How Facebook Responded To Tunisian Hacks
jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"
Really is annoying that Facebook defaults to http
When Facebook does something right, they should be commended. They easily could have shrugged their shoulders and said, "Not our problem!"
Gamingmuseum.com: Give your 3D accelerator a rest.
Article Summary: They switched facebook to use https in Tunisia.
I wish facebook would consider just switching all traffic to https.
So Facebook's sales guy called the President of Tunisia and said "Dude, you have to pay for all that user data just like everyone else does. What makes you think you're special?"
The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password. I doubt this was the case because a) they don't seem smart enough and b) no security measure would circumvent this unless people knew not to log in over http.
So now we just wait until the government uses sslstrip...
P.S. - It's unbelievable that in this day and age FB doesn't encrypt the whole session given how trivial session-jacking is.
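The point the thread keeps circling back to (a password sent over HTTPS does not help when the session cookie then travels over plain HTTP, and a link to http:// is enough for an sslstrip-style downgrade) can be checked mechanically from a site's response headers. The following is an added example, not code from the original thread or from Facebook: it parses a constructed HTTP response and reports whether the session cookie carries the Secure and HttpOnly flags and whether the site sends Strict-Transport-Security. The cookie name "session" and the sample header sets are assumptions made up for the demonstration.

```python
"""Check response headers for the two mitigations against session sidejacking
and HTTP downgrade: Secure/HttpOnly cookie flags and HSTS.

Added example; the header samples below are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Header = Tuple[str, str]


@dataclass
class CookieCheck:
    name: str
    secure: bool      # browser will only send it over https://
    httponly: bool    # script on the page cannot read it


@dataclass
class HeaderReport:
    cookies: List[CookieCheck] = field(default_factory=list)
    hsts_max_age: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieCheck:
    """Split a Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return CookieCheck(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def parse_hsts(value: str) -> Optional[int]:
    """Return the max-age from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers: List[Header],
                  session_cookie_names: Tuple[str, ...] = ("session",)) -> HeaderReport:
    """Report session cookies that would leak over http:// and a missing HSTS policy."""
    report = HeaderReport()
    for key, value in headers:
        lk = key.lower()
        if lk == "set-cookie":
            cookie = parse_set_cookie(value)
            report.cookies.append(cookie)
            if cookie.name in session_cookie_names:
                if not cookie.secure:
                    report.findings.append(
                        f"{cookie.name}: no Secure flag, sent in the clear on any http:// request")
                if not cookie.httponly:
                    report.findings.append(f"{cookie.name}: no HttpOnly flag")
        elif lk == "strict-transport-security":
            report.hsts_max_age = parse_hsts(value)
    if report.hsts_max_age is None:
        report.findings.append(
            "no Strict-Transport-Security header: an http:// link is followed unencrypted")
    return report


# Constructed samples: a login response that protects only the login form,
# and one that keeps the whole session on HTTPS.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(hdrs).findings or ["ok"])
```

Run it as a script to see the weak set produce three findings and the hardened set none; in practice you would feed it the headers captured from a real login response.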
As bad as every other site that doesn't require https:// for login.
- Dan
A valid point -- end-to-end encryption in both directions is required. Meaning the calls to always use https actually make sense.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Parent is modded funny. It is not funny. It is insightful.
Look where all this talking got us, baby.
It *is* possible to encrypt the password for real before the password gets passed to the server, by means of using some javascript with a one-way encryption (think pgp) and a public key, but that would require disclosing the public key as well as the encryption algorithm being used, which isn't very good mojo.
WTF? There's nothing wrong with disclosing the public key (hint: it's right there in the name). You can encrypt with the public key, publish the key on websites, in newspapers, hell, broadcast it on national radio - it doesn't matter. That's the point. Just don't publish the private key.
In theory, only one end needs to authenticate the other.
In practice, the website depends on the client to do a good job of this. So if you're running MS Windows, the Tunisian government can put a trusted root certificate in your computer with the endorsement of Microsoft. So even running https everywhere will not save Facebook from Microsoft.
Try it yourself. If you have access to a Windows machine, visit http://bit.ly/eWYRbA in IE then check your personal cert store for Agence Nationale de Certification Electronique.
If you think this is a big deal, retweet it or spread the word in other ways. I'm at a loss to explain why people aren't realizing the magnitude of this.
Of course, what's even better is that it's a CODE SIGNING cert. ;-) Now that's what I call pwned!
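The defensive counterpart to the manual check suggested above (looking in the cert store for a root you did not expect) is to compare the local root store against a fingerprint baseline taken from a known-good machine, and to note which unexpected roots are trusted for code signing. The following is an added example, not from the original thread: it uses the standard-library `ssl.enum_certificates`, which exists only on Windows, and the allowlist and sample certificate bytes are constructed placeholders, not real certificates or fingerprints.

```python
"""Audit the Windows ROOT store against a fingerprint baseline.

Added example. ssl.enum_certificates("ROOT") yields (der_bytes, encoding, trust)
where trust is True (all purposes) or a set of EKU OIDs; the allowlist and the
demo certificates below are constructed placeholders.
"""
import hashlib
import ssl
from typing import Dict, Iterable, List, Set, Tuple

CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
CertEntry = Tuple[bytes, str, object]

# Placeholder baseline: fill from a trusted machine, e.g. the output of
# audit_roots() run there with an empty allowlist.
ALLOWLIST_SHA256: Set[str] = set()


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual identifier for a root certificate."""
    return hashlib.sha256(der).hexdigest()


def trusted_for_code_signing(trust: object) -> bool:
    """True when the store marks the root as valid for code signing."""
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and CODE_SIGNING_OID in trust


def audit_roots(certs: Iterable[CertEntry], allowlist: Set[str]) -> List[Dict[str, object]]:
    """Return every X.509 root whose fingerprint is not in the baseline."""
    unexpected: List[Dict[str, object]] = []
    for der, encoding, trust in certs:
        if encoding != "x509_asn":       # skip PKCS#7 blobs
            continue
        fp = fingerprint(der)
        if fp in allowlist:
            continue
        unexpected.append({
            "sha256": fp,
            "code_signing": trusted_for_code_signing(trust),
            "size": len(der),
        })
    return unexpected


def windows_root_store() -> List[CertEntry]:
    """Enumerate the machine ROOT store; only available on Windows builds of Python."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    return list(ssl.enum_certificates("ROOT"))


# Constructed demo entries (not real certificates): one baseline root trusted
# for everything, one unknown root trusted for code signing.
KNOWN_ROOT = b"constructed-known-root-der"
UNKNOWN_ROOT = b"constructed-unknown-root-der"
DEMO_STORE: List[CertEntry] = [
    (KNOWN_ROOT, "x509_asn", True),
    (UNKNOWN_ROOT, "x509_asn", {CODE_SIGNING_OID, "1.3.6.1.5.5.7.3.1"}),
    (b"not-a-cert", "pkcs_7_asn", True),
]
DEMO_ALLOWLIST = {fingerprint(KNOWN_ROOT)}

if __name__ == "__main__":
    try:
        store = windows_root_store()
        allow = ALLOWLIST_SHA256
    except RuntimeError:
        store, allow = DEMO_STORE, DEMO_ALLOWLIST
    for entry in audit_roots(store, allow):
        print(entry)
```

On Windows the script audits the live store; elsewhere it falls back to the constructed demo store, which is enough to see that the unknown root is reported with `code_signing` set.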