
Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

In a new blog post entitled "Keeping Passwords Secure," Facebook VP of Engineering, Security and Privacy Pedro Canahuati explains how the social media giant accidentally stored Facebook users' passwords on internal data storage systems in plain text. Pedro explains how "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, picking strong passwords, using a password manager, and enabling a security key or two-factor authentication. In recent months, Facebook has vowed to clean up its act as it has been accused of sharing user data, one-click account takeover bugs, paying minors to harvest their data without parental consent, having its enterprise certificate revoked by Apple, an access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

Posted by cageymaru March 21, 2019 1:17 PM (CDT)

Facebook Unveils the Oculus Rift S

At GDC, Facebook unveiled their next PC virtual reality headset. Among other things, the Oculus Rift S features a "higher pixel density" and "improved optics," but doesn't divulge many technical details. According to UploadVR, the new headset now uses a single 2560x1440 LCD instead of dual PenTile 2160x1200 OLED displays. And instead of requiring external sensors, the new Rift uses built-in cameras for tracking. It also features "enhanced" comfort, integrated audio, a better passthrough feature to keep you from bumping into walls, as well as compatibility with the same game library as the previous Rift, along with the same hardware requirements. Facebook says that the Rift S is launching in Spring 2019 for $399 USD.

Oculus Rift S is our most advanced PC-powered headset. Take on VR's best games with improved resolution and comfortable new design. No external sensors. No complicated set up. Just hands-on action and interaction. Step into the game and the future of PC VR. Coming Spring 2019.

Posted by alphaatlas March 20, 2019 10:47 AM (CDT)

A "Server Misconfiguration" Was Behind the Facebook Outage

Facebook and Instagram were down for about 14 hours earlier this week, and earlier reports suggested that the underlying cause was a BGP routing issue. As time went on without an official explanation, many started to suspect that the outage was related to an attack on the platform. But yesterday, Facebook tweeted that the trouble was a "result of a server configuration change." There's still no mention of the incident in Facebook's official newsroom, and some news outlets are starting to criticize the timeliness of Facebook's response and explanation. One security analyst told the BBC that "Facebook's motto always used to be 'move fast and break things'. That's fine when you're an innovative start-up, but when billions of people are using your site every month it's not a good way to run the business."

Yesterday, as a result of a server configuration change, many people had trouble accessing our apps and services. We've now resolved the issues and our systems are recovering. We're very sorry for the inconvenience and appreciate everyone's patience.

Posted by alphaatlas March 15, 2019 9:00 AM (CDT)

Facebook is Under Criminal Investigation for Data Sharing Practices

Facebook's news coverage hasn't been particularly positive over the past few months, but they had a particularly bad day yesterday. Following a widespread outage that lasted over 14 hours, and likely cost the company millions in advertising revenue, the New York Times released a report claiming that the U.S. Department of Justice has launched a criminal investigation into Facebook over their data sharing practices. According to their sources, two major handset manufacturers have already been subpoenaed. At this point, Facebook's public image seems to be in "it couldn't possibly get any worse" territory, hence their stock price barely budged in response to the incident and the story, and is still significantly up since the beginning of March.

"It's already been reported that there are ongoing federal investigations, including by the Dept of Justice. As we've said, we're cooperating with investigators and take those probes seriously. We've provided public testimony, answered questions, and pledged that we'll continue to do so."

Posted by alphaatlas March 14, 2019 10:00 AM (CDT)

Facebook Outage Caused by BGP Routing Error

NETSCOUT has released a statement to BleepingComputer that the Facebook and Instagram outages were caused by a BGP routing error.

"'At approximately 12:52PM EST on March 13th, 2019, it appears that an accidental BGP routing leak from a European ISP to a major transit ISP, which was then propagated onwards to some peers and/or downstreams of the transit ISP in question, resulted in perceptible disruption of access to some well-known Internet properties for a short interval. While not malicious in nature, such events can prove disruptive on a widespread basis. It is very important that all network operators implement BGP peering best current practices (BCPs), including prefix-lists, max-prefixes, 'peer-locking' via AS-PATH filters, RPKI Origin Validation (RFC6811), and other techniques incorporated into the industry Mutually Agreed Norms for Routing Security (MANRS) detailed at .' -Roland Dobbins, NETSCOUT Principal Engineer"

Posted by cageymaru March 13, 2019 5:30 PM (CDT)

Facebook and Instagram Are down

Facebook and Instagram are reportedly down. This probably means that your personal information will have to wait until both services are back up before it is harvested (sarcasm). Facebook acknowledged the connection troubles on Twitter since it couldn't announce them on its own social media platform. Maybe this is part of Mark Zuckerberg's plan to shift Facebook to a "privacy-focused" platform?

We're aware that some people are currently having trouble accessing the Facebook family of apps. We're working to resolve the issue as soon as possible.

Posted by cageymaru March 13, 2019 2:31 PM (CDT)

Facebook Acquires Interconnect IP Provider Sonics

Hot on the heels of Nvidia's Mellanox acquisition, EE Times reports that Facebook has acquired Sonics, a Silicon Valley-based IP provider that specializes in on-chip networking and power management. The report initially came from sources claiming "key Sonics executive members are now working for Facebook," but Facebook contacted EE Times shortly after the article went live and confirmed the acquisition. They said "we're rapidly developing new VR and AR products and deepening our technology expertise in silicon is an important step for our 10-year roadmap. We're excited to welcome the remarkable Sonics team and technology to AR/VR at Facebook." However, what's particularly interesting is what Facebook could do with the newly acquired company outside of standalone AR/VR headsets. The publication asked the social media giant if they intended to use Sonics' IP for datacenter chips, and Facebook said "It's too early to rule out anything. But our initial focus will be VR and AR." While that's certainly far from a confirmation, it's not a denial either, and the technology I see on an archived version of Sonics' website and their YouTube channel seemingly lends itself to high performance datacenter chips. In other words, this could be evidence that Facebook is following in the footsteps of Amazon, and working on their own datacenter hardware to reduce their reliance on third parties.

"It would indicate to me that Facebook is indeed working on its own multicore, and probably heterogeneous, processor," Krewell said. Of course, that's what all the cool cloud players are apparently doing these days, he added. Mike Demler, senior analyst at the Linley Group, however, is the only one who suggested, "Yes, Facebook designs ASICs for its data centers, but they also may develop chips for Oculus VR headsets." Surprising to Krewell, though, is that Facebook bought the company rather than just licensing the technology. Linley has another theory. "If the Facebook team decided to use Sonics IP, and Sonics was running out of money, Facebook could have stepped in to ensure the continuity of its design project." He said this would be similar to what happened in the case of Intel's NetSpeed acquisition deal last year.

Posted by alphaatlas March 13, 2019 12:51 PM (CDT)

The Verge Investigates the Life of a Facebook Moderator

Here at HardOCP, I think the sheer volume of garbage that makes its way into Facebook posts before moderators take it down is common knowledge. Facebook itself has the daunting task of trying to moderate all that content, and according to a recent writeup from The Verge, they subcontract some of those moderation duties out to a company called Cognizant. While Cognizant employees allegedly have to sign a strict NDA, The Verge managed to interview a few of them, and what they found isn't pretty. The moderation work itself takes a serious mental toll on Cognizant's employees, who don't enjoy the same generous benefits Facebook employees tend to get, but their descriptions also open a window into Facebook's internal moderation policies. For example, some posts that would seemingly violate Facebook's internal guidelines aren't arbitrarily categorized as a "protected characteristic" by Facebook, and therefore have to stay up, while other similar posts get taken down. Facebook reportedly updates their guidelines every day, and conflicting sources of information make it difficult for moderators to do their job consistently while trying to hit Facebook's target "accuracy" score. While a tour of the moderation facility didn't paint it in a particularly bad light, assuming any of these interviews are true, the work Facebook's moderators do is even harder than it appears to be. Thanks to cageymaru for the tip.

The fourth source is perhaps the most problematic: Facebook’s own internal tools for distributing information. While official policy changes typically arrive every other Wednesday, incremental guidance about developing issues is distributed on a near-daily basis. Often, this guidance is posted to Workplace, the enterprise version of Facebook that the company introduced in 2016. Like Facebook itself, Workplace has an algorithmic News Feed that displays posts based on engagement. During a breaking news event, such as a mass shooting, managers will often post conflicting information about how to moderate individual pieces of content, which then appear out of chronological order on Workplace. Six current and former employees told me that they had made moderation mistakes based on seeing an outdated post at the top of their feed. At times, it feels as if Facebook’s own product is working against them. The irony is not lost on the moderators. "It happened all the time," says Diana, a former moderator. "It was horrible - one of the worst things I had to personally deal with, to do my job properly." During times of national tragedy, such as the 2017 Las Vegas shooting, managers would tell moderators to remove a video - and then, in a separate post a few hours later, to leave it up. The moderators would make a decision based on whichever post Workplace served up. "It was such a big mess," Diana says. "We're supposed to be up to par with our decision making, and it was messing up our numbers."

Posted by alphaatlas February 26, 2019 11:38 AM (CST)

How Facebook Tracks Your Ovulation and Heart Rate Through Apps

The Wall Street Journal is reporting that apps are sending sensitive information to Facebook through the Facebook SDK. The Facebook SDK makes it easy for app writers to share information with Facebook through a built-in analytics service called "App Events." 17.6% of the apps on Apple's App Store and 25.4% of the apps on the Google Play Store use the Facebook SDK. These apps are collecting your data to "allow apps to better understand their users' behavior or to collect data to sell targeted advertising." Facebook says it didn't know that health information was being collected and shared, as this violates their policies. Facebook collects the information for market research and advertising campaigns. Users do not even need a Facebook account for their information to be shared with the social media giant. Some of the apps analyzed by The Wall Street Journal shared information such as weight, height, women's period, length of cycle, ovulation, heart rate, when women desire to get pregnant, and location and prices of home listings, including which were marked as favorites. Other information shared includes: a unique advertising identifier that can be matched to a device or profile, email address, which part of the body a person has issues with in regards to weight loss, and many other interactions. Within seconds of entering information into an app, Facebook is sent a copy of the information. "Facebook can often match that data with actual Facebook users."

Facebook said some of the data sharing uncovered by the Journal's testing appeared to violate its business terms, which instruct app developers not to send it "health, financial information or other categories of sensitive information." Facebook said it is telling apps flagged by the Journal to stop sending information its users might regard as sensitive. The company said it may take additional action if the apps don't comply. "We require app developers to be clear with their users about the information they are sharing with us," a Facebook spokeswoman said. She said Facebook automatically deletes some sensitive data it might receive, such as Social Security numbers.

Posted by cageymaru February 22, 2019 2:59 PM (CST)

Facebook Is Allegedly Working on Custom Machine Learning Hardware

Nvidia GPUs are the undisputed king of the machine learning hardware market today, but more and more companies are throwing their hat into the AI ring. Google has already introduced their machine learning-focused TPU, and other giants like Amazon and Intel are reportedly following suit, while a number of smaller startups are filling in niches or taking riskier approaches to compete with the bigger players. Last year, various reports surfaced claiming that Facebook was working on their own, custom ASICs, but an EE Times report said that it was "not the equivalent of [Google's] TPU." Now, according to a Bloomberg report published earlier this week, some of Facebook's upcoming custom silicon may focus on machine learning after all. Facebook's chief AI researcher says that "the company is working on a new class of semiconductor that would work very differently than most existing designs," and mentioned that future chips will need radically different architectures.

"We don't want to leave any stone unturned, particularly if no one else is turning them over," he said in an interview ahead of the release Monday of a research paper he authored on the history and future of computer hardware designed to handle artificial intelligence... LeCun said that for the moment, GPUs would remain important for deep learning research, but the chips were ill-suited for running the AI algorithms once they were trained, whether that was in datacenters or on devices like mobile phones or home digital assistants.

Posted by alphaatlas February 20, 2019 9:35 AM (CST)

Facebook Bug Would've Allowed for One Click Account Takeovers

A security researcher spotted a bug in Facebook that would've allowed attackers to take over accounts from users that clicked on a single link. According to Youssef Sammouda, a vulnerable endpoint easily allowed him to make posts on a user's timeline, delete a profile picture, or delete accounts with a single, relatively simple URL. But putting up an external domain with a simple script allowed samm0uda to completely take over Facebook accounts. Fortunately, Facebook's security team is more diligent than most, as they immediately responded to his bug report and fixed it in a matter of days. This security researcher seems to be a particularly prolific bug hunter, as he's posted over a dozen separate exploits in the last month alone, and Facebook has officially listed him as one of their top security researchers. Thanks to The Hacker News for spotting the post.

This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to takeover of victims accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link... The attack seems long but it's done in a blink of an eye and it's dangerous because it doesn't target a specific user but anyone who visits the link in step 1.

Posted by alphaatlas February 19, 2019 11:08 AM (CST)

NATO Experiment Manipulated Soldiers Through Facebook

The NATO Strategic Communications Centre of Excellence published a report (PDF warning) on the challenges governments face with online security, and Wired managed to spot a particularly interesting experiment within the multi-section report. As part of an experiment, the independent NATO organization used Facebook to try to manipulate soldiers during a military exercise. Over several weeks, the researchers posted fake webpages and groups, promoted them with targeted advertising, and gradually lured members of the military exercise into them. Eventually, the researchers were able to identify "a significant amount of people taking part in the exercise and managed to identify all members of certain units, pinpoint the exact locations of several battalions, gain knowledge of troop movements to and from the exercises, and discover the dates and active phases of the exercises." The researchers note that several of Facebook's existing countermeasures were effective, but they weren't enough to stop the researchers from effectively infiltrating the exercise.

The researchers also tracked down service members' Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. "We managed to find quite a lot of data on individual people, which would include sensitive information," Biteniece says. "Like a serviceman having a wife and also being on dating apps." "Every person has a button. For somebody there's a financial issue, for somebody it's a very appealing date, for somebody it's a family thing," Sarts says. "It's varied, but everybody has a button. The point is, what's openly available online is sufficient to know what that is."

Posted by alphaatlas February 19, 2019 8:30 AM (CST)