Slashdot Mirror


Facebook Founder Accused of Hacking Into Rivals' Email

An anonymous reader notes a long piece up at BusinessInsider.com accusing Facebook founder Mark Zuckerberg of hacking into the email accounts of rivals and journalists. The CEO of the world's most successful social networking website was accused of at least two breaches of privacy. In a two-year investigation detailing the founding of Facebook, Nicholas Carlson, a senior editor at Silicon Alley Insider, uncovered what he claimed was evidence of the hackings in 2004. "New information uncovered by Silicon Alley Insider suggests that some of the complaints [in a court case ongoing since 2007] against Mark Zuckerberg are valid. It also suggests that, on at least one occasion in 2004, Mark used private login data taken from Facebook's servers to break into Facebook members' private email accounts and read their emails — at best, a gross misuse of private information. Lastly, it suggests that Mark hacked into the competing company's systems and changed some user information with the aim of making the site less useful. ... Over the past two years, we have interviewed more than a dozen sources familiar with aspects of this story — including people involved in the founding year of the company. We have also reviewed what we believe to be some relevant IMs and emails from the period. Much of this information has never before been made public. None of it has been confirmed or authenticated by Mark or the company." The single-page view doesn't have its own URL; click on "View as one page" near the bottom.

261 comments

  1. And you thought Mob Wars was nasty by Anonymous Coward · · Score: 5, Funny

    Lawyers throughout the US just had orgasms....

    1. Re:And you thought Mob Wars was nasty by apostrophesemicolon · · Score: 1

      so is this gonna be a case of United States vs Mark Zuckerberg, Since everybody and their neighbor's dog is on facebook?

    2. Re:And you thought Mob Wars was nasty by mrclisdue · · Score: 1

      imho, if you're over 30 and dedicated to facebook, well then, nevermind.

      obligatory lolcatz:

      http://i50.tinypic.com/15eipo8.jpg

      cheers,

  2. And what will the Register say? by Anonymous Coward · · Score: 0

    Facebook Founder Accused of Hacking Into Rivals' Email, Bitches.

    1. Re:And what will the Register say? by Kartoffel · · Score: 4, Funny

      If at all possible, they'll use the word "boffin" in there somewhere, too.

    2. Re:And what will the Register say? by Hecatonchires · · Score: 1

      I'll get my coat, it's the one with the ww2-era spy-plane plans

      --

      Yay me!

    3. Re:And what will the Register say? by should_be_linear · · Score: 1

      ...and something will go "tits-up" too.

      --
      839*929
    4. Re:And what will the Register say? by Philip_the_physicist · · Score: 2, Funny

      Of course, otherwise where's the Paris Hilton angle?

    5. Re:And what will the Register say? by spun · · Score: 1

      I eagerly await their Playmobil recreation of the scene.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  3. 1st.. by Anonymous Coward · · Score: 1, Funny

    poke

  4. What's that saying... by Anonymous Coward · · Score: 0

    Oh yeah: "Timber!!!!!!!!!!!!!!"

  5. Wow.. by Anonymous Coward · · Score: 2, Insightful

    just wow.

  6. So will he get a mug shot now? by Joe+The+Dragon · · Score: 1

    So will he get a mug shot now?

    1. Re:So will he get a mug shot now? by longacre · · Score: 1

      It's a civil case.

    2. Re:So will he get a mug shot now? by Brian+Gordon · · Score: 1

      Unauthorized access sounds criminal to me. Penalty ceilings probably go way up too, and Zuckerberg's billions are probably starting to look tempting.

    3. Re:So will he get a mug shot now? by longacre · · Score: 1

      If it happened in 2004, the statute of limitations is long gone.

    4. Re:So will he get a mug shot now? by sthomas · · Score: 1

      IANAL, but the window of limitations for criminal prosecution doesn't begin until the crime is (or should have been) discovered. Just because it was hidden for so long doesn't mean he gets away with it.

    5. Re:So will he get a mug shot now? by GigsVT · · Score: 4, Informative

      Good thing you are not a lawyer, it's from the date it was committed.

      The point of such statutes is because after a long time has passed, the defense is less able to form a coherent defense since a lot of the evidence is gone.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    6. Re:So will he get a mug shot now? by ehrichweiss · · Score: 2, Informative

      Actually, it can also be the case that the statute of limitations applies when the crime was discovered, not necessarily when it was committed. I am told this is especially so if they're trying to convict someone of "habitual criminal". I only know of this because a friend had to file embezzlement charges against an employee who had been stealing from him for longer than the statute of limitations and he was able to get them convicted of the entire string of crimes stretching back several years.

      In civil court one only need look at The Knack v. Run DMC where it's been since 1986 but The Knack are able to sue, so far, because they claim they knew nothing of the song "It's Tricky" until recently despite its massive popularity at the time.

      --
      0x09F911029D74E35BD84156C5635688C0
    7. Re:So will he get a mug shot now? by yuhong · · Score: 1

      What about anti-trust, though? Because the attempt by Zuckerberg to sabotage ConnectU would be an anti-trust violation.

    8. Re:So will he get a mug shot now? by zill · · Score: 1

      Anti-trust laws only apply to corporations. Zuckerberg wouldn't face any charges personally in that case.

    9. Re:So will he get a mug shot now? by yuhong · · Score: 1

      But the corporation will, of course.

    10. Re:So will he get a mug shot now? by Third+Position · · Score: 2, Funny

      So will he get a mug shot now?

      If he does, do you suppose he'll use it for his Facebook profile?

      --
      American Third Position
      Finally, a real choice!
    11. Re:So will he get a mug shot now? by JackieBrown · · Score: 2, Funny

      The statute of limitations kicks in after the crime is completed.

      If it is ongoing, then it would kick in when over.

      IANAL but I have watched Law and Order. The sound wasn't on but I think I got the gist of it.

    12. Re:So will he get a mug shot now? by blackest_k · · Score: 1

      I couldn't find a resolution to that case however recently

      On February 14th, 2010, lead singer Doug Fieger died in Woodland Hills, California after battling both brain and lung cancer for several years.

      Bruce Gary died from lymphoma on August 22, 2006 at the age of 55.

      Of the four original members of The Knack (Fieger, Berton Averre - Guitar, Prescott Niles - Bass, and Bruce Gary - Drums), only Averre and Niles still currently play as The Knack.

      http://en.wikipedia.org/wiki/The_Knack

    13. Re:So will he get a mug shot now? by ultranova · · Score: 2, Funny

      So will he get a mug shot now?

      Why would he? He's a CEO, he's supposed to act like a cartoon villain.

      The world makes a lot more sense when you stop assuming that various businessmen, politicians etc. are trying to further their self-interest in a rational, if ruthless, manner, and instead treat them as villains in a farcical drama movie. That way you don't have to wonder why someone who already has three billions would risk everything to get a fourth, or something to that effect. The implications of that are somewhat... disturbing.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    14. Re:So will he get a mug shot now? by micheas · · Score: 3, Informative

      Good thing you are not a lawyer, it's from the date it was committed.

      The point of such statutes is because after a long time has passed, the defense is less able to form a coherent defense since a lot of the evidence is gone.

      I Am Not A Lawyer, but I have a reasonable amount of experience doing legal research:

      Actually both parent and grandparent are correct. Generally, in civil cases where the standard is preponderance of the evidence or which was more likely, the statute of limitation is from the discovery of the damage. Most of the controlling case law in the US in civil matters was established in the Dalkon Shield cases against A. H. Robins Company. A three-year statute of limitations was held to not protect A. H. Robins 16 years after the faulty product was sold, and 15 years after the initial discovery of injury, but less than three years after the discovery of severe internal damage.

      The standards for criminal law are not preponderance of evidence, but beyond a reasonable doubt, and in criminal law, the statute of limitations are a way of saying that there is reasonable doubt by the passage of time, so we will not even try the case because the burden of proof cannot be met. Therefore criminal matters tend to have a statute of limitations that runs from the commission of the crime.

    15. Re:So will he get a mug shot now? by wisty · · Score: 1

      The best indicator of future behavior is past behavior.

    16. Re:So will he get a mug shot now? by ArsenneLupin · · Score: 1

      the defense is less able to form a coherent defense since a lot of the evidence is gone.

      But wouldn't the same also apply for the prosecution? So both sides would again be on equal footing. And a thinning of evidence on both sides would actually favor the defense (in dubio pro reo), wouldn't it?

    17. Re:So will he get a mug shot now? by ehrichweiss · · Score: 1

      Yeah, it's still an ongoing case AFAIK. I've been scouring the news every few weeks in hopes of finding a resolution (hopefully that it is thrown out of court) but so far it hasn't been dismissed due to the statute of limitations so it seems a valid point.

      --
      0x09F911029D74E35BD84156C5635688C0
    18. Re:So will he get a mug shot now? by ehrichweiss · · Score: 1

      From http://en.wikipedia.org/wiki/Statute_of_limitations

      "A crime (in the case of a criminal prosecution) or a cause of action (in a civil lawsuit) is said to have accrued when the event beginning its time limitation occurs. Sometimes this is the event itself that is the subject of the suit or prosecution (such as a crime or personal injury), but it may also be an event such as the discovery of a condition one wishes to redress, such as discovering a defect in a manufactured good, or in the case of controversial "repressed memory" cases where someone discovers memories of childhood sexual abuse long afterwards."

      --
      0x09F911029D74E35BD84156C5635688C0
    19. Re:So will he get a mug shot now? by kdemetter · · Score: 1

      No, because reasonable doubt means it can't be proven whether someone is guilty or not, and in that case, the ruling is in favor of the defense (the idea is that it's worse to lock up an innocent man than to let a guilty man go free).

    20. Re:So will he get a mug shot now? by dreampod · · Score: 1

      Of course in the US this only applies to whites and asians, while the opposite situation applies for blacks and latinos - presumably to balance out the impact.

    21. Re:So will he get a mug shot now? by drharris · · Score: 1

      Of course in the US this only applies to whites and asians, while the opposite situation applies for blacks and latinos - presumably to balance out the impact.

      Yes indeed, witness the O.J. Simpson criminal trial.. Oh wait..

    22. Re:So will he get a mug shot now? by AG+the+other · · Score: 1

      It's been in litigation for two years already. Once the litigation starts the statute of limitations is meaningless.

      --
      Non bene pro toto libertas venditur auro
    23. Re:So will he get a mug shot now? by ginbot462 · · Score: 1

      Bomp! Bomp!

      There's your sound.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
  7. Serious Allegations by Afforess · · Score: 5, Insightful

    This is a serious allegation. With all of the information Facebook aggregates, they potentially could unlock many people's emails and various other accounts with the family and personal information. Lots of people use simple things like their pets or parents birthdays as those reminder question answers, and Facebook could easily hold all the correct information to gain access to those accounts. If this case is proven true, I can see some new laws on how companies with this kind of information have to structure and protect it. Hopefully people will wake up and stop putting their personal information where Facebook and others can see...

    --
    If our elected representatives no longer represent us, do we still live in a Democracy?
    1. Re:Serious Allegations by jo42 · · Score: 3, Insightful

      What about all the e-mails, calendars, documents and what not else that people store with Google? Are they no less to be wary of?

    2. Re:Serious Allegations by Anonymous Coward · · Score: 5, Funny

      Yeah but Google is different. They are nice. They do no evil, right?

    3. Re:Serious Allegations by icepick72 · · Score: 4, Informative

      Don't forget the facebook Friend Finder asks for your email account password to log into your email account automatically and match your contacts against the facebook user base. Although they promise not to keep that password, they could.

    4. Re:Serious Allegations by Anonymous Coward · · Score: 0

      in case you guys need another reminder on NOT putting your personal information out there:

      http://www.pleasrobme.com

    5. Re:Serious Allegations by Draykwing · · Score: 2, Insightful

      Why do you think that when I used it, I changed my password, gave them the changed one, and immediately after changed it to a third, unrelated password?

    6. Re:Serious Allegations by Anonymous Coward · · Score: 0, Redundant

      Whoosh.

    7. Re:Serious Allegations by Selfbain · · Score: 5, Funny

      Do they have sarcasm on your planet?

      --
      Well, it has never been successfully tested.
    8. Re:Serious Allegations by Capsaicin · · Score: 2, Funny

      Do they have sarcasm on your planet?

      Sarcasm?!!

      Sarcasm is prevarication and prevarication is sarcasm. Wake Up! Sarcasm is just as evil as all the other rhetorical devices.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    9. Re:Serious Allegations by Mitchell314 · · Score: 0, Offtopic

      Who wasted their mod points on "Interesting"?


      Slashdot seriously needs a "-.5 Woosh" mod.

      --
      I read TFA and all I got was this lousy cookie
    10. Re:Serious Allegations by im_dan · · Score: 1

      typo in your url points to an ad farming website
      http://pleaserobme.com/

      --
      Look over their, it's a grammar nazi
    11. Re:Serious Allegations by Hecatonchires · · Score: 1

      and yet again, WHOOSH

      --

      Yay me!

    12. Re:Serious Allegations by gparent · · Score: 5, Funny

      Because you're Jason Bourne?

    13. Re:Serious Allegations by Jeff+DeMaagd · · Score: 1

      My only question is, the alleged hacking took place in 2004, how does it take until 2010 for it to be presented as news on Slashdot?

    14. Re:Serious Allegations by TehDuffman · · Score: 2, Funny

      My only question is, the alleged hacking took place in 2004, how does it take until 2010 for it to be presented as news on Slashdot?

      Sounds about right for Slashdot.

    15. Re:Serious Allegations by Sir_Lewk · · Score: 3, Insightful

      If you were paranoid about it, why bother even giving them your password in the first place?

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    16. Re:Serious Allegations by Anonymous Coward · · Score: 0

      Because you're a paranoid schizophrenic?

    17. Re:Serious Allegations by Anonymous Coward · · Score: 1, Insightful

      Ah, so you only gave them access to all the email you had at that time.

    18. Re:Serious Allegations by yuhong · · Score: 1

      And the founders of Google did not do any of these shenanigans that the founder of Facebook did.

    19. Re:Serious Allegations by Anonymous Coward · · Score: 0

      I think you may have been sarcasmed.

    20. Re:Serious Allegations by EdIII · · Score: 1, Funny

      Sarcasm is prevarication and prevarication is sarcasm. Wake Up! Sarcasm is just as evil as all the other rhetorical devices.

      Wow. That was *so* insightful.

    21. Re:Serious Allegations by Anonymous Coward · · Score: 0

      What does Google have to do with this? Zuckerberg, is that you?

    22. Re:Serious Allegations by Kreigaffe · · Score: 1

      Amateur. I created a whole new one-time-use email account for that. You're totally going to get hacked, and I'm gonna laugh. You have viruses in your chips!

      --
      ... still waiting for this free-as-in-beer free beer I keep hearing about. :|
    23. Re:Serious Allegations by oji-sama · · Score: 1

      If you were paranoid about it, why bother even giving them your password in the first place?

      I must have missed a memo somewhere if changing password after giving it out somewhere counts as paranoid. Also, apparently I'm at least twice as paranoid, as I will never give out my e-mail password.

      --
      It is what it is.
    24. Re:Serious Allegations by hatsch · · Score: 1

      and of course you should not trust this function which says you can remove all your imported contacts

    25. Re:Serious Allegations by Idiomatick · · Score: 1

      Mark created facebook by stealing it out from under his friends (seriously, proof has come out about this), believes that people don't want privacy and now hacks other people's accounts.

    26. Re:Serious Allegations by Anonymous Coward · · Score: 0

      Although they promise not to keep that password, they could.

      For a very specific definition of "keep". This definition may not be the same definition you understand.

      Take for example, ISPs definition of "unlimited bandwidth".

    27. Re:Serious Allegations by Philip_the_physicist · · Score: 2, Interesting

      Of course we should be wary of them, but hopefully this sort of thing will help drive enough people to use secure email to get a critical mass.

      As it is, I can't encrypt most of my outbound mail, because people don't have public keys (even unsigned ones are a lot better than nothing), and most people's clients don't seem to automatically save keys and then apply them when replying, which is really needed if we want non-technical people to use encryption.

      IMO, all mail programs should prompt the user to choose a key when they add an account, and if they don't have one already, create one and start using it.

    28. Re:Serious Allegations by Philip_the_physicist · · Score: 1

      You assume he hadn't cleared out his mailbox first, then they only get what comes in before he changes his password again.

    29. Re:Serious Allegations by gbjbaanb · · Score: 1

      Lots of people use simple things like their pets or parents birthdays as those reminder question answers,

      and more importantly, lots of people use the same password for a lot of sites. If the passwords are not stored securely then he could quickly query the facebook DB and read the password.

    30. Re:Serious Allegations by Sir_Lewk · · Score: 1

      I wasn't using the word paranoid in a way that implied anything negative. I certainly consider it a justifiable paranoia.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    31. Re:Serious Allegations by Dishevel · · Score: 1

      Because you think that you are so smart that they cannot possibly have taken all the info they want from the account you gave them the first time they went in?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    32. Re:Serious Allegations by Dishevel · · Score: 2, Funny

      Wait till it's reported again in 30 minutes with a different title.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    33. Re:Serious Allegations by BobMcD · · Score: 1

      And we know, from the Chuck Norris story, that they were not being stored securely. Allegedly they now are, but without oversight, I'd assume they still are not.

    34. Re:Serious Allegations by turbotroll · · Score: 1

      This is a serious allegation. With all of the information Facebook aggregates, they potentially could unlock many people's emails and various other accounts with the family and personal information.

      What makes you believe they already don't do it?

      Facebook, just like many other similar sites, has a feature which allows import of contacts from third-party mail accounts if given necessary credentials, and most people are stupid enough to actually use it. Who can guarantee that those credentials aren't cached and used for any other purpose than advertised?

      I will be probably modded down as a troll for saying this -- but Facebook users are stupid for ignoring all the evidence of Facebook's true nature and they actually deserve whatever Zuckerberg does to them.

    35. Re:Serious Allegations by turbotroll · · Score: 1

      Mark created facebook by stealing it out from under his friends (seriously, proof has come out about this), believes that people don't want privacy and now hacks other people's accounts.

      Thank all the sheep for enabling Mark.

    36. Re:Serious Allegations by turbotroll · · Score: 1

      Why do you think that when I used it, I changed my password, gave them the changed one, and immediately after changed it to a third, unrelated password?

      What about your correspondents? Did all of them agree with your intention to submit their email addresses to Facebook?

      I, for one, tend to become extremely pissed whenever somebody does this to me -- most of those who have are no longer on my list of friends.

    37. Re:Serious Allegations by hesaigo999ca · · Score: 1

      You know, I think people get what they deserve, if you go ahead and open your facebook account as Paris Hilton, and then go ahead and post all the info and stuff personal enough to set you up for stalking or fraud or even privacy invasion. You deserve it, no one explained the internet to you, once it is out there, it does not belong to you per se, only virtually.

      So if you know someone could at some point working for facebook only for the sole purpose to find stuff like this, gets caught after selling some illegal pictures to people magazine or something, then repeats with diff. company when he gets canned....sounds to me like paparazzi tactics.

      If you are Paris Hilton, and name your facebook account H_queen_B or something like that, also making sure not to put too much info that could leave the idea it is celebs, I guess it would be less evident, then say the rest of the 10 million facebook users, someone would really have to have nothing to do to go through all the stuff from 10 million users before getting lucky.

      Anyways, I am sure that if someone posts also from celeb locations like Palm springs, and has the ip address to match, then again that would be up to them to hide their ip through Tor or something....

    38. Re:Serious Allegations by StikyPad · · Score: 1

      I'm not condoning misuse of personal information by any means, but anyone who uses a shared password for all of their accounts is making themselves an easy target, as are those who provide their password(s) to a third party to "retrieve contacts" or the like. Just because a site is legit doesn't mean that there aren't people working for the site (or running it, as the case may be) who are less than scrupulous. Would you give your banker the keys to your house and car just because you trust him with your deposits? Or give your mechanic your PIN just because you trust him with your car? Most people would not, yet they do the online equivalent every day, and the effects can be nearly as damaging. Sure, you could try to sue the company for damages after the fact, but a) these things can be very difficult to prove, and b) lawsuits can't put the genie back in the bottle, so to speak. What's done is done.

      I used a dedicated e-mail account just to establish my Facebook account, with separate pseudorandom passwords for each login. That may be going a bit farther than most people want to go, but the ability to prevent a cascading effect from any single security compromise is important to me.

    39. Re:Serious Allegations by opposabledumbs · · Score: 1

      I remember seeing an article, either on Wired or here (too lazy to google it right now) that was allegedly an anonymous insider's account of facebook's upcoming changes. They were quite adamant that there has always been a super-password - it used to be "Chuck Norris" - which has access to ALL of the accounts on facebook.

      But it does seem terminally stupid of the competition to open facebook accounts. Surely they should be aware of the lack of privacy inherent in making that move? After all, they're trying to build similar systems.

    40. Re:Serious Allegations by lonecrow · · Score: 1

      If this case is proven true, I can see some new laws on how companies with this kind of information have to structure and protect it.

      I think there already is (SoX)

      The Sarbanes-Oxley Act may have come about because of financial mismanagement at a handful of accounting companies, it contained a lot of data access control and auditing requirements. Causing much pain in the DBA community.

      So perhaps new rules are not required, simply compliance with existing ones.

    41. Re:Serious Allegations by Capsaicin · · Score: 1

      Wow. That was *so* insightful.

      So was that.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  8. Ai by santax · · Score: 1

    He probably can write a book about what he's gonna face now.

    1. Re:Ai by Anonymous Coward · · Score: 0

      And with a bit of luck, he's going to make an awful lot of new "friends" where he's going.

    2. Re:Ai by Anonymous Coward · · Score: 0

      He probably can write a book about what he's gonna face now.

      I can't take pity on men of his kind, even though he'll now take it in the behind. Email hack!

    3. Re:Ai by Anonymous Coward · · Score: 0

      He probably can write a book about what he's gonna face now.

      I can't take pity on men of his kind, even though he'll now take it in the behind. Email hack!

      Bradley Nowell you are not...

  9. Different password by JimboFBX · · Score: 1

    This is why I use a different password on facebook than anywhere else.

    Actually it was when my account started spamming wall postings with links to Chinese drug sites I changed my password to something unique, but still, virtually the same thing.

    1. Re:Different password by santax · · Score: 5, Informative

      And what if all those other sites have an admin that can't be trusted? It's really not about facebook this issue. It's about broken trust and you can't really protect yourself against it. At least not if you want to use their services.

    2. Re:Different password by Bronster · · Score: 5, Interesting

      Facebook also had a thing "give us your gmail or hotmail password and we'll log in and retrieve your contact email addresses and offer you to add them as friends if they have a Facebook account already" - presumably they stored those passwords as well.

    3. Re:Different password by Anonymous Coward · · Score: 5, Insightful

      Facebook also had a thing "give us your gmail or hotmail password and we'll log in and retrieve your contact email addresses and offer you to add them as friends if they have a Facebook account already" - presumably they stored those passwords as well.

      And I had a thing, "Anyone who asks for your password is lying. Don't give it to them. And if they say they really need it, don't do business with them."

      Of course, it was 1989. But the neckbeard taught me right.

    4. Re:Different password by Troed · · Score: 1

      Correct. http://lastpass.com/ is one of very few cloud services that actually understands that for me to have trust in them they must design the infrastructure accordingly.

      There ought to be more than a few people at Slashdot working with cloud companies. I'd love to hear some explanations as to why they believe "oh don't worry, your data can only be seen by our admins and we trust them!" should satisfy the needs of a large corporation :)

    5. Re:Different password by santax · · Score: 0, Troll

      You trust that site (or any site) with all your passwords? Ouch.

    6. Re:Different password by MikeUW · · Score: 1

      So what you're saying is that you use the same password for everything else? I guess that means whoever guesses your email password now also has your online banking password...but whew, your Facebook account is safe. :)

    7. Re:Different password by Troed · · Score: 1

      Feel free to study how it works before replying ;) They have all my passwords - encrypted. They cannot decrypt them.

      That's how cloud services should work.

    8. Re:Different password by hughperkins · · Score: 1

      Given that the admins in a cloud company have access to the guest os's memory, there's no way of fundamentally making the infrastructure secure enough that you don't have to trust the admins.

      You can encrypt stuff all you like, but things will be in the guest os's memory in an unencrypted state, at least some of the time.

    9. Re:Different password by Like2Byte · · Score: 3, Interesting

      Yeah, Linkedin.com also asks for passwords to your multiple email accounts to scan them for contacts. Wow. What a gold mine that could be. If there's an email addy that they don't know or a name they don't recognize, they could start spamming them for registrations and, potentially, saying a friend or colleague provided your email address to us thinking you might be interested in joining our social club....

    10. Re:Different password by Troed · · Score: 1

      That depends on the type of service. Agree, some cloud services do need to perform manipulation of client data - but not all. Those that don't only need to expose APIs but allow all manipulation to take place client side, with client side decryption (just like lastpass).

      Moving from symmetric to asymmetric cipher would increase the amount of services that can be encrypted even further. Yes, it would be computationally more expensive, and storage requirements would increase, but it would at least mean that cloud services (I'm looking at you, Yammer) would be a viable solution to running everything internally.

    11. Re:Different password by swimin · · Score: 1

      I just looked at the link. The unencrypted passwords are intended to never exist on LastPass's servers, the encryption and decryption is done locally.

    12. Re:Different password by funkyhat · · Score: 1

      All it would take is for the JS that powers the site to be modified to send your passphrase(s) back to them. If at some point they wished to go back on their word not to ever look at your passwords. At that point you'd be safe until the next time you needed to log in to retrieve a password.

    13. Re:Different password by Troed · · Score: 1

      "If" is a very powerful word. There are many possible "ifs" that can protect against an evil cloud service provider as well (hashed snippets of code, client side verification of updates etc) if we would feel the need.

      The point is, it's not possible for a rogue admin at Lastpass to sneak a peek (or copy) user data. At most cloud companies, it's routine.

      I'm somewhat amazed this isn't a huge topic for discussion in the SaaS space.

    14. Re:Different password by hughperkins · · Score: 2, Interesting

      I was basically thinking about services such as Amazon EC2 et al, and the possibility of outsourcing computing power from inside an organization into the cloud, and my observation that such an organization cannot really escape having to trust the administrators of the cloud facility, since there is no way of securing a cloud server's memory against the cloud organization's administrators.

      Yes, Lastpass does not fall into this category at all, and seems potentially secure.

    15. Re:Different password by chimpo13 · · Score: 1

      I don't think they stored the passwords (even so I changed my password after letting fb have it), but I'm pretty sure they keep track of everyone you have emailed. I started a work email and it suggested most of the same friends. Even though it was in a different country with a slightly different name. Unless of course, they figured someone with the rare last name of "Smith" must know all the same people.

    16. Re:Different password by mirix · · Score: 1

      I'm still stunned that people would actually give out their passwords.

      --
      Sent from my PDP-11
    17. Re:Different password by Anonymous Coward · · Score: 0

      Actually, according to TFA he got into those email accounts by looking for failed logins where someone had mistakenly entered their email password instead of their facebook one.

    18. Re:Different password by hairyfeet · · Score: 1

      That is why they make wonderful little FOSS programs like KeePass, my friend. The only thing the "bad admin" is gonna get is the single password for the single site he/she has access to, nothing more. Put it on a thumbstick and you are good to go, and even if someone gets it, thanks to AES, good luck getting your passwords out of it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Different password by santax · · Score: 0

      You don't get my point. Unless you actually have read and fully understood the source of keepass and build it yourself with your own handcompiled(!) compiler you are depending on someone in that chain. And we should be able to do so! But if this story is true, when the bigshot at Facebook does it, who says the bigshot at gmail isn't doing it. I don't know that, I trust them not to do so though. Same goes for keepass. You probably downloaded the binary (be honest here) and you trust them to be honest and fair.

    20. Re:Different password by Anonymous Coward · · Score: 0

      Question remains, who is so stupid as to actually give out a password?

      I think there's a bash quote for this.. http://bash.org/?4753

    21. Re:Different password by Anonymous Coward · · Score: 0

      I remember reading somewhere saying that it seems people's IQ lowers a good amount when they are in front of a computer (don't remember the original quote and source unfortunately... must be my IQ).

      This is so related to these give-password cases. Imagine that a random guy goes to your house selling knives (or whatnot) and he asks for your house's keys to check what kind of knives you have, so that every time he gets a new knife he can see if you have it or not. The guy of course "promises" not to "share" your key with anyone and not to do anything wrong with your stuff.

      Would the general public give the keys to him??

      xtracto -posting anon 'cause I've modded-

    22. Re:Different password by Philip_the_physicist · · Score: 1
    23. Re:Different password by BobMcD · · Score: 1

      What non-vendor information do you have about the prohibitions and controls?

      Facebook said they wouldn't use our email data.

      Taking a vendor at their word is not good security, and you're a staunch defender, so I assume I'll get a hasty reply.

    24. Re:Different password by BobMcD · · Score: 1

      I'm still stunned that people would actually give out their passwords.

      That must be because your passwords are dumb. If you disagree, post them here and we'll decide publicly.

    25. Re:Different password by Troed · · Score: 1

      Sorry, I don't want to write a hasty reply but I actually don't get your point :) What I'm discussing and proposing is indeed that the cloud infrastructure should create security instead of cloud clients just having to rely upon vendor information.

      It's technically possible, but no one seems to .. care.

    26. Re:Different password by BobMcD · · Score: 1

      To wit:

      Correct. http://lastpass.com/ is one of very few cloud services that actually understands that for me to have trust in them they must design the infrastructure accordingly.

      and

      Feel free to study how it works before replying ;) They have all my passwords - encrypted. They cannot decrypt them.

      My question:

      Eliminating any and all information from lastpass.com or an associate, how do you know your position is grounded in fact?

    27. Re:Different password by Troed · · Score: 1

      I've studied the infrastructure and the code as parsed by my web browser. The client does the encryption/decryption. The only thing LastPass gets is an encrypted list of passwords. I.e, they cannot see them in cleartext even if they would want to.

      Thus, security is created by their cloud infrastructure and not with lofty promises.

    28. Re:Different password by BobMcD · · Score: 1

      Who selects the keys?

    29. Re:Different password by statusbar · · Score: 1

      In the beginning of Facebook you were not allowed to join unless your email account was on hotmail or yahoo or gmail AND you provided your password so it could mine it.

      --jeffk++

      --
      ipv6 is my vpn
    30. Re:Different password by Anonymous Coward · · Score: 0

      And that is exactly what they do.

    31. Re:Different password by Troed · · Score: 1

      The symmetric cipher uses a master password I select as the key. That key is used locally.

      I'm not sure what you're after, but I'm going to assume you haven't looked into it. If so, please do first - else I will be spending time writing what others have already written. If you're already well versed as to how LastPass works and know something I don't I'd be very interested in hearing about it though :)

      http://devilsadvocatesecurity.blogspot.com/2009/04/lastpass-answering-security-questions.html

      http://ubuntuforums.org/showthread.php?p=5901550

    32. Re:Different password by BobMcD · · Score: 1

      Cypher algorithms work by obfuscating an essential part of a mathematical equation. You're stating that a master password is that part. Your control is limited to the password you use for input.

      It would be possible, then, for the algorithm to be reversible, or even keyed against a master password. E.g. 'ChuckNorris'

      You're getting the algorithm and the storage from the same source, are you not? And beyond the passphrase you're not allowed to select the actual encryption keys?

      I did read both links you posted, and didn't see that in either link.

       

    33. Re:Different password by asylum_street_blues · · Score: 1

      I'm sure I'm just being paranoid, but the fact that the lastpass offices are just down the road from Ft. Meade gives me the willies.

      --
      Just because the universe could be a simulation doesn't mean that we're the point of the simulation.
    34. Re:Different password by Troed · · Score: 1

      I'm still confused as to whether you've looked into this or not. The answers to what I think you're asking are AES-256 and hash(pw+salt).

      Again, if you know something not explained either in text or by studying the code feel free to let everyone else know :) Else I don't really understand what you're after.

      https://lastpass.com/support_faqs.php#aes
      https://lastpass.com/support_faqs.php#salt

      (That the above is true can be verified by looking at the JS sent to the client. Whether the salt is random or not might be interesting to look at - was that your point?)

    35. Re:Different password by turbotroll · · Score: 1

      Question remains, who is so stupid as to actually give out a password?

      The feature Like2Byte talks about seems to be fairly common these days, not only on Facebook or LinkedIn, so I'd say many people are dumb enough to use it. Sadly, many of them work in IT.

    36. Re:Different password by BobMcD · · Score: 1

      You broke the rule, there.

      If one assumes that lastpass.com cannot be trusted, because you're trying to independently vet them, you can't use them as a source.

      That being said, they state that lastpass.com has implemented the AES standard.

      Prove it.

      Prove, otherwise, that they have not implemented a custom 'AES+backdoor' standard. Or prove that there are tests that can show this is not the case.

      I'm not arguing that this is 'better', I'm arguing that this is not entirely the way it 'should be done'.

    37. Re:Different password by Troed · · Score: 1

      From the post you replied to:

      "That the above is true can be verified by looking at the JS sent to the client"*

      I'm unable to understand what you're trying to achieve with your rants, sorry.

      *) http://tinisles.blogspot.com/2010/01/should-you-trust-lastpasscom.html

    38. Re:Different password by Zaiff+Urgulbunger · · Score: 1

      I guess the only other thing you could do to ensure security (aside from writing your own client extension) is use Chrome rather than Firefox since (AFAIK) Chrome provides better protection between extensions.

  10. Stupid Users by muphin · · Score: 3, Informative

    using the same password for their email account as they do with their social networking sites then people should expect to be compromised.

    I suggest you use 4 types of passwords, one for accounts that wouldnt effect u much, one for email, one for social sites and IM, and one for bank accounts; with none of the passwords having anything to do with each other, e.g redball, orangeball,greenball... or whiteball, soccer, redflag ... as this limits the guess work.
    this "hack" was probably just stupid curiosity which will probably get him arrested, and once that happens he will loose a lot of control of the company.

    --
    It's not a typo if you understood the meaning!
    1. Re:Stupid Users by Torodung · · Score: 5, Insightful

      Actually, Facebook directly asks you for your email password so it can "Automatically connect you to others" through your ISP information (phonebook, etc.). They get quite clever with it, even using the ISP's logo, making it seem like it is an official service of the ISP.

      This goes a bit beyond, "stupid." This is a confidence scam.

      --
      Toro

    2. Re:Stupid Users by quantaman · · Score: 5, Informative

      using the same password for their email account as they do with their social networking sites then people should expect to be compromised.

      I suggest you use 4 types of passwords, one for accounts that wouldnt effect u much, one for email, one for social sites and IM, and one for bank accounts; with none of the passwords having anything to do with each other, e.g redball, orangeball,greenball... or whiteball, soccer, redflag ... as this limits the guess work.

      Supposedly they did,

      "Here's how Mark described his hack to a friend:

      Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them."

      this "hack" was probably just stupid curiosity which will probably get him arrested, and once that happens he will loose a lot of control of the company.

      I have no idea whether this stuff is true or provable, but if the article is accurate this wasn't curiosity. This was some seriously immoral/dishonest stuff.

      --
      I stole this Sig
    3. Re:Stupid Users by Culture20 · · Score: 4, Interesting

      Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

      This is why I always have an "OH &*#$#^!" moment whenever I accidentally enter the wrong password into the wrong form. It's a mad rush to change the password to whatever service/server the password really belongs to. Thankfully, it's usually different usernames...

    4. Re:Stupid Users by Anonymous Coward · · Score: 0

      I've accidentally announced my password in a chatroom, instead of typing it in the other window running SSH. Definitely had to go change that in a hurry.

    5. Re:Stupid Users by GraZZ · · Score: 1

      This is why SuperGenPass is your friend. Using one (or more) master password, you quickly generate a unique password for each domain you log in to, all through a handy bookmarklet. Also there's no password storage (except an optional hash for validation), so you don't have to worry about password product XYZ being hacked.

    6. Re:Stupid Users by butlerm · · Score: 1

      If HTTP was designed correctly, web sites would never have a copy of a password you typed into a password entry field, ever. Secure hashing would be trivial, for example, making it a practical impossibility for a web site to determine what the original password was. All that would be stored would be a hash that was only good for logging into that web site.

    7. Re:Stupid Users by Anonymous Coward · · Score: 1, Insightful

      Or better yet use a product like 1Password to have a different strong password for every website. The best part of using password managers like this is that I don't even know what my password to a site like Facebook is except that it is 20 random letters, numbers and punctuations that is different from every other site I connect with.

    8. Re:Stupid Users by Anonymous Coward · · Score: 0

      On the basis of ignorance, I will refrain from entering a discussion into HTTP design constraints (no jokes, please ;-), however, the point is a valid one, sites themselves should under no circumstances be logging "bad" password attempts in any form other than a simple failed attempt count number. I doubt there are many on here that have not inadvertently used a password for one site that was actually the password for another, particularly a problem with email-based logins. Until such time as site operators recognise the value of privacy security for their customers and are slowly made to realise that the consequences of failing to take adequate steps to provide this can and should be severe, they leave themselves open to all the charges the lawyers can bring.

      In this particular case, anyone using Facebook demanding Privacy is probably well into oxymoronic newland, should these accusations prove true however, I indeed hope they throw a very, very large book at Mr Zuckerberg. A site operator getting involved in such nonsense is not just a grievous breach of privacy, it is criminal behaviour and should be handled accordingly.

    9. Re:Stupid Users by Bob+Cat+-+NYMPHS · · Score: 2, Funny

      >one for accounts that wouldnt effect u much

      YOU are the CANCER that is KILLING the INTERNET

    10. Re:Stupid Users by Anonymous Coward · · Score: 1, Funny

      Bah. If you type in your pw in a /. post it will show as stars.

      ******* see!

    11. Re:Stupid Users by advocate_one · · Score: 1

      Actually, Facebook directly asks you for your email password so it can "Automatically connect you to others" through your ISP information (phonebook, etc.). They get quite clever with it, even using the ISP's logo, making it seem like it is an official service of the ISP.

      one thing I've flat out refused to do... unfortunately, my daughters had already gone through this step when setting up their accounts so I've told them to change all their passwords.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    12. Re:Stupid Users by Tim+C · · Score: 1

      even using the ISP's logo, making it seem like it is an official service of the ISP

      What that tells me is that they are doing it with their blessing. Otherwise, they would not be allowed to use the logo, no?

    13. Re:Stupid Users by betterunixthanunix · · Score: 1

      That is in HTTP, it is called Digest Authentication. The real issue is that Facebook does not use it.

      --
      Palm trees and 8
    14. Re:Stupid Users by techhead79 · · Score: 1

      Well not only that but why the hell was he recording plain text passwords?!?? Before it reaches the database it should have been already md5 or hashed in some way.
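
The two points raised in the comments above (log a failed login only as a count, and hash passwords before they reach storage), shown together as an added example that is not part of the original thread. `LoginService`, the user name and the sample passwords are constructed for illustration, and PBKDF2 with the round count shown is an assumed choice.

```python
import hashlib
import hmac
import io
import logging
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo; tune for real hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; the only form in which a password is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginService:
    """Hypothetical login backend: stores salted hashes, logs failures as counts."""

    def __init__(self, logger: logging.Logger):
        self._users = {}      # username -> (salt, password hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._log = logger

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def stored_record(self, username: str):
        return self._users[username]

    def failure_count(self, username: str) -> int:
        return self._failures.get(username, 0)

    def login(self, username: str, password: str, source_ip: str) -> bool:
        record = self._users.get(username)
        # Hash even for unknown users so both paths cost about the same.
        salt, expected = record if record else (b"\x00" * 16, b"")
        candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, expected)
        if ok:
            self._failures.pop(username, None)
            self._log.info("login ok user=%r ip=%s", username, source_ip)
            return True
        # Record that an attempt failed, never what was typed: a mistyped
        # password is very often the right password for some other account.
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        self._log.warning("login failed user=%r ip=%s failures=%d",
                          username, source_ip, count)
        return False


def demo():
    """Run one failed and one successful login; return what ended up in the log."""
    sink = io.StringIO()
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(sink))

    svc = LoginService(logger)
    svc.register("alice", "site-password-1")   # constructed sample values
    wrong = "alice-email-password"             # typed into the wrong form
    first = svc.login("alice", wrong, "192.0.2.10")
    failures_after_first = svc.failure_count("alice")
    second = svc.login("alice", "site-password-1", "192.0.2.10")
    return {"first": first, "second": second,
            "failures_after_first": failures_after_first,
            "failures_after_second": svc.failure_count("alice"),
            "log": sink.getvalue(), "wrong": wrong,
            "record": svc.stored_record("alice")}


if __name__ == "__main__":
    print(demo()["log"])
```
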

    15. Re:Stupid Users by garaged · · Score: 1

      that's pretty much what I do, something like:
      easy) myname
      medium) myname82
      hard) myname1234
      impossible) mynamesurname

      --
      I'm positive, don't believe me look at my karma
    16. Re:Stupid Users by butlerm · · Score: 1

      Sort of, but not quite. HTTP Authentication of any type is sufficiently inflexible and user unfriendly that it is almost _never_ used outside of an Intranet environment. It is so bad that it is essentially hopeless. Login screen, what login screen? Web server control over what gets displayed on authentication failure? etc.

      Not only that, HTTP Authentication is based on the idea that at least initially both the user and the server know what the plaintext password is. The fact that it is hashed in transit or hashed in storage on the server side after that is immaterial. The web server operator _knows_ what your plain text password is.

      In order to fix the second problem, at a minimum HTTP Authentication would require a mode for _establishing_ a user password such that the hash is transmitted rather than the plain text password. But making such a change would be a waste because HTTP authentication is almost useless anyway, for the reasons mentioned above.

      So what I suggest is that the HTML standard be amended with an option such that password entry fields (input type="password") do not transmit the entered text to the server, but rather the entered text hashed with the server domain name. This hash would be sent both when the user initially enters his/her password, and when he or she re-enters it to authenticate later.

      That would make it computationally difficult for a web server operator to ever know what the plain text password of the user actually was. Of course the hash would need to be kept secure, encrypted in transit, etc., in any non trivial application, because stealing the hash would be like stealing the password - with regard to that particular site only, not all the other sites where the user uses the same plain text password.
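
A sketch of the proposal in the comment above, as an added example that is not part of the original thread: the client sends a value derived from the typed password and the site's domain, so what one site receives or logs is not accepted by any other site. The `Site` class, the domains and the passwords are constructed, and using PBKDF2 with the domain as salt is an assumption about how such a field could hash; no HTML standard defines it.

```python
import hashlib
import hmac
import os


def site_verifier(password: str, domain: str, rounds: int = 100_000) -> bytes:
    """Client side: the value sent to `domain` in place of the typed password."""
    salt = b"site-bound-password:" + domain.lower().encode("idna")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class Site:
    """Hypothetical server that only ever receives domain-bound verifiers."""

    def __init__(self, domain: str):
        self.domain = domain
        self._accounts = {}           # user -> (salt, sha256(salt + verifier))
        self.failed_submissions = []  # models an operator who logs failed input

    def register(self, user: str, verifier: bytes) -> None:
        salt = os.urandom(16)
        self._accounts[user] = (salt, hashlib.sha256(salt + verifier).digest())

    def login(self, user: str, verifier: bytes) -> bool:
        salt, stored = self._accounts.get(user, (b"", b""))
        ok = hmac.compare_digest(hashlib.sha256(salt + verifier).digest(), stored)
        if not ok:
            self.failed_submissions.append((user, verifier))
        return ok


def demo():
    """Same person, two sites; the mail password is typed into the wrong form."""
    mail = Site("mail.example")      # constructed domains
    social = Site("social.example")
    mail_pw = "correct horse battery staple"   # constructed sample passwords
    social_pw = "a different social password"
    mail.register("alice", site_verifier(mail_pw, mail.domain))
    social.register("alice", site_verifier(social_pw, social.domain))

    # The mistake described in the thread: mail password entered at the social site.
    mistaken = site_verifier(mail_pw, social.domain)
    accepted_by_social = social.login("alice", mistaken)
    _, logged_value = social.failed_submissions[0]

    return {
        "accepted_by_social": accepted_by_social,
        # The value the social site saw is bound to its own domain, so the
        # mail site rejects it even though the typed password was correct there.
        "logged_value_accepted_by_mail": mail.login("alice", logged_value),
        "plaintext_in_logged_value": mail_pw.encode("utf-8") in logged_value,
        "real_mail_login": mail.login("alice", site_verifier(mail_pw, mail.domain)),
        "real_social_login": social.login("alice", site_verifier(social_pw, social.domain)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The derived value remains a full credential for the site it is bound to, and because the domain is public a weak password can still be recovered from it by guessing, so it needs the same protection in transit and storage as a password.
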

    17. Re:Stupid Users by Anonymous Coward · · Score: 0

      You want to use password authenticated key exchange, for example J-PAKE (should be patent free) but there are other algorithms too. The client proves to the server that it knows the password and the server proves to the client that it knows the password, but the actual password is never transmitted. You cannot MITM it or use the dump of the traffic to crack the password either.

  11. Not Really Surprised by Kartoffel · · Score: 5, Insightful

    When you look at Facebook's dismal history of privacy policies and changes, it's really not that surprising. A person with flawed ethical standards tends to do unethical things.

    1. Re:Not Really Surprised by Hurricane78 · · Score: 4, Insightful

      Best comment on the story.

      While we must note, that accusations are only accusations. I could accuse you of rape right now. Wouldn’t make it a single bit more true.

      But Zuckerberg to me has no better moral standards than a criminal. You know. Like an agent of some totalitarian state. Or like someone who steals other people’s identities for a living.

      I really want Facebook to die and be replaced by a version that honors privacy. Something with an ethical code.
      Oh, even better: A P2P social network. Wouldn’t that be something?

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    2. Re:Not Really Surprised by TubeSteak · · Score: 1

      A person with flawed ethical standards tends to do unethical things.

      Gross abuse and misuse of electronic communication has been a staple of Government and Corporations for the better part of 170 years, starting with the telegraph system.

      The only difference between then and now is that communications channels have become decentralized.
      The ability and desire to tap into those systems still exists and has never gone away.

      --
      [Fuck Beta]
      o0t!
    3. Re:Not Really Surprised by Dracos · · Score: 2, Interesting

      A person with flawed ethical standards tends to do unethical things.

      They also tend to gather people around them who have similar ethics. For everything he has done, who knows what his employees have done, either independently or at his request.

    4. Re:Not Really Surprised by daveime · · Score: 1

      You want a *social* network where everything is private ?

      Something like JohnDoe917 has just added you, JaneDoe375 likes this, etc ?

      Finding friends will be a blast. Search for JohnDoe ... 7 million results, would you like to narrow your search ? Sorry, no extra criteria available, everything is private.

      It's supposed to be public that's the whole point. If you don't want it public, don't post it in the first place.

    5. Re:Not Really Surprised by im_thatoneguy · · Score: 5, Informative

      And that's not even mentioning the history of accusations against Zuckerberg for questionably ethical behavior:

      http://www.rollingstone.com/news/story/21129674/the_battle_for_facebook

    6. Re:Not Really Surprised by Pecisk · · Score: 2, Interesting

      About P2P social network - XMPP aka Jabber just allows that :)

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    7. Re:Not Really Surprised by daver00 · · Score: 2, Insightful

      The point is to honour what the user wishes to be private. Facebook lured people in by saying everything you post is private if you wish it to be, or only available for your friends to view. But then it became obvious how much money could be made by targeted advertising if this were not the case, and suddenly the rules changed mid game.

    8. Re:Not Really Surprised by digitalchinky · · Score: 2, Insightful

      WTF is wrong with having some information public, some information accessible to your friends, other information only for your family, etc. The parent said nothing at all about wanting a social network that is entirely private. He wants a social network that honors its privacy protocols and access controls. For the duration. Is that too much to ask? Apparently you are incapable of comprehending there might just be an option B somewhere between A and C.

      Since when did social networks have to be everything or nothing?

    9. Re:Not Really Surprised by RobVB · · Score: 1

      Exactly. I laughed when I read this:

      The CEO of the world's most successful social networking website was accused of at least two breaches of privacy.

      I'd find it strange if he hadn't committed more breaches of privacy than you can count on two hands, even when counting in binary. But then again, maybe we should just listen to what he said earlier:

      Privacy is no longer a social norm.

      After all, how can you breach something that no longer exists? And if that doesn't work, who said anything about doing no evil?

      --
      I'd rather you rationally disagree than irrationally agree.
    10. Re:Not Really Surprised by adona1 · · Score: 1

      I really want Facebook to die and be replaced by a version that honors privacy. Something with an ethical code.

      Give it time. FB will be overtaken by the next big thing, the way Myspace was & all the social networking sites before that.

      Just don't expect any of them to give a damn about privacy...at least not after a pile of cash gets invested into them.

      --
      Between the falling angel and the rising ape
    11. Re:Not Really Surprised by daveime · · Score: 1

      Because, as I've already said, it's a "social network", and these work best when everything is public.

      People are by nature nosey-parkers, and it's more interesting looking up someone (even a stranger) when you can see *all* their details, not just a name and avatar.

      Some people don't even bother posting a profile pic, and their name is Smith. How the fuck is anyone supposed to work out if you are the Smith they are looking for ?

      I guess the proof of the pudding is in the eating. Ever wonder why Friendster has been abandoned while Facebook continues to grow ? Possibly because it is the most social (details exposed), people can find each other easily. There are privacy controls at the basic level, but giving you minute control over every damn detail of what you want published is nonsensical. The whole point is for people to find you based on those details, if you want it suppressed so badly, don't put it up in the first place.

    12. Re:Not Really Surprised by lwsimon · · Score: 1

      Perhaps I see this differently, as I play both sides of the field (as a user, and as an advertiser).

      The privacy controls on Facebook are sufficient from my perspective. As a user, I can be confident that what I post will stay within my circle of friends. As an advertiser, I can target down to a few hundred people - but I cannot determine information on an individual.

      It seems a good balance to me - though I would certainly try a different service if one is out there.

      --
      Learn about Photography Basics.
    13. Re:Not Really Surprised by Hurricane78 · · Score: 1

      Hmm, you are right. Thank you! That was a thing I was wondering about for a long time! :)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    14. Re:Not Really Surprised by Hurricane78 · · Score: 1

      No. You oversimplified it. I want a social network where you can CHOOSE who you trust with what information about you.
      Like a firewall for your privacy. Like in [fitting inner model] life relationships.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    15. Re:Not Really Surprised by daver00 · · Score: 1

      I agree that the privacy controls on Facebook are sufficient (hence I use it), but Zuckerberg has publicly stated that he does not think this is good enough, and that he does not think people should expect privacy at all anymore. He essentially stated his wish to simply take what data he wishes from your interactions with facebook and claim it as his own. Now fair enough if that's his stated goal, but to lure people in by saying it is NOT your stated goal, then attempt to change the rules mid course is disingenuous at best, downright criminal at worst. (See facebook IP fiasco for more details)

    16. Re:Not Really Surprised by cavebison · · Score: 1

      From that page:

      "If there's going to be another Bill Gates," says former Harvard president Lawrence Summers, "Mark is as close as anyone."

      Of course the Harvard president would say that. Mark only made FB. Gates made a tad more. Mark used existing tech to make what - a web app. Wow. Any team of coders can do that. Gates, along with others, helped create the foundation for all these things.

      What about the next Gates being someone from Google, since they make real products that help people do a whole lot more than Mark's fancy web site. The next Gates my ass.

    17. Re:Not Really Surprised by sowth · · Score: 1

      I'm sure there have been many P2P social networks. Usenet is one of them--spam, trolls and FAQ Nazis destroyed it. I was on another called "The Circle"--but it never took off.

      The problem seems to be massing enough people together to make the system useful. Designing something which would mitigate the problems of bad acting users is the next problem. Coding is the easy part.

      Though really in a way, the internet is a massive p2p social network, only everything being pushed onto the web and floating IP addresses/dialup (and ISP policies) so users can't run their own daemons has made it so you can't use it that way.

      These were before my time (got on internet@1995), but... Unix talk was used for IM. You'd type 'talk user@computer' and talk to them. No server, they were just there. Email was the same way: user@computer, no servers. When the message was delivered, the recipient got it instantly. Polling wasn't done over the network, the biff program polled the filesystem, so it could ask once a second, no problem.

      Look at the NNTP protocol for Usenet. It was designed so everyone was a peer. From what I've read, most computers would have an nntp daemon connected to other Usenet peers and the newsreaders would read from spool files on the hard drive. If you look at the old Unix cli/curses (terminal based) newsreaders, most of them work that way. Dialup appears to have changed that. The ISPs started running the daemons and most MSWin newsreaders would get news via NNTP from the isp's servers.

      Maybe all which needs to be done is make it so anyone can easily find their friend's IP address. I suppose the dynamic DNS services (like dyndns) will do it. Then people need an easy way to be accessible. Probably a universal daemon which accepts email, nntp, and unix talk, does not require additional configuration (uses reasonable defaults and config info already on the machine), and is reasonably secure and has ways to block out spammers and the like.

    18. Re:Not Really Surprised by sowth · · Score: 1

      I should add the universal daemon's NNTP would be for private newsgroups, not part of global Usenet. There should probably also be something to make files available (ftp or web or ssh?) because email and NNTP are inefficient for it. Though the program should also make it clear what they are sharing isn't supersecret, so no copyright infringement or illegal things. ;-)

  12. Breach of privacy by SilverHatHacker · · Score: 5, Insightful

    Kinda puts his comments that "No one has any reasonable expectation of privacy anymore" into a whole new light, doesn't it?

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Breach of privacy by Hurricane78 · · Score: 1

      Nah. Same old light. I kinda expected him to do even worse things.

      And that’s why I am very cautious, since all that happened, is somebody accusing him. It’s illegal to leave out the “accused” (e.g. in newspapers) in Germany for a very good reason.

      Let’s see how it turns out in court.
      It could just still also be a competitor who tries not-so-nice methods to get some of Facebook’s user share.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    2. Re:Breach of privacy by SilverHatHacker · · Score: 2, Insightful

      Very true; let's be careful not to forget he is innocent until proven guilty, regardless of how likely this may seem given his recent words and actions.

      --
      Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    3. Re:Breach of privacy by Anonymous Coward · · Score: 0

      He was right, wasn't he? Who would still have any reasonable expectation of privacy on Facebook? And yet they all flock to give Facebook their most private data.

  13. What else? by spruce · · Score: 2, Funny

    Did he offer to buy the Caprica Bucs as well?

    1. Re:What else? by Anonymous Coward · · Score: 0

      Brilliant.

    2. Re:What else? by im_thatoneguy · · Score: 1

      Too soon!

  14. He'll Probably Get Off Easy by IonOtter · · Score: 4, Insightful

    A friend once made the observation that no big-time, fast-track success story in the world of IT ever makes it without doing something that gets them into serious hot water at least once. Once they do that, they offer a bunch of mea culpas, make a few donations here and there, then make bank. (The slow-track success stories don't usually fit that theory.)

    This is a bit different, seeing as he's already made bank, and it's a skeleton coming out of the closet, but I still think he'll get off easy.

    Remember, it's not how much justice you can get, it's how much you can afford.

    --
    [End Of Line]
    1. Re:He'll Probably Get Off Easy by phantomfive · · Score: 4, Interesting

      In fairness, in the corporate world there are so many pitfalls that it's essentially impossible to navigate through them all without a strong team of lawyers and accountants.

      Laws in America are so complex and vague that the average American commits three felonies a day. The same difficulties apply to companies. Even something as straightforward as paying a CEO takes legal specialists dedicated to that specific area of law. Even think of the difficulties of complying with Sarbanes Oxley from an IT perspective. It takes time to set up all the infrastructure, and if you were a startup, you may not even have had a dedicated sys admin. Then suddenly you have all these regulations you have to comply with.

      Not that I'm trying to excuse Zuckerberg. If he was stealing other people's emails, he should go to jail, a much better candidate for jailtime than Terry Childs.

      --
      Qxe4
    2. Re:He'll Probably Get Off Easy by GigsVT · · Score: 3, Insightful

      Yeah so many pitfalls like accidentally hacking into people's email accounts using stolen passwords.

      Is that something like the woman falling on your cock and you accidentally raping her?

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:He'll Probably Get Off Easy by Anonymous Coward · · Score: 0

      Is that something like the woman falling on your cock and you accidentally raping her?

      Why, that is like Getting Off Easy...

    4. Re:He'll Probably Get Off Easy by AshtangiMan · · Score: 1

      I agree with your overall point, but that WSJ link and the idea of three felonies a day is sensationalist. The article doesn't try to quantify the claim at all, but ends up making the point that the laws are too convoluted. Fine. But you lose all credibility when you have to hype it as titled.

    5. Re:He'll Probably Get Off Easy by phantomfive · · Score: 1

      The article relies on research done in the book. I didn't link to the book directly because I don't like giving Amazon traffic. And B&N was too hard to find.

      --
      Qxe4
  15. Now I understand the Facebook Privacy guidelines by viraltus · · Score: 1

    No wonder.

    --
    Dear /. CENSORS that set people's Karma to Neutral when you disagree with them: FUCK YOU!!
  16. Nice hottie by Anonymous Coward · · Score: 0

    Mail Online has a better article, because the third pic in the article is of a hottie using a laptop to browse Facebook:

    http://www.dailymail.co.uk/news/worldnews/article-1255888/Facebook-founder-Mark-Zuckerberg-hacked-emails-rivals-journalists.html

    Of course, she's even prettier naked:

    http://www.crestock.com/image/2137917-diamond.aspx

  17. Color me surprised... by xlsior · · Score: 4, Informative

    He isn't exactly known to believe in privacy in the first place, after all:

    http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy
    The rise of social networking online means that people no longer have an expectation of privacy, according to Facebook founder Mark Zuckerberg.
    Talking at the Crunchie awards in San Francisco this weekend, the 25-year-old chief executive of the world's most popular social network said that privacy was no longer a "social norm".

    1. Re:Color me surprised... by Anonymous Coward · · Score: 0

      wow. imagine how much of a hypocrite he'd look like if the court case gets stalled because he refuses to release information from accounts like his email, facebook, IM, etc

  18. Wasnt Mark by gmuslera · · Score: 2, Interesting
  19. n00bsauce by cosm · · Score: 3, Interesting

    The hilarity would be if his tracks could be traced down through their own system's perverse logging, maybe then would he regret his company's policy of practically 100% data retention. Pwned Mark Fuckerberg. Pwned.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  20. Sad if true. by __aazsst3756 · · Score: 1

    Sad if true. Although Silicon Valley Insider is one of the least reputable blogs on the net.

    1. Re:Sad if true. by BhaKi · · Score: 1

      I've always thought of it as Google's mouthpiece.

      --
      The largest prime factor of my UID is 263267.
  21. This just in by davidbrit2 · · Score: 1

    The CEO of the world's most successful social networking website was accused of at least two breaches of privacy.

    In related news, something about hacking some email accounts as well.

  22. New business card? by Anonymous Coward · · Score: 0

    I'm a black-hat hacker...bitch.

  23. inside job by Anonymous Coward · · Score: 0

    gotta love the rogue admin

  24. That's the issue with all those 'cloudy' things by obarthelemy · · Score: 2, Insightful

    The issue is my ASS: Availability, Safety, Security.

    I want my apps and data to be accessible at all times. Even when I'm off-line, or they are, or something dies in-between.

    I want my data to be safe, which means off-site, off-line backups.

    I want my data to be secure, which means no hacking. For every high-visibility CEO that gets caught, how many 3rd-world subcontractors' trainees don't?

    --
    The Cloud - because you don't care if your apps and data are up in the air.
    1. Re:That's the issue with all those 'cloudy' things by dkf · · Score: 3, Insightful

      The issue is my ASS: Availability, Safety, Security.

      Sensible things to want. Are you willing to pay what it takes to get them? Availability is expensive. So is Safety. And Security makes everything else more expensive and awkward (sometimes not much more expensive – ssh is very good for example – but the cost over being without security is still there, even if it is worth it).

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    2. Re:That's the issue with all those 'cloudy' things by AioKits · · Score: 1

      I thought it was well known that good ASS costs serious cash?

      --
      "Quote me as saying I was mis-quoted." -Groucho Marx
  25. More to come by oldhack · · Score: 2, Insightful

    Expect a lot more of this stuff.

    The people who start social networks are a different breed than those that cooked up tech startups of past decades.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  26. Well Duh! by coaxial · · Score: 2, Funny

    And this is why don't provide any site any more information than the bare minimum that it needs.

    Nah. Facebook is a scam.

    Now excuse me, I've got to update my status.

    1. Re:Well Duh! by yanyan · · Score: 1

      I like this.

  27. temporary password by zlel · · Score: 1

    i wouldn't entrust my passwords to a third party website, but if i had to do it, i guess i would have to change my password temporarily, let the third party site access my account with the temporary password, and then change it back. but i've always felt very awkward that facebook is one website. Is it possible to make a distributed/cloud version of it using some form of client-side decryption, so that nobody "owns" any of the information in its entirety?

  28. Here's my thought... by BulletMagnet · · Score: 1, Redundant

    ANYONE who's silly enough to use a primary e-mail address where anything important lands for any social networking site is a fool. Hotmail, gMail, et al exist for a reason....If Suckerberg wants to read my Hotmail that's linked to my Facebook account, feel free. It's all facebook related trash anyway....since it's one of my many throwaway mail accounts, used for such activities.

    1. Re:Here's my thought... by Anonymous Coward · · Score: 0

      Anyone on slashdot who does those things is a fool. Regular users are not slashdot readers.

      I hope you're not an IT guy, because if so, your attitude towards the people you are supposed to educate and support needs some work.

  29. Reason #1352... by Itninja · · Score: 1

    ...to avoid using Facebook.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Reason #1352... by Anonymous Coward · · Score: 0
      Filter error: Please use fewer 'junk' characters. What's Slashdot doing looking at my junk, anyway?

      Rob Malda likes cock.

  30. Anonymous Coward by Anonymous Coward · · Score: 0

    Since when is copy/pasting a password considered hacking?

    1. Re:Anonymous Coward by OrwellianLurker · · Score: 1

      Since unauthorized access to anything computer related was equated with hacking.

      --
      'Political power grows out of the barrel of a gun.' - Mao Tse-tung
    2. Re:Anonymous Coward by scdeimos · · Score: 1

      Since unauthorized access to anything computer related was equated with criminal activity.

      There, fixed that for you. Not all hacking is bad, nor is all hacking criminal activity.

    3. Re:Anonymous Coward by OrwellianLurker · · Score: 1

      I don't disagree. Public opinion does.

      --
      'Political power grows out of the barrel of a gun.' - Mao Tse-tung
  31. Some financial institutions are already using this by ub3r+n3u7r4l1st · · Score: 1

    There are certain online stock brokers who use the same technique. In order to make a deposit directly with a bank account, this service needs to verify that you are the true owner of the bank account. This can be done by entering your bank account online user name and password. You only have to do this once however. So I change to a temporary one, confirm the bank account with the broker, and change it back.

  32. Facebook users get what they deserve by Anonymous Coward · · Score: 5, Insightful

    Web 2.0 has proven itself nothing more than a private takeover of the public infrastructure of the net. FB wants to displace everything from email to irc. If people want to commit their information to sharks who want to monetize their personal information, they get what they deserve.

    1. Re:Facebook users get what they deserve by Anonymous Coward · · Score: 0

      go back to bbs muds, neckbeard microprick assburger.

      Show what you know. I play Trade Wars.

    2. Re:Facebook users get what they deserve by Anonymous Coward · · Score: 0

      The irony is that every mockery of social behaviour on Encyclopaedia Dramatica, the crowning achievement of Web 2.0 hipsters, was made at least 10 years ago by Chris Morris. The obscure sexual accounts intended to make the Internet seem racy and uninhibited are matched by Psychopathia Sexualis, published in 1886.

      There is a subset of every new generation of kids standing up to proudly proclaim that tomorrow belongs to them, who think they have superseded the past and own the future, but they still look like pantomime dwarves clambering on each other's shoulders to pick the lowest hanging fruit to me.

  33. no surprise by Anonymous Coward · · Score: 2, Interesting

    Anyone familiar with the mechanics of Facebook's rise to prominence should not be surprised at the alleged ethical and legal violations. Zuckerberg et al. hacked and social engineered their way into dozens of college freshman admit lists so they could be the first to get new students online. This is not speculation. The "virality" of early facebook was not viral at all, it was good old fashioned spam to ill-gotten mailing lists.

    1. Re:no surprise by turbotroll · · Score: 1

      Anyone familiar with the mechanics of Facebook's rise to prominence should not be surprised at the alleged ethical and legal violations. Zuckerberg et al. hacked and social engineered their way into dozens of college freshman admit lists so they could be the first to get new students online. This is not speculation. The "virality" of early facebook was not viral at all, it was good old fashioned spam to ill-gotten mailing lists.

      Interesting and relevant. Please mod up!

  34. SaaS will suffer for this by waTR · · Score: 1

    The problem with what has been alleged is that it now gives more ammunition to those against SaaS over the web. On the other hand, it makes it all the more important that these companies be forced to use SSL for login sessions.

    On a side note, this sounds way too stupid to have actually occurred. If Mark actually did these things, I feel much more confident in my own intelligence (in comparison to his own, and what I previously thought of it).

    --
    Huh? [devShell.org]
    1. Re:SaaS will suffer for this by socsoc · · Score: 1

      SSL doesn't matter if they are logging bad password attempts. They aren't in the middle, they are the end.

  35. Uh, where's the hacking? by Jeian · · Score: 2, Interesting

    It took me about 10 minutes to skim through the backstory, but it's pretty sparse on the details and supporting evidence.

    "Instead, he decided to access the email accounts of Crimson editors and review their emails. How did he do this? Here's how Mark described his hack to a friend:"

    Oh, a friend said Mark said... right.

    "Nevertheless, during 2004, Mark Zuckerberg still appeared to be obsessed with ConnectU. Specifically, he appears to have hacked into ConnectU's site and made changes to multiple user profiles, including Cameron Winklevoss's."

    "At one point, Mark appears to have exploited a flaw in ConnectU's account verification process to create a fake Cameron Winklevoss account with a fake Harvard.edu email address."

    It "appeared" that way? According to whom, and based on what?

    Seriously, the whole article is a long string of "it looks like" and "he said she said Mark said" with nothing to back any of it up.

    1. Re:Uh, where's the hacking? by Culture20 · · Score: 1

      he said she said Mark said

      So wait, Mark's not He or She?

  36. Nothing about this is surprising by Anonymous Coward · · Score: 5, Interesting

    This doesn't surprise me, only confirms what I've thought about Zuckerberg.

    1) I believe he stole Facebook from the ConnectU founders. I believe the assertions that he was hired as a developer and dragged his feet while forming his own company which eventually became Facebook.

    2) I believe he has no scruples when it comes to Facebook users' data. He has publicly stated that he knows what's best for "his" users and this arrogance shines through every time the UI is abruptly changed.

    3) I believe he will do whatever he pleases with users' information. I don't think that privacy laws provide guidance to him but instead are constraints that he will bypass given any opportunity.

    I'm pleased to see that he is being publicly exposed - I doubt anything will come of it - but am glad for him to be seen as he truly is, an arrogant and unscrupulous bad person. This latest revelation may finally send him where he belongs . . .

    banking.

    1. Re:Nothing about this is surprising by Idiomatick · · Score: 1

      For /. users that don't know #1 is proven. This investigation brought some logs to light. Mark is quoted as saying he will "fuck them in the ear" referring to him screwing over ConnectU. And quotes about him slowing them down and fucking them over.

    2. Re:Nothing about this is surprising by Anonymous Coward · · Score: 0

      Indeed. More and more, Jew-bastards like Zuckerberg are convincing me the world would be a better place if Hitler had won the war.

  37. Re:Some financial insiutuion are already using thi by bkgood · · Score: 1

    They can't just do it the way, say, PayPal, does it and make a very small debit (or deposit) with a unique authentication key in the memo line? I've done this with a couple of different companies, and I really can't imagine doing it the way you describe, it just seems silly. Just accounting for all the different ways a bank could do an HTML login process (mine will ask you a series of personal questions if you haven't authenticated with the same computer recently and told it to remember the computer) would be a nightmare.

    Granted, the way PayPal now does the above process reeks of dung, as they process a small debit with the key and when you authenticate they credit that amount to your PayPal account instead of sending it back to your bank, but that's just an implementation detail.
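The micro-deposit check described in the comment above, sketched as an added example (it is not part of any comment here, and it is not PayPal's or any broker's code): ownership of a bank account is proven by reading back a one-time code from the deposit's memo line, so no banking password is ever handed over. The class name, the account ids, the six-digit code format, and the attempt and expiry limits are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3               # assumed policy: guesses allowed per challenge
TTL_SECONDS = 7 * 24 * 3600    # assumed policy: challenge lifetime


class MicroDepositVerifier:
    """Proves control of a bank account with a one-time code sent in a deposit memo."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key      # secret key held only by the verifying service
        self._clock = clock         # injectable so expiry can be exercised offline
        self._pending = {}          # account_id -> challenge record

    def _tag(self, account_id, code):
        # Keyed digest binds the code to one account; the plaintext code is never stored.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account_id):
        """Create a challenge; the returned code goes only into the deposit memo line."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = {
            "tag": self._tag(account_id, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def confirm(self, account_id, submitted):
        """Check the code the user read from their statement."""
        rec = self._pending.get(account_id)
        if rec is None:
            return "no_challenge"
        if self._clock() > rec["expires"]:
            del self._pending[account_id]
            return "expired"
        rec["attempts"] += 1
        # Constant-time comparison avoids leaking how much of the tag matched.
        if hmac.compare_digest(rec["tag"], self._tag(account_id, submitted)):
            del self._pending[account_id]       # single use: a replay finds nothing
            return "verified"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]       # guessing budget spent; start over
            return "locked"
        return "wrong_code"


def _other_code(code):
    """A constructed six-digit code guaranteed to differ from the real one."""
    return f"{(int(code) + 1) % 10**6:06d}"


def demo():
    """Runs constructed scenarios against a fake clock and returns the outcomes."""
    now = [1_000_000.0]
    v = MicroDepositVerifier(secrets.token_bytes(32), clock=lambda: now[0])
    results = {}

    code_a = v.start("acct-A")
    results["wrong_then_right"] = [
        v.confirm("acct-A", _other_code(code_a)),
        v.confirm("acct-A", code_a),
    ]
    results["replay"] = v.confirm("acct-A", code_a)

    code_b = v.start("acct-B")
    results["lockout"] = [v.confirm("acct-B", _other_code(code_b)) for _ in range(3)]
    results["after_lockout"] = v.confirm("acct-B", code_b)

    code_c = v.start("acct-C")
    now[0] += TTL_SECONDS + 1
    results["expired"] = v.confirm("acct-C", code_c)

    code_d = v.start("acct-D")
    results["cross_account"] = v.confirm("acct-A", code_d)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```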

  38. Dentasmile Md by brude · · Score: 0, Offtopic

    Script Kidd if you use other peoples programs to steal password .Hacker if You do it by yourself. Denta Smile Md

  39. Re:MARK ZUCKERBERG IS A JEW by Dahamma · · Score: 1

    Elwood: Illinois Nazis.
    Jake: I hate Illinois Nazis.

  40. Not to be an ass by Anonymous Coward · · Score: 0

    Not to be an ass but I have to play devil's advocate here. How in the hell are we supposed to take what they say at face value? Supposing it really did happen, where's the evidence that proves they didn't make these dumbass mistakes on their own?

  41. And you thought MS was bad... by yuhong · · Score: 1

    Or, as the HarvardConnection founders have alleged, was he stalling the development of HarvardConnection so that he could build a competing site and launch it first? Our investigation suggests the latter.

    It also suggests that he had developed a strategy for dealing with his would-be competition: Delay developing it.

    Next, Mark appears to have logged into the accounts of some ConnectU users and changed their privacy settings to invisible. The idea here was apparently to make it harder for people to find friends on ConnectU, thus reducing its utility. Eventually, Mark appears to have gone a step further, deactivating about 20 ConnectU accounts entirely.

    And you thought Microsoft was the bad evil monopolist. Sure, it is all in the past now, but it was worse, I think.
    Could this be turned into an anti-trust case?

  42. Re:Now I understand the Facebook Privacy guideline by Anonymous Coward · · Score: 0

    Regarding your sig, it's because your sig says you're one of those devices that injects soap and water into a woman's nether regions. I'm sure you said some sort of asinine thing and some intelligent person at /. modded you as such.

  43. facebook is trash by Anonymous Coward · · Score: 0

    who still uses that shit? what a waste of time!

    1. Re:facebook is trash by Anonymous Coward · · Score: 0

      I know. I spend all my time on Orkut and Friendster where the cool kids hang out.

  44. So what? by Anonymous Coward · · Score: 0

    He won. He's rich as hell now and can buy his way out of any trouble people try and make for him, and he's sitting on top of one of the modern era's most powerful web empires.

    It's business, baby. The ends justify the means.

  45. Re:Some financial insiutuion are already using thi by ub3r+n3u7r4l1st · · Score: 1

    Actually they do have the "micro-deposit" technique as a way to confirm your bank account, but it takes like 3 business days. The method I described works instantly, and only works with a handful of "big" banks.

  46. Quote the complete picture by ub3r+n3u7r4l1st · · Score: 1

    Jake: Hey what's going on?
    Police: Uh the bums won their court case so they are marching today.
    Jake: What bums?
    Police: The fucking Nazi Party.
    Elwood: Illinois Nazis.
    Jake: I hate Illinois Nazis.

    VROOM!

  47. Re:MARK ZUCKERBERG IS A JEW by Shatrat · · Score: 1

    Yeah, well you're a douchebag. I've suffered a lot more at the hands of douchebags.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  48. excuse my ignorance by Anonymous Coward · · Score: 0

    but I took gym instead of Talmud studies in highschool.

    By hurling trite epithets about you are not really refuting any of his claims.

    1. Re:excuse my ignorance by Anonymous Coward · · Score: 0

      Look at his past comments. He's a mentally imbalanced racist, not someone worth debating. The thing that amazes (and disgusts) me is that he seems to actually think about and make his rants semi-relevant to the topic, rather than post the usual copy-paste trolls.

  49. The difference by copponex · · Score: 5, Insightful

    The heads of Google take their job seriously. Zuckerberg is just a douchebag who was at the right place at the right time.

    1. Re:The difference by Yvanhoe · · Score: 3, Interesting

      Just be prepared for the day they won't be in charge anymore.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    2. Re:The difference by neoform · · Score: 1

      "____ is just a douchebag who was at the right place at the right time."

      This is often the case with many very rich people.. (mark cuban and bill gates come to mind)

      --
      MABASPLOOM!
    3. Re:The difference by JonStewartMill · · Score: 1

      Like Bill Gates?

    4. Re:The difference by turbotroll · · Score: 1

      "____ is just a douchebag who was at the right place at the right time."

      This is often the case with many very rich people.. (mark cuban and bill gates come to mind)

      Or Steve Jobs.

  50. Power corrupts . . . by NicknamesAreStupid · · Score: 1

    At least he wasn't having sex.

  51. Re:MARK ZUCKERBERG IS A JEW by Anonymous Coward · · Score: 0
  52. So what? by Gri3v3r · · Score: 1

    I consider him untouchable. He owns a billion-worthy company which has serious investors (Microsoft?). His company is on the news every now and then. I can't imagine that he could easily be affected by law, for such things at least.

  53. !hacking by macro187 · · Score: 1

    For the love of christ, this site should know better.

    1. Re:!hacking by Tim+C · · Score: 1

      You've lost that particular battle; time to save your energy for something you can still win.

  54. Does what happens in the Facebook stay in ?! by Anonymous Coward · · Score: 0

    Facebook is not about Mr. Zuckerberg.
    If you want to know the real deal...
    http://albumoftheday.com/facebook/

  55. depends on his campaign contributions by mosel-saar-ruwer · · Score: 0, Flamebait

    If he forgot to donate to the Obama 2008 campaign, then this dude could be looking at some very serious jail time.

  56. But seriously... by magloca · · Score: 1

    ...did anyone think it was a good idea to give Facebook your webmail password, as they are constantly pestering you to do? "We won't store your password." Yeah right.

  57. stupid is as stupid does by Anonymous Coward · · Score: 0

    I'm wondering who is so fucking stupid as to put a non-clickable link in their post. Learn to HTML, retard.

    1. Re:stupid is as stupid does by Anonymous Coward · · Score: 0

      Select and drag to tab bar WFM, knothead.

    2. Re:stupid is as stupid does by BobMcD · · Score: 1

      Insightful?

      Dirty mouth...

  58. No respect for cowards by viraltus · · Score: 1

    specially those that take pride on it.

    --
    Dear /. CENSORS that set people's Karma to Neutral when you disagree with them: FUCK YOU!!
  59. Shocked... by facebook · · Score: 2, Funny

    I am absolutely shocked that someone would impersonate another human being for personal gain. What has the world come to?

    1. Re:Shocked... by thefacebook · · Score: 0

      I agree wholeheartedly.

  60. E-mail security = post-card by DrYak · · Score: 1

    Well, nicely done to avoid them having your password... ...except that e-mails transit in the clear and have as much security as a post-card.

    If it's not Mark Zuckerberg reading your mail while pretending to "help you search for your friends", any node which relayed your mails between the author's machine and your screen could have done the same.

    The only way to have really secure e-mail is to use end-to-end encryption. Using a mail client which supports PGP or GPG (like Thunderbird). Encrypt the mail in the author's client, decrypt it in the recipient's.
    Anything else short of that is just a post-card. They might be slightly obfuscated (2 nodes could communicate using TLS, you could be accessing webmail over HTTPS), but that still leaves clear copies in the nodes or in the inbox.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:E-mail security = post-card by BobMcD · · Score: 1

      The only way to have really secure e-mail is to use end-to-end encryption. Using a mail client which supports PGP or GPG (like Thunderbird). Encrypt the mail in the author's client, decrypt it in the recipient's.

      Entirely true.

      Also, this would be an excellent way to find yourself relocated to Sunny Guantanamo Cuba, all expenses paid, with free hydro therapy and all the McDonalds and Metallica you can enjoy!

      In all seriousness, there's no better way to say 'this is critical data' than to encrypt it end-to-end. If your email wouldn't be worth reading, like mine wouldn't, you may be exposing yourself to more risk by making it seem attractive. Then when the attackers discover the time spent hacking your poems about your cat was a total waste, expect them to rain hell on your head. It might be better security, on an individual basis, to leave your email inbox a dull place bound to induce yawns. Stego the good stuff.

      Security is an arms race AND a mental game. Particularly with governments hacking alongside the teenagers.

  61. Hey buddy by Anonymous Coward · · Score: 0

    you work for Goldman Sachs?

  62. Earmarks of success in Corporate America by nebular · · Score: 1

    Nothing too surprising in the article. Mark Zuckerberg just came off as a guy who would screw over his own grandmother if it got him ahead. From what I've read those are qualities needed in the boardrooms of America. To have any kind of scruples at that level requires some serious business talent, if anything just to keep you from being screwed over by all the other asses.

    Facebook has time and time again shown that it will push all boundaries it can to gain users and gain assets from those users. Mr. Zuckerberg was just too young when founding facebook to realize that he needed to be a bit more subtle when talking to others as it could come back to bite him on the ass.

  63. Ding! by bdinger · · Score: 1

    This is precisely why I'm moving back to hosting my own website on my own server and hosting my own email. Facebook has always made me a bit wary, and while I'm cool with Goog - their ads are just a little TOO targeted as of late.

  64. ignorance of the law IS an excuse by minstrelmike · · Score: 1

    Eventually, some wise lawyer will realize that ignorance of the law _is_ an excuse.

    Proof: have the judge read into the record every law, covenant, and government regulation that may apply (you don't know until you read it do you?) to a citizen at a specific location in America. Even reading 24 hours a day, I suspect you could not finish in a reasonable amount of time (read all the new laws in that have been passed since you started). Some folks think it would take years. I think given the state of jurisprudence in America, the process would never end.

    Q.E.D.
    (qed even if it takes more than a year at 24/7 because that places an unreasonable burden on the average citizen).

  65. "everybody does it" by warpuck · · Score: 1

    He is just following the successful business practices of Microsoft and Norton. All he needs is good in-house lawyers and capital to buy up or off those litigations that may be headed for unfavorable endings.