Slashdot Mirror


Is Algeria Deleting Facebook Accounts?

belmolis writes "Algeria is reported to be shutting down ISPs and deleting Facebook accounts in an effort to prevent anti-government protests from escalating as they did in Egypt. Is it likely that they are deleting FB accounts? Unless Facebook is cooperating, this would either require hacking FB to obtain administrator privileges or cracking the password of each account they wish to delete."

27 of 217 comments

  1. Unencrypted cookie auths by jroysdon · · Score: 4, Interesting

    The problem is that you may send your username and password over HTTPS, each page after that you send your auth cookie over plain ol' unencrypted HTTP. Someone is capturing those auth cookies and using them to send delete commands to Facebook (no doubt after capturing all of the info and friends).

    Use HTTPS Everywhere and force all your traffic that can be to be using HTTPS.

    1. Re:Unencrypted cookie auths by icebike · · Score: 3, Insightful

      That cookie is renegotiated after each https login, and it is specific to one session. You can't clone it from another station.
      Even if you do manage to intercept it, Man in The Middle attacks are notoriously hard to execute, (you have to actually BE in the middle) especially for a bunch of thugs in jack boots.

      Still, you can just look at press photos to see that the Algerian uprising will fail.
      In a Muslim country, you can simply count the number of women in the photos. If it's not at least 10 percent, the police will use all force necessary, and will ultimately crush the protest.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Unencrypted cookie auths by Anonymous Coward · · Score: 4, Informative

      That cookie is renegotiated after each https login, and it is specific to one session. You can't clone it from another station.
      Even if you do manage to intercept it, Man in The Middle attacks are notoriously hard to execute

      Quick, someone tell these guys that hijacking FB sessions should be difficult.

    3. Re:Unencrypted cookie auths by Frosty Piss · · Score: 4, Insightful

      The problem is that you may send your username and password over HTTPS, each page after that you send your auth cookie over plain ol' unencrypted HTTP

      No.

      This is *NOT* the problem at all.

      The problem is that ridiculously entrenched tin-pot dictators continue to believe that they can control the populace like they did in the pre-Internet days when all you had to do was shut down a few newspapers and "disappear" their enemies.

      Sure, there's obviously a technical process going on, but the root of the problem has nothing at all to do with computers or networks, it has to do with a fundamental change in the dynamics of how populations are controlled by despots.

      --
      If you want news from today, you have to come back tomorrow.
    4. Re:Unencrypted cookie auths by icebike · · Score: 2

      Let's see -- you are in the government, facebook is outside your country, and it's _hard_ to ensure that all facebook connections get routed through your MitM box?

      Well in some governments, that would be far more likely than anyone using firesheep. But other posters insist that you are still asked for your password over a SSL connection when deleting accounts.

      I don't know about Algeria's internet structure, but something like this would be pretty hard to set up quickly if there were more than a few backbones. The traffic load would be enormous, you would have to filter every FB access and selectively delete the accounts, AFTER successfully pulling off your MitM.

      I seriously doubt there is enough in-country expertise to do this on any grand scale. (I don't discount that France might be helping them).

      In short, I suspect it's far more likely they are simply blocking specific people, or routing certain internal IPs to a honeypot and some users are too dim-witted to determine the difference, and obligingly key in their passwords.

      I also don't discount the whole story is apocryphal.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:Unencrypted cookie auths by SlappyBastard · · Score: 3, Insightful

      Somehow I suspect that controlling the ISPs makes a man in the middle exploit a tiny bit easier.

      --
      I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
    6. Re:Unencrypted cookie auths by mr100percent · · Score: 4, Interesting

      People over and over again seem to fall for this mistake. Saudi Arabia is the only country that requires women to be escorted with a "mahram." No other Muslim country makes this claim that it's a requirement, and Muslims worldwide have condemned Saudi Arabia for being too chauvinist. Muslim scholars and shaykhs far and wide have said that Saudi is taking things way too far and that the Quran doesn't call for such things (and it doesn't if you read the text). The Muslim world at large has no desire to oppress women the way Saudi does; more women than men work in Morocco, for example, and Pakistan and Bangladesh had women Prime Ministers, and even Iran has more women in parliament than the US does in Congress.

      If the protestors in Egypt were 100% Muslim only (and they weren't given that Egypt is 10-20% Christian), you'd still see women in the streets walking around uncovered. Cairo is the Hollywood of the middle east, home to a large music and film industry and even scantily dressed women.

    7. Re:Unencrypted cookie auths by mr100percent · · Score: 3, Informative

      Muslims inside Egypt and out condemned that attack. Fortunately, such attacks are few and far between. Look at the aftermath, when terrorists attacked a church around Christmas, thousands of Muslim Egyptians attended church services in Egyptian churches, in order to serve as human shields in case of another attack. They held candlelight vigils outside and put crosses on their facebook pages as well.

      Let's look to the last 2 weeks. A photo has been spreading all over Twitter of Egyptian Christians making a human chain to protect Muslims from police attack as they were praying in Tahrir square on Friday. On Sunday, Egyptian Muslims returned the favor, protecting them while they had prayer services. This is a great moment for Muslim-Christian unity in Egypt.

    8. Re:Unencrypted cookie auths by GuruBuckaroo · · Score: 4, Informative

      This entire thread, with one notable exception, is entirely, horribly uninformed. As the only other worthwhile poster points out, the Firesheep plugin proves that once you have the FB cookie (which can be sniffed via MITM attack or over Wifi), you can hop onto a Facebook session from any computer. Maybe not a shortcoming with the idea of login cookies, but certainly a shortcoming in Facebook's handling of them. Second, about two weeks ago FB started officially supporting an HTTPS-Always preference. There's a checkbox in Account, under Security, that forces all connections (and I do mean all, even connections to other subdomains) to use SSL. No plugin needed. As much as I enjoy Facebook, and correctly monitor both security settings AND what data I allow it to access, I'm really happy that Firesheep showed how piss-poor their security was. It gave the final push to my campaign to secure the "public" wifi hotspots our company offers to its guests.

      --
      Poor means hoping the toothache goes away.
    9. Re:Unencrypted cookie auths by Brian Blessed · · Score: 2

      The problem is that ridiculously entrenched tin-pot dictators continue to believe that they can control the populace like they did in the pre-Internet days when all you had to do was shut down a few newspapers and "disappear" their enemies.

      Enemies like Julian Assange? Despite not yet managing to disappear him, the US has had some success in controlling the bulk of the population to view him as an evil figure.

      - Brian.

  2. Users by Anonymous Coward · · Score: 5, Funny

    It would also require that 'users' have delete privileges regarding their own account.

  3. Algeria Internet NOT shut down (yet) by mbone · · Score: 3, Interesting

    The consensus in the networking community is that the Internet to / from Algeria has not been shut down. See the Renesys blog for more details.

    The situation with regards to social media is more uncertain, with reports of both blockage and routine service.

  4. Impossible? by Shuntros · · Score: 3, Informative

    I thought it was impossible to actually delete a Facebook account? Sure, you can deactivate it, but not delete as far as I can remember.

  5. No password encryption by neo00 · · Score: 2

    Last time I checked, by default login credentials are sent without encryption over http. Stealing the password is very easy in this case. Everyone should make sure to use https instead. There's an option in the user account to enable https all the time.

    1. Re:No password encryption by emt377 · · Score: 5, Interesting

      HTTPS doesn't do much good if the country in question implements transparent proxies at the borders of their national network infrastructure that decrypt SSL traffic, inspect the contents, then re-encrypt it with an SSL certificate issued by one of the authorities registered for that country (which is certainly within the realm of possibility for most governments). Have you ever looked at (let alone modified) the list of SSL authorities that your web browser trusts by default?

      When I was in Vietnam recently, which blocks Facebook, they operated by intercepting DNS. They'd either make lookups fail or make them resolve to their own proxy. Before we realized this my wife uploaded a bunch of photos which then mysteriously disappeared overnight. We got around this by me firing up squid on my linode and using this as our web proxy, by IP address. (Authenticated obviously.) This way names are resolved in the good ole USA, geolocation says we're there (so get stuff in English), etc - AND the local government doesn't get to stick its grimy paws in my DNS lookups. To stop us they'd have to identify me personally, and spend resources on a single individual - and given we were foreign tourists they probably couldn't care less. After all, we'd leave in a few weeks and then we'd still post and say all the same things regardless. If we were locals we'd probably get on a watch list... They DID spend extra time on my exit processing at the airport, where the official wandered off with my passport and was gone 5-10 min.

  6. A third option... by Dhalka226 · · Score: 2

    Facebook must be cooperating or they're hacking each individual account? I think you're missing a third option.

  7. If it's even slightly true, Algeria is "next". by Anonymous Coward · · Score: 2, Interesting

    Dunno anything about facebook - who really gives a shit anyway, right? - but if Algeria really is trying to mess with its people's Internet activities, it all but guarantees they are the next regime to face the revolutionary wrath. So to speak.

    It's the Streisand Effect to the nth degree.

  8. Re:Sounds like a great way to... by fuzzyfuzzyfungus · · Score: 2

    I can only assume that the Algerian government is minimally concerned with the fact that Facebook can restore profiles from the bowels of their titanic data mines and maximally concerned with disrupting efficient organization among dissidents and potential dissidents.

    The jackboots start at a numerical disadvantage; but they start organized and comparatively well equipped. The dissidents enjoy potential numerical superiority and a PR advantage; but they start poorly organized and only partially mobilized.

    If communication is functioning at or above a certain level of efficiency (and people are, in fact, just that pissed off) the dissidents will make up the lost ground in organization and mobilization and move a serious volume of newsworthy photos and such. If, however, communication is disrupted beyond a certain point, odds are that the jackboots will be able to contain the ill-organized initial activity, "disappear" a few of the key figures as the situation permits, and retard the recruitment of potential dissidents into an active revolt.

  9. Probably "brute forcing" the facebook accounts by DustoneGT · · Score: 2

    Algerian .gov is probably just hitting them with wrenches until they give up the passwords.

    1. Re:Probably "brute forcing" the facebook accounts by jmcvetta · · Score: 2

      God I'm sick of that cartoon.

      Yes, it's fucking obvious that a government can send thugs to beat the crap out of a person until he divulges a password. However, this is expensive (wrench wielding henchman isn't exactly a career that makes mama proud, so you need to pay them a lot); intrusive (you need to bust into someone's house to do it, and you might just get shot in the process); and likely to provoke violent backlash from the beaten person's family & friends. Probably works great under normal conditions, when there are just a handful of activists to crush. In revolutionary times there are tens of thousands of dissidents active at the same time, and government simply doesn't have enough thugs to go wrench them all.

  10. More likely explanation by M. Baranczak · · Score: 3, Insightful

    Some of FB's servers went down. Some paranoid Algerian guy, who may or may not have good reason to be paranoid, noticed this, and assumed that it was targeted at him personally. And a rumor got started.

  11. Re:Not deleting accounts, but hijacking groups by belmolis · · Score: 2

    What's the evidence for this?

  12. Re:Elections by fuzzyfuzzyfungus · · Score: 4, Interesting

    They do have elections, though I'm not sure how high-quality they are thought to be. The fact that said democracy has been continually operating under emergency powers since the end of the Algerian Civil War probably doesn't make people entirely cheerful.

    Ultimately, though, I suspect that they are hitting the same demographic/economic crunch that has caused trouble for other states recently: Fairly high unemployment (particularly among the large portion of the population that is fairly young), rising costs of staple commodities, and the perception (generally accurate) that the state is corrupt and exploitative in favor of some well-connected elite. Even in well-functioning democracies, that demographic circumstance will produce substantial volatility. If the state is having any legitimacy issues: boom. (On the other side of the coin, as our dear friend Putin can attest, if you preside over a period of improved wellbeing for the population, people will eagerly forgive egregious corruption and repression...)

  13. Well by jav1231 · · Score: 2

    Anyone who would set up that hideous new photo viewer is capable of most any evil.

  14. An unsubstantiated claim? by benfell · · Score: 2

    I notice that the story linked above doesn't substantiate the claim. The only reference appears in a teaser (above the byline) which I'm guessing might have been written by an editor rather than by the reporter. It's a helluva rumor to start--I've been seeing it all over the place all day.

  15. Dumbasses by bedouin · · Score: 3, Insightful

    When they shut the Internet off here in Egypt it only made people more pissed. Nothing to do inside then you go outside and join everyone else. If you work from home then you're even more pissed off.

  16. Re:why give the benefit of the doubt? by coolmadsi · · Score: 2

    I thought when they noticed the Tunisian government were doing bad things with their website they pushed HTTPS on all Tunisian users, which would have slightly hampered the government's attempt to control communications.