100 Million Facebook Pages Leaked On Torrent Site

Stoobalou writes "A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site. The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook's open access directory, which lists all users who haven't bothered to change their privacy settings to make their pages unavailable to search engines."

Well

[Spazztastic]

My only question is: Does it include pictures? That may be a deal breaker...

Re:Well

[Gi0]

No. This torrent contains: * The URL of every searchable Facebook user's profile * The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc) * Processed lists, including first names with count, last names with count, potential usernames with count, etc * The programs I used to generate everything

Re:Well

[Jedi+Alec]

It's 2.8 gigs as it is, imagine how big it would get if 100 million pics were added to it ;-)

Re:Well

[ultranova]

It's 2.8 gigs as it is, imagine how big it would get if 100 million pics were added to it ;-)

100 million pictures * 100,000 bytes per picture = around 10 terabytes. Not feasible yet, but soon will be.

Re:Well

[aliquis]

The pictures is available within Facebook.

As is the other data, so who cares? Nothing has been leaked, the data was already out in the open. If you don't want to don't spread it in the first place.

End of story.

Re:Well

[treeves]

Yeah, people will attach it in emails and forward it to a dozen people, saying something like "I normally don't forward these kind of things, but I thought you should see this...."

And now more people will know about it

[Hojima]

and get more information from those people. You stay classy slashdot.

Re:And now more people will know about it

[causality]

and get more information from those people. You stay classy slashdot.

Rest assured that the blackhats who want this information already know about it. As another user suggested, one potential abuse of this information would be to choose targets for social engineering attacks. But those who would exploit it did not just now hear about it. If anything it's the public that is often left behind.

If you don't want to see that reality then we cannot have a conversation about this. If you can see that reality, then I have one question for you: how do you propose we solve the bigger problem of raising awareness of the dangers and misuses of such databases without some publicity? The users who least understand how these things can be abused are generally the ones who are most actively making their personal information publically available. Everyone else either doesn't share the need for personal exhibition, uses false data, or takes a deliberate and calculated risk with any real data made available.

While I think it's an empty vanity personally, I'm not against someone making a public exhibit of themselves if that's what they wish to do. What I would like to see, however, is for those people to do this with a full awareness of how it could be used against them. The deck is somewhat stacked against them because the black hats thoroughly study how to misuse information, whereas the average user just wants to communicate with friends. That can change, and it really should.

Re:And now more people will know about it

[causality]

and get more information from those people. You stay classy slashdot.

I'm not crazy about making a second reply to this one post but I wanted this to be said.

I have some disagreement with this being modded -1 Flamebait. I don't think his intention was to start a flamewar, though I admit that's possible and an AC has already responded that way. Still, this is a genuinely held sentiment. A lot of people really do feel this way. It's as though they think that not talking about this problem and not making such information available will make it go away. That amounts to burying one's head in the sand.

I'd rather call it out and explain why this is false and shortsighted than bury the comment under negative moderations. Making the comment disappear for all users who are not browsing at -1 will surely reduce the audience of that one comment. What it won't do is persuade others who mistakenly feel the same way. So I don't think this is Flamebait. I think this is a false perception that can be corrected with a true perception.

Re:And now more people will know about it

[Mark+Hood]

and get more information from those people. You stay classy slashdot.

Rest assured that the blackhats who want this information already know about it.

I agree - and while it's good that more people know about this so they can protect themselves, it wasn't the case that every black hat knew about this already - there'll be a load of script kiddies giving it a go now, so the chances of getting hacked went up.

That said, the people who had a genuine malicious intent were more than likely doing this behind the scenes, while the 'kiddies' tend to go for vandalism and defacement. I'd rather that if I got hacked, it just said 'ask me about teh spam' on my wall, than it silently installed a data-tracking app or something...

But really, what's the issue here? That someone went to the trouble of scraping every public name and profile off the site, or that it wasn't Google?

Mark

PS Why doesn't Chrome recognise Google as a properly spelled word?

Re:And now more people will know about it

[ikarous]

While I think it's an empty vanity personally, I'm not against someone making a public exhibit of themselves if that's what they wish to do. What I would like to see, however, is for those people to do this with a full awareness of how it could be used against them. The deck is somewhat stacked against them because the black hats thoroughly study how to misuse information, whereas the average user just wants to communicate with friends. That can change, and it really should.

I agree that people need to be more concerned about privacy, but I don't think believe that the situation is without hope. My admittedly anecdotal experience leaves me with the impression that people are slowly becoming aware of the potential consequences of freely sharing information on public social networking sites. The easiest way to raise awareness with individual people, I've found, is to simply point to one of the plentiful news stories detailing a case where some individual was passed over for a job opportunity because of some mostly innocuous posting on Facebook or MySpace.

That strategy may not work with teenagers who have little yet to lose, but it usually makes their elders think twice about what they publish online.

Re:And now more people will know about it

[Michael+Kristopeit]

i don't think you know what "obscurity" means.

FTFA

[EricWright]

perhaps the existence of a stalker's online black book might finally persuade less security-minded Facebook users to get their arses in gear.

More likely it will precipitate a lawsuit. Why fix the problem when you can sue the pants off someone instead?

Re:FTFA

[TubeSteak]

More likely it will precipitate a lawsuit. Why fix the problem when you can sue the pants off someone instead?

Sue for what? Violating Facebook's ToS?

I'm surprised TFA didn't link to the guy's blog. He has a good writeup there
http://www.skullsecurity.org/blog/?p=887

The Torrent: http://www.skullsecurity.org/blogdata/fbdata.torrent

Re:FTFA

In this case I think it is a more of a matter of 'yeah so?'. I put my information on that website *SO* I could be found. Everyone else who links to me is doing the *EXACT SAME THING*. The whole point of this site as sold is to link you to your friends and family. Thats it. How do you find people? Oh yeah you search for them.

The usual internet problems exist. Do not put up there what you do not want other to know.

I am sure there are dozens of ways to abuse the information that is up there. But guess what *YOU HAVE DECIDED* to put it up there...

That you expect some sort of privacy from an application that by its nature is about being open and sharing whatever stupid thing you are doing is backwards.

If you do not want to be found facebook is not the place to be. It shares everything no matter what your 'settings' are. You have by its nature shared with at least 2 parties. Your friends and facebook. If you want to keep a secret you do not tell people who are known to tell others.

Re:FTFA

[pinkushun]

Well if Facebook's TOS includes them housing your profile data, does compiling publicly visible information into a torrent, shared and owned by everyone, breach their TOS?

Do Facebook even have any claims to that data, if it is publicly visible in the first place?

Re:FTFA

[timeOday]

The usual internet problems exist. Do not put up there what you do not want other to know.

I am sure there are dozens of ways to abuse the information that is up there. But guess what *YOU HAVE DECIDED* to put it up there...

The problem is that's not true. It is becoming increasingly easy to correlate all the information others have incidentally posted about you, and put together a pretty good picture of you, even if you personally have posted nothing at all.

I have no facebook account. Yet yesterday I got an email facebook invite from somebody I've never heard of, and it said "here are 9 other friends of this person you may know." I *do* know 7 of the 9, through different business dealings that have nothing to do with each other. They're sure not people who "friended" me, since we don't have that kind of relationship. It's creepy.

Re:FTFA

[Bing+Tsher+E]

At a certain point the government will discover they have a 'compelling interest' to confiscate and retain the entire Facebook database. At that point, we're all fucked.

Re:FTFA

[ukyoCE]

In this case I think it is a more of a matter of 'yeah so?'. I put my information on that website *SO* I could be found.

YOU may have. The issue here is that Facebook keeps defaulting more and more info to public. Many of these users may have no clue their information is currently public, nor how much of it is public.

At best it's a usability issue, where Facebook isn't making it clear to users what is private and what is public. At worse (and more likely) it's intentional obfuscation on Facebooks part to try to make money.

You have by its nature shared with at least 2 parties. Your friends and facebook.

If you talk on your cell phone you have by nature shared it with at least 2 parties. The other caller and your mobile carrier. This in no way implies you have no right or expectation to privacy.

Re:FTFA

[Provocateur]

Well, whoever is interested might be able to reply to some invites (in the negative, I hope) that I have received or respond to some of the causes they seem to think I'm interested in, or join the Mafia or some other game they think I have time to mess with.

I do like the fact that I can be found, but the rest of FB is a barrage that constantly reminds me of excess baggage. I would like to organize it somehow but that is daunting and might take up too much time as well. Time that could be better spent on, er slashdot.

Re:FTFA

[Anachragnome]

"I'm surprised TFA didn't link to the guy's blog. He has a good writeup there
http://www.skullsecurity.org/blog/?p=887 [skullsecurity.org]"

That is because Stoobalou wanted you to go to think.co.uk to read the story, spend 30-60 seconds looking for a link to the original source(viewing ads the whole time, he hopes)...kind of like EVERY other story he has posted.

I agree. He could at least provide the link somewhere. What a tease.

Re:FTFA

[joss]

Right, that's what we should be afraid of because the government is much more likely to try and screw us than Mark Zuckerberg who would never try to screw anybody. Or consider selling the info to anybody who would screw us. In other breaking news, unexpected rain could mean the Titanic is danger of getting wet.

Re:FTFA

[sinclair44]

At best it's a usability issue, where Facebook isn't making it clear to users what is private and what is public.

Have you gone through the new user flow recently? The amount of messaging saying "YOUR STATUS UPDATE IS GOING TO BE COMPLETELY PUBLIC, HERE IS HOW YOU CHANGE IT!!" is insane in my opinion. If someone writes a public update after that accidentally, they have bigger problems...

At worse (and more likely) it's intentional obfuscation on Facebooks part to try to make money.

How does that help Facebook make more money? Ads are targeted based upon demographics and interests without sharing information to advertisers (explanation of how it works) -- how does someone sharing publicly vs. privately help this?

torrent

[digitalsushi]

http://www.skullsecurity.org/blogdata/fbdata.torrent

Re:torrent

I'm bringing it on to a 1 Gbit, 10 TB/month seedbox...
Enjoy.

Re:torrent

[0111+1110]

TPB has it too.

Leaked?

[ikarous]

Misleading headline is misleading. These public profiles haven't been leaked. They've simply been aggregated.

Re:Leaked?

[jeffmeden]

They might as well have said "millions of home telephone numbers LEAKED via paper-based archive deposited randomly on doorsteps ALL ACROSS TEH COUNTRY!!!"

Worthless headline; it should read "Facebook name and URL database created from already public information, nothing to see here, move along"

Re:Leaked?

[holiggan]

You mean "curated"

Re:Leaked?

[ikarous]

I prefer aardvarks.

Re:Leaked?

[pinkushun]

Maybe they meant 'leaked' as in not through the Facebook channels or without their knowledge. Leaked is a strong word in this case.

Re:Leaked?

[ikarous]

Fucking stupid sentences are fucking stupid.

This isn't 4chan, take your meme shit back to the pedophile hole where it (and inevitably, you) belong.

I have attempted to do as you suggest, but I'm afraid I've been unable to locate either feces of meme or a perforated pedophile. Nevertheless, I appreciate your advice.

Re:Leaked?

[Surt]

You're supposed to perforate your own pedophile for this purpose, and help out with the grand pedophile perforation project.

Re:Leaked?

[ElectricTurtle]

You, sir, have written the only thing that need be said in this discussion. Congratulations are in order.

Re:Leaked?

[statueofmike]

Are people starting to lose touch with the basic definition of the term "leaked" as it relates to data? Now we have to watch out for any component of the impending headlines: "CYBER-WAR LEAKED TERROR PATRIOT"

Obvious next step

[Pojut]

Download the file and make sure I'm not in there. Onward and upward.

Re:Obvious next step

[betterunixthanunix]

Same here; I killed my Facebook account 3 years ago, but who knows how long these guys have been aggregating their data, or who else might have been posting information about me.

Security Research

[chebucto]

I'll bet there are about 100 million people who would like to test the security of Ron Bowes' nuts against a swift kick. I mean, he should be aware of the Extreme Pain vulnerability by now, and he should have taken the most basic security precautions by now, like wearing a cup. If not, well, he deserves what he gets, right?

Re:Security Research

[bsDaemon]

I doubt there is a significant overlap between the people who follow computer security and online privacy issues and the people who still leave their Facebook profiles open for search indexing. I would venture a guess that most of the people harvested will never know, or care. I mean, after all, it doesn't even really sound like this guy did anything more than Google already did anyway.

Re:Security Research

[gstoddart]

I'll bet there are about 100 million people who would like to test the security of Ron Bowes' nuts against a swift kick.

Purely playing Devil's advocate here ....

So, Facebook made this stuff public by default. The individual users didn't change their settings to make it private (either they didn't know, or didn't care). This guy collects all of the information which is open to him, and publishes it.

I'm not saying I agree with scraping all of this information, but I place much more of the blame on Facebook for their shitty privacy policies and making a change to the data which made it public by default.

This is a logical conclusion of having that much information public by default. It's scary to get that information on 170 million people, but, as TFA points out, this is hardly illegal.

I'm sure Facebook will say this is a good thing, and that those users wanted that information made available since that seems to be their default position on security and privacy.

Re:Security Research

[natehoy]

As long as Ron Bowes didn't uncheck the pre-selected checkbox "you allow random people to come up to you and give your nuts a swift kick", sure.

Look, I've been using Facebook for a couple of years now. Facebook is finally pretty forthcoming about telling their users what's accessible to the public in your profile. There's even a "see your profile as {friend|friend-of-friend|public} sees you" button so you can easily review who sees what.

It's pretty easy to mark things as "friends only", though I prefer the simpler step of not putting shit on Facebook that I don't want to become public knowledge in the first place. I still have mostly everything set as "friends only", but in case there is a leak I want to not have to care.

Having said that, I'm struggling with what Ron did that is considered kick-to-the-nuts-worthy. He published a list of URLs to people's Facebook pages that point to information that is set to be viewable by the public. From what I can see, he hasn't extracted any of the actual information. He's providing less information than Google would, and isn't caching anything.

I haven't owned a landline in almost a decade - I like not being in the phone book. But I'm not at all uncomfortable with this list, because it doesn't expose one goddamned thing about me that isn't already exposed by my specific request.

If anything, maybe a few Facebook neophytes will go through the handful of mouseclicks it takes to set some of their information as "Friends Only" at which point the URL will point to an empty (or at least less full) page and the user will be safer from strangers knowing every detail about their dog's bowel movements or their Farmville score.

Re:Security Research

[jeffmeden]

I'm sure Facebook will say this is a good thing, and that those users wanted that information made available since that seems to be their default position on security and privacy.

Mark Zuckerberg actually said exactly that in a recent interview (with NPR, google it) when confronted with the question of "why not just make the default 'private'?" he quipped "We think users want to be seen". He is probably right, but there are way more people out there who are clueless about their privacy and mistakenly disclose tons of information than those who are well informed and intentionally disclose tons of information. Assuming the whole world is made up of perfectly informed adults who consent to sharing all of their information is a pretty big reach.

Re:Security Research

[linzeal]

Who uses real information online anyways?

Re:Security Research

[bsDaemon]

Sometimes you need to prove you real identity, such as to verify an SSL certificate or OpenPGP key. But there is a difference between establishing you are who you say you are and telling the entire known universe about every time you went on a weekend drinking binge at on frat row.

Re:Security Research

[mlts]

The trick with FB is to have the default security settings set to only allow a certain group of friends see your wall, settings, personal info, pictures, and other stuff. This gives you two advantages:

1: Nobody sees your personal information unless you explicitly add them to the group. So if your professor or boss demands friend access, they can get it, but it won't give them much information.

2: You can remove people from seeing what you are doing without unfriending them. This way, someone you don't feel like speaking to can be off your list, and if that was a mistake, they can be re-added without the business of two-way re-friending them.

Re:Security Research

[gstoddart]

"We think users want to be seen". He is probably right, but there are way more people out there who are clueless about their privacy and mistakenly disclose tons of information than those who are well informed and intentionally disclose tons of information.

Oh, I think it entirely unlikely that 100 million people chose to disclose that much information.

I blame Facebook constantly changing things, and user apathy/lack of understanding in this case.

This is just one more example of why I don't use Facebook. But, the guy who scraped it was doing something in a gray area, but neither illegal nor against the ToS. Because Facebook themselves made this data public and left it up to the user to lock it down.

Re:Security Research

[natehoy]

Very true. I haven't gone to the trouble of setting up groups of friends, because the kind of information I share on Facebook is stuff I really don't feel the need to "segregate".

I always assume Facebook is selling everything I post or say to someone I don't like, so anything that I feel the need to keep in a smaller circle of friends is either emailed or said in person.

Re:Security Research

[mlts]

Another thing is to have two FB accounts. One a public profile for your boss, professors, and others to see which has nothing but some random intelligent comments on it. The other your private one for friends, where all the pictures of you with the beer bong are well secured (as well as they can be on FB) from prying eyes.

Like what the parent stated above, I've not bothered to do this because I feel that if it gets on FB, it will end up public anyways somehow.

Re:Security Research

[CraftyJack]

I doubt there is a significant overlap between the people who follow computer security and online privacy issues and the people who still leave their Facebook profiles open for search indexing.

...which is exactly why those people are less likely to see the "raising awareness" angle and more likely to see the "why the hell do you have my daughter's name on a list?" angle.

I would venture a guess that most of the people harvested will never know, or care.

Give it a month, then check snopes.

Re:Security Research

[natehoy]

I feel that if it gets on FB, it will end up public anyways somehow.

Right. I treat all of Facebook's controls as if they had no meaning.

I mean, I do secure it using their controls, but it's almost an exercise in security masturbation, and I understand that. I understand and acknowledge that the least trustworthy player in the game is the one who has the technical means to easily ignore the settings anyway.

It's like putting one of those "child on board" signs on your car to "protect your family". What, like I'm going to intentionally run into you if I don't know you've got a child in your car? Or is it to give me the opportunity to wave to the kiddies when you pull out in front of me and I can't stop in time?

Re:Security Research

[paeanblack]

I doubt there is a significant overlap between the people who follow computer security and online privacy issues and the people who still leave their Facebook profiles open for search indexing.

I would assume the opposite is true. People who actually understand computer security and online privacy issues would be more likely to realize that Facebook's "privacy settings" do not actually protect anything. Those people will only post content to Facebook that they intend to publish to the entire world and leave the settings to default open-access, since that's the whole point, and Facebook is a convenient place to publish.

The people who don't understand security and privacy will rely on the "don't let my ex see these photos" checkboxes to keep their data secure.

Re:Security Research

[Kvasio]

Who uses real information online anyways?

Idiots do. So probably at least 80% of users.

Re:Security Research

[John+Hasler]

Oh, I think it entirely unlikely that 100 million people chose to disclose that much information.

I have no difficulty at all believing that 100 million people chose to disclose that much information. (the information being a link to their public Facebook profile). Why do you imagine that everyone wants to be secretive?

Re:Security Research

[gstoddart]

Why do you imagine that everyone wants to be secretive?

Date of birth? Address? Phone number?

Some of that stuff gets up into the easy identity theft range.

It is possible that some people specifically wanted to give this information away, but it seems to fall more into the category of not being an informed decision.

No, It's Just a List

[eldavojohn]

If you go to the originator, here's all it contains:

This torrent contains:

* The URL of every searchable Facebook user's profile
* The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc)
* Processed lists, including first names with count, last names with count, potential usernames with count, etc
* The programs I used to generate everything

You're going to get a URL to pages. If the user has since made them inaccessible, you'll only get what you can from their public profile. Like, you cannot get to my friends list from my public profile. You'll get "potential" usernames to log into Facebook. Big deal. Remember when everyone could make a username for Facebook and that was also their profile URL? Well, now you can guess the most common names and add them to this list like david. Then you could use ncrack or whatever.

Not a whole lot in this file. Not like he scraped the pages of data and put that in a csv file for research or anything really interesting.

Re:No, It's Just a List

[Sockatume]

No good for attacking any individual user, plenty useful for anyone looking to streamline their search for soft targets for social engineering attacks.

Re:No, It's Just a List

[Sockatume]

(Which is to say, it's hardly a threat in itself, but it highlights one.)

Re:No, It's Just a List

[Spad]

Not like he *published* anything really interesting.

Re:No, It's Just a List

[RalphSleigh]

While yes you can set up your profile or page with a URL so it can be accessed at e.g. facebook.com/joe.bloggs Logins are done using email addresses, which have never been displayed publicly by default.

Re:No, It's Just a List

[TheoMurpse]

I'm not going to download this behemoth, but how the heck is a list of URLs plus some source code 2.8GB in size? Did he use PKgargantusplode to shrink it?

Re:No, It's Just a List

[Zcar]

I don't think it'd take much compression. That's a bit over 30 bytes per record. Strip out the common prefix to the urls and I think you'll find the average is something like 15-20 bytes per, leaving plenty of room for other data.

Okay, so...

[Revotron]

This guy wrote a script to crawl Facebook and download everything he could. So? Nothing is revealed here that we couldn't find manually ourselves by just looking at a person of interest's profile.

This story is about a glorified crawler. No actual hacking transpired. No personal information that wasn't already revealed has been revealed. This is not news. In fact, I had to go back to TFS and double-check that kdawson wasn't the editor - that's how terrible this story really is.

Re:Okay, so...

The point is you don't have to hack anything, facebook just defaults to posting stuff that a hacker might otherwise have to hack in to get.

For example, did you know that when you add a new email to facebook, it defaults to showing that email?

Re:Okay, so...

[eldavojohn]

This guy wrote a script to crawl Facebook and download everything he could.

It's not even about that, it's about a guy who wrote a script to collect usernames of everyone on facebook which double as the URL for their profiles. From there you can go and scrape everything you want. You don't even get their public information that they can chose to display on the front page like religion or real name. That's not even on there. No images, just URLs which double as logins.

This story is about a glorified crawler. No actual hacking transpired. No personal information that wasn't already revealed has been revealed. This is not news. In fact, I had to go back to TFS and double-check that kdawson wasn't the editor - that's how terrible this story really is.

It's worse than that. It's about a glorified crawler that was augmented with common names to create a list of possible usernames and URLs for Facebook. If you gave me a glorified crawler that collected interesting data inside a csv, I'd actually be a little interested in using it. Hell, anyone can do this in perl by coding for five minutes but it would take days for the thing to complete with a risk of banning from Facebook.

They say this in the article and from the original source. The summary is more than misleading and there's even less to say "big deal" about than you presupposed.

Re:Okay, so...

[John+Hasler]

> Until this data dump, the only people doing data mining were Facebook &
> their partners.

Do you seriously believe that no one has ever written such a script before?

Re:Okay, so...

[Skeptic+Ace]

Your right.

The only hack here is CmdrTaco's account by a one Mrs. kdawson, wanted in a string of internet highway robberies.

Re:Okay, so...

[BobMcD]

This story is about a glorified crawler. No actual hacking transpired. No personal information that wasn't already revealed has been revealed. This is not news.

To quote one of the genius minds of our era, 'no shit, Sherlock'. The cases of 'actual hacking' that transpire on a regular basis can be counted on one hand. Nearly all the major 'hackers' have in their hit lists mundane crap exactly like this. Do you think dumpster diving, social engineering, and using lists of common passwords are somehow any more romantic than scraping public pages?

Grow up. Security is about a lot more than terminals in a green font.

Re:Okay, so...

[Bing+Tsher+E]

This lowers the threshold. People who don't know how to write the script now can just help themselves.

Haven't you ever noticed that a lot of the malcontents on the Internet are script kiddies? The enabling of script kiddies is one of the worst crimes a tech-adept person can engage in.

Re:Okay, so...

[vlueboy]

Until this data dump, the only people doing data mining were Facebook & their partners.
Now anyone can. If you don't see the value in this aggregation of information, you're not looking very hard.

Do you seriously believe that no one has ever written such a script before?

The GP is correct. Nobody cares that out of 6 billion people a few might have written a script, like you expect.
What we care is that out of those few, this ONE researcher is the first to make it easy to find so 6 billion others can further digest the information. This allows mere John Does the liberty of looking themselves up without waiting for scripts to crawl for days / risking their prescious FB account ban or paying someone else.

John Doe mostly waits till some other Prometheus steals the first "fire" from the Olympian gods, and only approach to enjoy it after the fire is available to all. Now your coworkers can post in their blogs and twitter accounts linking to this torrent... and your generationally disconnected family from another country can use data to track you down by last name and location.

We don't know what good can be done from this data yet --just like legitimate Facebook data miners^W^W "partners" have to look at the data first and then make use of it. The bad that will come of it is allowing dedicated scammers to easily gather enough information about your general last name and location that you might believe they are really a long-lost relative trying to reconnect... but "needing a money transfer so they can make that trip from across the ocean to meet you."

Re:Okay, so...

[jgrahn]

This story is about a glorified crawler. No actual hacking transpired.

You're probably thinking of cracking. Hacking, in the sense "creative programming", may have been part of it.

Re:Okay, so...

[Revotron]

If I had long-lost geographically distant relatives who wanted to come visit, and wanted to do it on my dime, I'd politely suggest that they just stay on their side of the pond.

Anyone who falls for a trick like that deserves to lose their money. The only problem is that the people who play those tricks don't deserve the money even if someone was stupid enough to fall for it.

Where's the Pr0n?

[ArcherB]

Would someone create a list that only contains public profiles with NSFW images?

Thanx

Re:Where's the Pr0n?

[Abstrackt]

Would someone create a list that only contains public profiles with NSFW images?

Thanx

Sure, but they're all goatse.

Re:Where's the Pr0n?

[monkeySauce]

Sure, I'm working on it right now. The site will be up shortly.

http://wangbook.com/

Enjoy!

How do you "leak" public information?

[goldspider]

After my initial outrage spike, I realized that the only reason this guy ended up with this information is because these people INTENTIONALLY POSTED it.

See if anyone you know is on this list and educate them.

Re:How do you "leak" public information?

[natehoy]

Yup, this is less harmless than scanning the telephone book and making it available via a Torrent.

Anyone who gets the slightest bit upset about this should be hand-delivering Molotov Cocktails to www.anywho.com right now. They disclose your STREET ADDRESS AND PHONE NUMBER.

Well, if you're listed in it, that is. Personally, I'm not. One of the reasons why I dropped my landline ten years ago, actually. I saw that excellent security documentary with Steve Martin about the dangers of being listed in the phone book.

Re:How do you "leak" public information?

[twoshortplanks]

I saw that excellent security documentary with Steve Martin about the dangers of being listed in the phone book.

That wasn't Steve Martin, that was Arnold Schwarzenegger. If I remember correctly it wasn't just a pain for Linda Hamilton, but her roommate and date had an even worse time of too.

Re:How do you "leak" public information?

[natehoy]

Oh, yeah, there were two documentaries about that. I'd forgotten. Silly me!

I think it's because neither documentary ever had a sequel.

hmph

[shentino]

Considering that this information was already in the hands of a company whose CEO doesn't give two shits about privacy anyway I say no harm done.

Re:hmph

[John+Hasler]

Considering that these pages HAD ALREADY BEEN MADE PUBLIC BY THE USERS anyway I say no harm done.

Re:enjoy!

[djsmiley]

No pictures, just url's and text...

which means no many people will bother reading through it all....

However if he posted everyones pics, i'm sure people would love to look through it ;')

BFD...

http://youropenbook.org/

Sensational...ism

[RobM9999]

Sensationalism - A manner of over-hyping events, being deliberately controversial, loud, self centred or acting to obtain attention. It is also a form of theatre.

Yep, that's pretty much it.

Just because he found the super-secret directory, http://www.facebook.com/directory/ and wrote a program that would read it. Of all the evil, nefarious things to do.

Re:Sensational...ism

[Solandri]

Not only that, 2.8 GB / 100 million users = 30 bytes per user. The vast majority of those "100 million users" probably had nothing on their Facebook pages and were dummy or deleted accounts.

News flash: 400 million user profile pages leaked!

[thePowerOfGrayskull]

News flash: 400 million user profile pages can be found online at facebook.com.

I'm rooting for you

[stephanruby]

You only need 500 kazillion more leechers, and you'll be almost as big as Google/Yahoo.

This seems more like an awareness campaign

[Jetrel]

Most of the other post talk about how this is not a big deal and in the grand scheme of things it’s not but what he is doing is showing the world how venerable your information is on the web and FB. There are tons of people that really just don’t understand what it means when you post things like your address, email address, phone number, and full name for the world to see. Take this mix it with your likes and updates of your daily activities and you have a damn good profile for someone to steal your identity.

Think about it, there are family tree applications on FB which is a gate way to getting someone’s mother’s maiden name. While I think him posting all this information on the web is callous he certainly is taking steps to show the world exactly how venerable you are when you openly participate in sites like this.

Your Anger May Be Misdirected

[eldavojohn]

I'll bet there are about 100 million people who would like to test the security of Ron Bowes' nuts against a swift kick. I mean, he should be aware of the Extreme Pain vulnerability by now, and he should have taken the most basic security precautions by now, like wearing a cup. If not, well, he deserves what he gets, right?

+5 Insightful? Why is it that we regard Tavis Ormandy as someone trying to expose the insecurity of Microsoft when he releases a how-to exploit Windows hack but when a security researcher attempts to reveal how insecure Facebook's "Directory" service can be we attack him as the creator of that service and not Facebook?

I believe your anger would be better directed at Facebook. After all, this is posted in his blog for the world to see while a malware author could have just taken this list and run ncrack on it without anyone knowing.

I would also like to point out that, as mentioned many times in this thread, this is just a list. Not even real names but just usernames of people on Facebook. That means that if you find your username on this list, you can restrict your settings so that no one can see your public profile. Then if someone uses this URL list to look you up they get nothing.

So a security researcher tries to wake up Facebook users and he's the guy you want to kick in the nuts? Very curious.

Re:Your Anger May Be Misdirected

[John+Hasler]

> I believe your anger would be better directed at Facebook.

Why is there any need for anger at all? These users made their pages public. This guy created a list of public Facebook pages. So what?

Re:Your Anger May Be Misdirected

[Captain+Hook]

> Why is there any need for anger at all? These users made their pages public. This guy created a list of public Facebook pages. So what?

Technically, these users failed to hide their profiles, or to lock the privacy settings back down after Facebook opened them all back up earlier in the year. In fact, even if they did lock their privacy settings back down after facebook opened them all up the last time, the script might have just scrapped the information in the time inbetween.

You make it sound like the users made a conscious, informed decision to allow everyone to see everything when that is far from the only possible explaination.

Re:Your Anger May Be Misdirected

[Jeff+DeMaagd]

For the most part, I agree, this is all information you can get with Google.

However, Facebook's privacy settings are change often and can be confusing. The blame really should go to Facebook at least for that.

Re:Your Anger May Be Misdirected

[chichilalescu]

"So a [...] researcher tries to wake up [...] users and he's the guy you want to kick in the nuts? Very curious."

Welcome to Earth.

On a more serious note, in the final of MASH, a woman kills her baby (infant) because it made noise and the respective group of people wanted to be silent (soldiers outside the bus wanting them dead). Don't expect anger/fear to be rational; once you set off some feelings, a lot of people can't tell the difference between "our survival depends on hiding our weakness now and this guy is yelling about it" and "hey, this guy showed us that we are weak and we should solve the problem".

PS: I realize I might have given a stronger comment than might be required by the context... but the anger at this hacker might be related to this survival thing in a (faraway) way.

Re:Your Anger May Be Misdirected

[ElectricTurtle]

The users consciously joined facebook, consciously entered data into a service, probably didn't read the terms of that service (which is clearly the service's fault, not lazy users who skip every ToS and EULA as fast as humanly possible), probably don't monitor for changes to those terms (there is even an opt-in method defined in those terms to be auto-notified of all changes), and of course they feel after all this that they are the victims. Bullshit.

Breaking news! Facebook works as designed, public information is public, and it is leaking at all times to all people! More at 11.

Re:Your Anger May Be Misdirected

[John+Hasler]

You make it sound like the users made a conscious, informed decision to allow everyone to see everything when that is far from the only possible explaination.

I just created a dummy Facebook account (I've never bothered with it before). Anyone who is mentally capable of operating a computer and claims that they did not understand what would be public under the default settings is lying. It is extremely obvious from the start that what you are doing is creating a personal, public Web page with the option of restricting access to some parts of it.

Re:enjoy!

[shadowknot]

Can you imagine how huge it would be though? I'm currently working a digital forensics case in which a computer and a couple of USB flash drives have been seized and I've already got >6GB of images to go through with extraction only partially done, 100 million FB profiles with at least one image (often many more) would be fracking enormous.

Hopefully....

[fuzzyfuzzyfungus]

I hope that this will serve as a viable reply to the persistent "but you have no expectations of privacy in public in the real world, why worry online?" crowd.

The real world is(relatively) harmless because(outside of East Germany, and the UK) persistent, comprehensive surveillance is extremely expensive and/or time consuming. Only people with stalkers, secret agents, or private investigators on their tail need worry.

On the internet, which masterfully makes data collection and mining much easier, comprehensive surveillance, and making something of the results, is relatively trivial. Hence the concern.

Re:Hopefully....

[Gordonjcp]

(outside of East Germany, and the UK) persistent, comprehensive surveillance

Neither of these countries have any more comprehensive, persistent surveillance. Well, the former East Germany did, but it hasn't existed for 18 years. The whole "27 million CCTV cameras in the UK" was from an entirely fictitious article in one of the more rabid right-wing tabloid papers.

Re:Hopefully....

[fuzzyfuzzyfungus]

I was (mostly) joking. The licence plate tracking system they have for enforcing congestion charges in London(among other uses) is pretty spiffy...

Re:Hopefully....

[Gordonjcp]

Most large cities have ANPR, and it's pretty effective in solving car thefts. Mostly it can tell the police which approximate area to look for the burnt-out wreck in, and local knowledge of the hiding spots will take them right to it ;-)

The interesting thing is, it *doesn't* track all cars - only the ones they're specifically interested in. You can't tell where a car *was*, only where it went after you set it up on the tracking list. Now, I'd say that makes it *less* of a privacy violation than real live cops in cars, because the ANPR system never goes "Hm, don't like the look of that guy, let's watch where he goes..."

Re:News flash: 400 million user profile pages leak

zomg... somebody also already made a searchable version of the data...

http://www.google.com/search?q=site%3Afacebook.com

How is this a leak?

[EmagGeek]

How is it a leak if all of these pages are available publicly anyway?

Re:How is this a leak?

[Mr.+Freeman]

It's not. But this guy can get a lot of attention by claiming that he "exposed some new privacy threat". Privacy settings are all the rage right now and you can get a lot of attention with almost no work if you play your cards right.

Making a script to go search google and pull public profiles then calling it "OMG PRIVACY ISSUES!!" is one such example.

NOT A LEAK, title is -as usual- stupid

[xmousex]

A leak is something that happens when previously hidden information is then made publicly available by someone on the inside.

The information here is available to anyone that wants it, someone just spent some time compiling the data, who had no affiliation with facebook.

Phone book

[sh3rp]

It's called a phonebook. Figure it out.

The ultimate "you must be new here"

[Torodung]

FTFA:

...but perhaps the existence of a stalker's online black book might finally persuade less security-minded Facebook users to get their arses in gear.

A fine sentiment, but you must be new here. As in planet earth. Born yesterday.

Cue "I wanna be famous." or even the alternate: NSFW song (first time I saw that one!).

Think of it this way, Facebook might keep a John Hinkley from ever happening again. Naw, I'd have to have been born yesterday to believe that. ^_^

--
Toro

LOL oF Kill somebody important oF

What about:

[phyrexianshaw.ca]

What about those of us who CHOOSE to make their profile completely public and full of information about themselves?

Re:What about:

You're nominated for a future Darwin Award.

Re:What about:

[Yvanhoe]

Or get some job offers spontaneously.

The reverse-looker factor

[qwerty8ytrewq]

the news here perhaps isthat the marketing script-kiddies now have the data in a form they can go to spam-town with. Not really a leak, but an accessible-format conversion. I look forward to the statistics being crunched in amusing ways... % of "female" people who have the words "sex" and "city" and "2" and "terrible" in their data...98%

Just a spam List

[Alien1024]

Indeed, just a spam list but with facebook names instead of email addresses.

Shouldn't come as a surprise to anybody, really. The moment you create a searchable profile, you know that is bound to happen.

Wow! I'm somebody now!

[Orion+Blastar]

The new Phone Book is here the new Phone Book is here and my name is on it, so I am somebody now! Er ah Facebook Whitepages I guess? Oh yeah the words are backwards because it is a parallel universe that developed English a bit differently than ours did.

Anyway right now some Sniper is looking in the Facebook Phone Book and finds "Blastar, Orion" and then decides to look me up and get his rifle and start shooting at me. :) LOL

100 Million Sensational Slashdot Headlines!

[Domini]

Yet another blown out of proportion Slashdot headline which panders to the crazies.

Nothing to see here, please move along.

PS: I would be first to condemn Facebook. I don't like their management and lack of customer focus. But this headline is probably the reason I'll delete my Slashdot account just like I've deleted my Facebook account.

Re:100 Million Sensational Slashdot Headlines!

[ferd_farkle]

The other day, I used a wrong option for wget and downloaded the internet. Maybe I should post it on an Internet file-sharing site.

Re:100 Million Sensational Slashdot Headlines!

[MoeDumb]

"But this headline is probably the reason I'll delete my Slashdot account..." Let us know if you're successful.

Re:frist psot

[hkgroove]

that was my facebook password before I deleted my account after someone changed it to "no it's not"

Not following their robots.txt?

[palmerj3]

Facebook's robots.txt explicitly says that all web crawlers except for baiduspider, Googlebot, msnbot, naverbot, seznambot, Slurp, teoma, twiceler, and Yandex are forbidden from crawling the site.

So, this guy must have set his user agent as one of these in order to crawl all those pages, which goes against Facebook's TOS.

So, yes, downloading these torrents would be illegal since they were obtained in a way that violates Facebook's TOS.

Re:Not following their robots.txt?

ILLEGAL because it didn't agree with the tos? I didnt realize inventing new laws worked so easily. I'm starting my own tos right now.

Re:Not following their robots.txt?

[Bing+Tsher+E]

Can't you just bypass robots.txt with your ~/.wgetrc file?

I know I have. Put the line:
robots=off
in it.

I also put:
no_parent=on
and
recursive=on
to default to mirroring sites.

Re:Not following their robots.txt?

[John+Hasler]

So, yes, downloading these torrents would be illegal since they were obtained in a way that violates Facebook's TOS.

Robots.txt is just a convention, not a law, and Facebook's TOS is just CYA grounds for them to terminate your account. If they respond to my GET by sending me a page they just gave me a copy of the page and I am free to disclose the contents of that page.

A "hacker", huh?

[daschlag]

This is what passes for hacking these days? Scraping publicly available information and sharing it? Puh-leeze.

Good start

[tompaulco]

Now, if someone could complete the work of compiling a list of all the other boring and useless URLs into one spot, then we can use it as a blacklist of URLs not to visit.

Finding one's self.

[edthebedhead]

Fastest way to look through 2.8GB of data to find my name? -SQL? -Python? -Other?