Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Algeria Deleting Facebook Accounts?

Posted by timothy on from the yo-mark-got-a-minute? dept.

belmolis writes "Algeria is reported to be shutting down ISPs and deleting Facebook accounts in an effort to prevent anti-government protests from escalating as they did in Egypt. Is it likely that they are deleting FB accounts? Unless Facebook is cooperating, this would either require hacking FB to obtain administrator privileges or cracking the password of each account they wish to delete."

8 of 217 comments (clear)

  1. Unencrypted cookie auths by jroysdon · · Score: 4, Interesting

    The problem is that you may send your username and password over HTTPS, each page after that you send your auth cookie over plain ol' unencrypted HTTP. Someone is capturing those auth cookies and using them to send delete commands to Facebook (no doubt after capturing all of the info and friends).

    Use HTTPS Everywhere and force all your traffic that can be to be using HTTPS.

    1. Re:Unencrypted cookie auths by Anonymous Coward · · Score: 4, Informative

      That cookie is renegotiated after each https login, and it is specific to one session. You can't clone it from another station.
      Even if you do manage to intercept it, Man in The Middle attacks are notoriously hard to execute

      Quick, someone tell these guys that hijacking FB sessions should be difficult.

    2. Re:Unencrypted cookie auths by Frosty+Piss · · Score: 4, Insightful

      The problem is that you may send your username and password over HTTPS, each page after that you send your auth cookie over plain ol' unencrypted HTTP

      No.

      This is *NOT* the problem at all.

      The problem is that ridiculously entrenched tin-pot dictators continue to believe that they can control to populous like they did in the pre-Internet days when all you had to do was shut down a few newspapers and "disappear" their enemies.

      Sure, there's obviously a technical process going on, but the root of the problem has nothing at all to do with computers or networks, it has to do with a fundamental change in the dynamics of how populations are controlled by despots.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Unencrypted cookie auths by mr100percent · · Score: 4, Interesting

      People over and over again seem to fall for this mistake. Saudi Arabia is the only country that requires women to be escorted with a "mahram." No other Muslim country makes this claim that it's a requirement, and Muslims worldwide have condemned Saudi Arabia for being too chauvinist. Muslim scholars and shaykhs far and wide have said that Saudi is taking things way too far and that the Quran doesn't call for such things (and it doesn't if you read the text). The Muslim world at large has no desire to oppress women the way Saudi does; more women than men work in Morocco, for example, and Pakistan and Bangladesh had women Prime Ministers, and even Iran has more women in parliament than the US does in Congress.

      If the protestors in Egypt were 100% Muslim only (and they weren't given than Egypt is 10-20% Christian), you'd still see women in the streets walking around uncovered. Cairo is the Hollywood of the middle east, home to a large music and film industry and even scantily dressed women.

    4. Re:Unencrypted cookie auths by GuruBuckaroo · · Score: 4, Informative

      This entire thread, with one notable exception, is entirely, horribly uninformed. As the only other worthwhile poster points out, the Firesheep plugin proves that once you have the FB cookie (which can be sniffed via MITM attack or over Wifi), you can hop onto a Facebook session from any computer. Maybe not a shortcoming with the idea of login cookies, but certainly a shortcoming in Facebook's handling of them. Second, about two weeks ago FB started officially supporting an HTTPS-Always preference. There's a checkbox in Account, under Security, that forces all connections (and I do mean all, even connections to other subdomains) to use SSL. No plugin needed. As much as I enjoy Facebook, and correctly monitor both security settings AND what data I allow it to access, I'm really happy that Firesheep showed how piss-poor their security was. It gave the final push to my campaign to secure the "public" wifi hotspots our company offers to it's guests.

      --
      Poor means hoping the toothache goes away.
  2. Users by Anonymous Coward · · Score: 5, Funny

    It would also require that 'users' have delete priviliges regarding their own account.

  3. Re:Elections by fuzzyfuzzyfungus · · Score: 4, Interesting

    They do have elections, though I'm not sure how hiqh-quality they are thought to be. The fact that said democracy has been continually operating under emergency powers since the end of the Algerian Civil War probably doesn't make people entirely cheerful.

    Ultimately, though, I suspect that they are hitting the same demographic/economic crunch that has caused trouble for other states recently: Fairly high unemployment(particularly among the large portion of the population that is fairly young), rising costs of staple commodities, and the perception(generally accurate) that the state is corrupt and exploitative in favor of some well-connected elite. Even in well-functioning democracies, that demographic circumstance will produce substantial volatility. If the state is having any legitimacy issues: boom. (On the other side of the coin, as our dear friend Putin can attest, if you preside over a period of improved wellbeing for the population, people will eagerly forgive egregious corruption and repression...)

  4. Re:No password encryption by emt377 · · Score: 5, Interesting

    HTTPS doesn't do much good if the country in question implements transparent proxies at the borders of their national network infrastructure that decrypt SSL traffic, inspect the contents, then re-encrypt it with an SSL certificate issued by one of the authorities registered for that country (which is certainly within the realm of possibility for most governments). Have you ever looked at (let alone modified) the list of SSL authorities that your web browser trusts by default?

    When I was in Vietnam recently, which blocks Facebook, they operated by intercepting DNS. They'd either make lookups fail or make them resolve to their own proxy. Before we realized this my wife uploaded a bunch of photos which then mysteriously disappeared overnight. We got around this by me firing up squid on my linode and using this as our web proxy, by IP address. (Authenticated obviously.) This way names are resolved in the good ole USA, geolocation says we're there (so get stuff in English), etc - AND the local government doesn't get to stick its grimy paws in my DNS lookups. To stops us they'd have to identify me personally, and spend resources on a single individual - and given we were foreign tourists they probably couldn't care less. After all, we'd leave in a few weeks and then we'd still post and say all the same things regardless. If we were locals we'd probably get on a watch list... They DID spend extra time on my exit processing at the airport, where the official wandered off with my passport and was gone 5-10 min.