because otherwise you'll just jump back in again.
MARIA VARMAZIS
Yeah, it's too hard to go—
CAROLE THERIAULT
You guys with your addiction advice.
MARIA VARMAZIS
Well, I mean, okay, so here's what I like.
GRAHAM CLULEY
Cheese sandwiches, find them hard to stop.
CAROLE THERIAULT
Yeah, do you, what do you do? Do it cold turkey when you decide to give them up, or do you just—
GRAHAM CLULEY
I love me a turkey sandwich with some salt.
CAROLE THERIAULT
Now you're talking.
MARIA VARMAZIS
One thing you— so for Facebook, legitimately get rid of the app on your phone first. That seems to be the first thing to try. That's what I did about a year ago.

That helped me a lot.
GRAHAM CLULEY
That's a good idea.
MARIA VARMAZIS
Just get the phone app off your phone so it's not tracking your location at least, and only check in on a computer. It forces you to use it a lot less.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
And that will sort of force you to really, really slow down your Facebook use, and then you'll see, do you really need it?
GRAHAM CLULEY
I've just deleted my Facebook app on my phone.
CAROLE THERIAULT
Hallelujah!
MARIA VARMAZIS
That's how you start.
GRAHAM CLULEY
I think that is a fantastic first step. I will be deleting my account entirely. I will be posting up an apology to our Smashing Security listeners as to what's happening.

I'm sure they've listened to the podcast and know, well, I'm going to give them time just to deal with it.
MARIA VARMAZIS
And they may be catching up on past episodes. It takes us some time.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
I'm sure they're going to care.
MARIA VARMAZIS
I mean, I'm behind by an episode or two, so, you know.
GRAHAM CLULEY
Well, that just about wraps it up for this special splinter episode of Smashing Security.

We'll be back next week with a regular episode, pick of the week and all the other goodies and a different guest.

But if you want to follow us in the meantime, you can join us on Twitter @SmashingSecurity. Security, no G, Twitter wouldn't let us have a G.

You can grab t-shirts and stickers and mugs and things like that at smashingsecurity.com/store.

And you can go to smashingsecurity.com for past episodes and for details on how to get in touch with us. Thanks for tuning in. Thank you, Maria, as well for joining us.

If you like the show, rate it on Apple Podcasts. It really does help new listeners discover us, which we like. Until next time, cheerio, bye.
CAROLE THERIAULT
Bye everyone! Bye!
GRAHAM CLULEY
Uber for uteri? Is it uteri rather than uterus?
CAROLE THERIAULT
No, it's not. Uteron? Vairi? Uterons? It's the same ending, same suffix. But—
MARIA VARMAZIS
Etymology.
GRAHAM CLULEY
But—
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
I see. I agree. We are speaking Greek, remember?
MARIA VARMAZIS
Dad, what's the answer? You know, I'm actually going to have a hard think about that one because I feel like I should know.
CAROLE THERIAULT
Maybe just ask Google during the show.
MARIA VARMAZIS
All right. It's really ridiculous.
GRAHAM CLULEY
Shall we move on?
MARIA VARMAZIS
Apparently it is uteri.
CAROLE THERIAULT
Right? I stand corrected.
MARIA VARMAZIS
Or uteruses. That might be the American influence because we don't know. Anywho.

If it helps, just consider your Facebook departure as “temporary” while you complete a “thorough security review.” You may find you don’t miss it at all.
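In the podcast above, Graham mentions adding rules to his ad blocker so that Facebook's Like buttons on third-party sites cannot report back which pages he visits, and Maria describes Mozilla's Facebook Container extension, which isolates the Facebook identity from the rest of the web. The mechanism both defences target is the same: an embedded Like button is a request to facebook.com made from someone else's page, and the browser attaches the Facebook login cookie to it. The following is an added example, not the hosts' own rules and not part of the original post. It models, in simplified form, how an AdBlock Plus/uBlock Origin style filter such as `||facebook.com^$third-party` decides what to block: the rule fires only when the site issuing the request differs from the site it is sent to, so Facebook's own pages keep working while the Like button on a news site does not load. The sample requests are constructed for illustration, the filter parser supports only the `||host^` pattern with the `third-party` option, and the "registrable domain" check uses a last-two-labels approximation in place of the Public Suffix List a real blocker consults.

```python
"""Simplified model of ad-blocker filter matching for third-party social embeds.

Added example: illustrates why "$third-party" rules stop Like-button tracking on
other sites without breaking facebook.com itself. Not the podcast hosts' own rules.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample requests, as (URL of the page being viewed, URL of a request it
# triggers). Illustrative only, not captured traffic.
SAMPLE_REQUESTS = [
    ("https://news.example.com/story/1", "https://news.example.com/static/app.js"),
    ("https://news.example.com/story/1", "https://connect.facebook.net/en_US/sdk.js"),
    ("https://news.example.com/story/1",
     "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews.example.com%2Fstory%2F1"),
    ("https://www.facebook.com/messages", "https://www.facebook.com/ajax/threadlist.php"),
]

# Filters in AdBlock Plus / uBlock Origin syntax (assumed for this example).
# "||host^" anchors at a domain boundary, so it matches the host and its subdomains;
# "$third-party" restricts the rule to requests whose site differs from the page's site.
FILTERS = [
    "||facebook.com^$third-party",
    "||facebook.net^$third-party",
]


def registrable_domain(host):
    """Approximation: the last two DNS labels. A real blocker uses the Public Suffix
    List so that names such as 'bbc.co.uk' are grouped correctly; out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url, request_url):
    """True when the request leaves the site that the page belongs to."""
    page_host = urlsplit(page_url).hostname or ""
    req_host = urlsplit(request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(req_host)


@dataclass(frozen=True)
class Filter:
    domain: str
    third_party_only: bool


def parse_filter(text):
    """Parse the subset '||domain^[$third-party]' used in this example."""
    pattern, _, opts = text.partition("$")
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError(f"unsupported filter syntax: {text}")
    options = {o.strip() for o in opts.split(",") if o.strip()}
    return Filter(domain=pattern[2:-1].lower(), third_party_only="third-party" in options)


def host_matches(host, domain):
    """Domain-boundary match: 'www.facebook.com' matches 'facebook.com', 'notfacebook.com' does not."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def is_blocked(page_url, request_url, filters):
    host = urlsplit(request_url).hostname or ""
    for f in filters:
        if not host_matches(host, f.domain):
            continue
        if f.third_party_only and not is_third_party(page_url, request_url):
            continue  # same site as the page: Facebook's own traffic is left alone
        return True
    return False


def classify(requests, filter_texts=FILTERS):
    """Return [(request_url, blocked?)] for each (page, request) pair."""
    parsed = [parse_filter(t) for t in filter_texts]
    return [(req, is_blocked(page, req, parsed)) for page, req in requests]


if __name__ == "__main__":
    for req, blocked in classify(SAMPLE_REQUESTS):
        print("BLOCK " if blocked else "allow ", req)
```

Run as a script, it reports the news site's own script and Facebook's own AJAX call as allowed, and the SDK and Like-button requests embedded in the news page as blocked. That asymmetry is the whole point of the `third-party` option: the same destination is treated differently depending on which site asked for it. Facebook Container achieves a similar outcome by a different route, keeping the login cookie in a separate cookie jar so that, even where the request is allowed through, it arrives without the identity that would tie the page visit to an account.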


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

8 comments on “Two reasons to reconsider your Facebook membership”

  1. milgram

    "According to Facebook, the vulnerability in its code was introduced in July 2017, and on September 16th it saw a massive spike in traffic on its servers as hackers exploited the flaw"
    Is this a typo, or did they keep it quiet for more than a year?

    1. David L · in reply to milgram

      No, the feature was introduced in July 2017; we don't know just when hackers discovered the bug in the feature, but assume it was recently. Perhaps within days of the spike in traffic.

      I'm going to kill my account now, even though I hardly use it. My total data they claim to have on me was only 467kb, which is not much, and I downloaded it to review too. It's nothing compared to what's been revealed now, that they collected without our knowledge. Trust is gone.

  2. John Crowther

    I read it that they discovered it in September 2018, but the vulnerability had existed since a code change in July 2017.
    So they didn't keep it quiet, but have been able to establish how long the issue existed for.

    1. Graham Cluley · in reply to John Crowther

      That's correct John.

      Facebook introduced the flaw in July 2017.

      There was a lot of traffic exploiting the flaw on September 16 2018.

      Facebook investigated the traffic spike, and determined that someone had been exploiting the flaw, on 25 September 2018.

      On Friday 28 September 2018 – coincidentally (?) while the whole world's media were distracted by the ongoing circus around the Brett Kavanaugh hearings – Facebook went public.

      There's nothing to suggest that Facebook knew about the problem before September 2018.

  3. mark jacobs

    Personally, I would consider Facebook to be a public platform, no matter what security restrictions you enforce on your FB accounts. Someone somewhere is going to read your details eventually. This is probably true of any data you enter onto the web. Ultimately, it will be hacked open and plundered by black-hatters. The web has made the world and all of its transactions transparent. Personally, I don't mind because it's stupid trying to keep secrets nowadays. The web and the ubiquity of surveillance technology mean you're always being watched, investigated and anticipated. The watchers have not changed my life or actions therein. The watchers have no lives of their own!

    1. Pete · in reply to mark jacobs

      Mr. Jacobs: You're welcome to believe that "it’s stupid trying to keep secrets nowadays", but your sanguine attitude will change quickly if you become a victim of identity theft.

      I can tell you from personal experience that the watchers will change your "life or actions therein" significantly, and you won't like it.

      I expect that you'll suddenly acquire a vastly different perspective about what you're now calling "stupid".

  4. Ben

    The thing that continues to bother me with Facebook and Messenger is that, although I've disabled targeted advertising, I still get adverts targeted to my country and age. Out of the last two adverts, one said I may be seeing it because I'd recently been near their business, which I had but I don't share my location with Facebook, Messenger, WhatsApp or Instagram; the other was MuleSoft and it suggested I was similar to their customers, which I probably am. None of that seems like non-targeted advertising to me.

    Facebook aren't alone — Twitter also shows me ads based on country and age when I've opted out of targeted ads.

  5. MOE

    The problem is going to be when they start changing your pages; wait and see, it's coming. My take: no one's opinions nor lives are that important, it's all self-adulation.
