Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Employees' Laptops Compromised; User Data Believed Safe

Posted by timothy on from the safely-exploited-by-facebook dept.

Trailrunner7 writes "Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies. Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employee's machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software's sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1."

75 comments

  1. thats what happens when by Anonymous Coward · · Score: 2, Insightful

    you use windows as your dev environment

    1. Re:thats what happens when by Anonymous Coward · · Score: 0, Flamebait

      thats what you use windows as your dev environment

      why was this modded down? looks like the m$ faggots are around today

    2. Re:thats what happens when by Anonymous Coward · · Score: 0

      you must be new here..

    3. Re:thats what happens when by Anonymous Coward · · Score: 1

      or perhaps it's because the comment was trolling?

    4. Re:thats what happens when by drankr · · Score: 1, Insightful

      How was it trolling? Why doesn't the article state what OS those laptops were running? Hmm? Because it's the most insecure OS known to mankind, Windows, and it doesn't even have to be said any longer? Or because the writers are pathetically unprofessional and are deliberately withholding the facts here? Either way, I don't know.

    5. Re:thats what happens when by Anonymous Coward · · Score: 0

      The article clearly says that the exploits they were using work against Windows and Mac - together that is, oh I don't know, 98.5% of notebooks out there. So yes, they were using notebooks. The notebooks were vulnerable because they had Java enabled in the browser. Who cares if it was Windows or Mac? We know it wasn't Linux because a) they successfully attacked it and the attack was not crafted for Linux, and b) relatively nobody uses Linux. Duh.

    6. Re:thats what happens when by Anonymous Coward · · Score: 0

      I hate knowingly admitting this therefore I am ACing it.

      They use Macs, this case it would of been a MacBook.

    7. Re: thats what happens when by cyber-vandal · · Score: 3, Informative

      It's "would have" you ignorant moron.

    8. Re: thats what happens when by Anonymous Coward · · Score: 2, Funny

      What's a "beehive asshole"?

    9. Re: thats what happens when by YeeHaW_Jelte · · Score: 0

      English might not be his first language, you don't have to be rude.

      --

      ---
      "The chances of a demonic possession spreading are remote -- relax."
    10. Re: thats what happens when by Anonymous Coward · · Score: 0

      Beehive
      When your doing a girl from the ass, and before you cum you pull out and cum into her hair, and then with your penis you twirl her hair into a sticky hairdo resembling a beehive

      while doing the prostitute in the anus i gave her a good ol' american Beehive!

      Source http://www.urbandictionary.com/define.php?term=beehive

    11. Re: thats what happens when by Anonymous Coward · · Score: 0

      Stop modding grammar nazism up! Yes, the comment is correct, but it is entirely irrelevant.

    12. Re: thats what happens when by cyber-vandal · · Score: 1

      It's a common piece of UK English fuckwittery from semi-literate fuckwits who don't know their own language.

    13. Re: thats what happens when by greenfruitsalad · · Score: 1

      english IS his first language. nobody who learned english as their second language would write "would of". this is similar to "they're, their, there" type of mistake. only native speakers have a problem with this.
      first time i came across "would of", i had to look it up on google.

  2. It's good they'll protect your data from thieves.. by Anonymous Coward · · Score: 4, Insightful

    but who's gonna protect people's data from Facebook itself?

  3. Safe? by DoofusOfDeath · · Score: 5, Insightful

    Given Facebook's MO, users should assume that anything Facebook, Inc. had access to is already in the hands of people you can't trust.

    Them being hacked is pretty irrelevant.

    1. Re:Safe? by elucido · · Score: 1

      Are you accusing Mark Zuckerberg of being a hacker?

    2. Re:Safe? by KiloByte · · Score: 5, Funny

      Are you accusing Mark Zuckerberg of being a hacker?

      No, most hackers can be expected to have some basic integrity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Safe? by bjwest · · Score: 1

      Please tell me where in that statement you got the idea he was implying Zuckerberg is a hacker. Even using the popular, but incorrect, definition of hacker does not apply here as Mark Zuckerberg owns Facebook and I'm sure he has no need to "hack" into the system to get at any information he wants.

      --

      --- Keep the choice with the user..
    4. Re:Safe? by oztiks · · Score: 1

      What's more disconcerting is the incident being made public now. Why a month after the incident occurring? Are they afraid of an Anonymous Hacktivism style attack? are they trying to spare embarrassment of critical systems that may of been impacted?

      They did speak of source code snippets and internal emails being on these particular laptops, TBH, that's worse than what Sally did on the weekend IMHO.

      And the blame China point, another case of "here we go again", what is inferred by bringing this up?

    5. Re:Safe? by oztiks · · Score: 1

      Hacker Way, Hacker-Freakin-Way ...

      He just made real hackers around the world cringe after he did that.

    6. Re:Safe? by History's+Coming+To · · Score: 1

      "Owns" != "Has a right to the data". If the CEO of a major bank wanted to see every purchase his ex-wife makes he can't just call the data up, any sensible company will have need-to-know policies in place to prevent abuse and afford some deniability, regardless of how high up the request comes from. I don't doubt a bank CEO could get access to his ex-wife's data, but I'd be very surprised if any company would admit that policy is simply to hand over any data to the bloke in charge without any control or oversight.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    7. Re:Safe? by Runaway1956 · · Score: 2

      Zuckerberg has successfully social-engineered about half the people in the US. Social engineering is a hacker skill, isn't it? People fall all over themselves to provide Zuck with their personal details.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    8. Re:Safe? by bjwest · · Score: 1

      "Not having a right to the data but still having access to it" != "hacking" anymore than considering a janitor of a building a lockpicker if he has a master key and goes into a room he's been told to stay out of. It may get him in trouble, but he did not break into the room.

      --

      --- Keep the choice with the user..
    9. Re:Safe? by bjwest · · Score: 1

      Interesting way to look at it and something I didn't consider. However, even though that would apply to the overall picture of FaceBook, going back to the OC, it doesn't apply to my original question.

      --

      --- Keep the choice with the user..
    10. Re:Safe? by History's+Coming+To · · Score: 1

      Yeah, it all comes down to your definition of hacking, which as you point out, isn't well defined.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    11. Re:Safe? by tlhIngan · · Score: 1

      Well, if you meant to keep it private, why did you post it online for the world to see?

      Oh, right, so-called "privacy" controls. Which are a brilliant social engineering hack meant to extract more information from users who wouldn't otherwise readily give it up. Unless you can control all your friends, anything they can see, the world can see. All it takes is someone to re-post it, or mention it or something and the beans are spilled.

      Truth is, anything you post online is public. As someone's very famous sister found out when one of her "friends" re-posted a family photo and put it up on Twitter as well.

      Sorry, the old adage is still true - don't put online stuff that you want to remain private. And stuff that ends up on the internet, stays on the internet.

  4. Wait, this increased security? by squiggleslash · · Score: 2

    Facebook's users finally have privacy because someone got in and hacked into Facebook's laptops? What did they do, disable the graph API?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:Wait, this increased security? by oztiks · · Score: 2

      The word on the street is that they tied FB profile authentication in with their lobby entrance security systems, so unless you have a FB profile you can't enter the building.

    2. Re:Wait, this increased security? by History's+Coming+To · · Score: 1

      True or a snarky comment about the ubiquity of "login with facebook"? I honestly can't tell any more.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  5. No user data was compromised by 2phar · · Score: 5, Funny

    Well, that's good to know. I'd hate to think of all those sensitive personal data falling into the hands of some evil corporation that would exploit it to make money with no concern for the privacy of the people involved.

    1. Re:No user data was compromised by Barsteward · · Score: 1

      I want to know how they can say for sure that none of the data was lifted of the computers

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    2. Re:No user data was compromised by Anonymous Coward · · Score: 0

      Probably the laptop's user data, not facebook user data, I find it hard to believe they'd carry that in a laptop.

      Hmm, actually, thinking about it, they might be stupid enough to do it. After all, a company that makes the it's money entirely on the internet and has such weak training for their staff, wouldn't be a stretch.

    3. Re:No user data was compromised by Anonymous Coward · · Score: 0

      They stripped the systems of any copy instruction. Only moves are allowed.

    4. Re:No user data was compromised by Nidi62 · · Score: 1

      The data might be safer with hackers than it is with the corporations Facebook sells it to

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re:No user data was compromised by Anonymous Coward · · Score: 0

      Hopefully, either because (1) there was no user data ON the computers in the first place, or (2) what data was there was encrypted.

      TFA leaves both of these possibilities open.

    6. Re:No user data was compromised by History's+Coming+To · · Score: 1

      Or, if they've got any sense, they use dummy data for dev work like everybody else in the world.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  6. User data should never be decrypted. by elucido · · Score: 2, Interesting

    I don't see why it would be so difficult to keep user data safe. Keep it encrypted, use a VPN, stream the data to memory but never store any of it unencrypted.

    1. Re:User data should never be decrypted. by Anonymous Coward · · Score: 0

      You do not see why it would be so difficult... No offense, but people who think like you are usually part of the problem, not the solution.

    2. Re:User data should never be decrypted. by Anonymous Coward · · Score: 0

      Bull Shit!

      I get that it's hard, but it isn't impossible. And most importantly, people who think like you are the problem (not part, the whole thing). Given the number of hacks, vulnerabilities, social engineering, and just plan EVIL in recent computer company history, it should be a company's number one responsibility to keep user data safe. Through whatever means available.

      1) Client data should never be on employee computers
      2) Client data should never be accessible by employee computers
      2a) If this is not possible, it should be never allowed on computers that the employee has any real control over. Put it on a machine that the employee has access to, but make it difficult

    3. Re:User data should never be decrypted. by Anonymous Coward · · Score: 0

      I don't see why it would be so difficult to keep user data safe. Keep it encrypted, use a VPN, stream the data to memory but never store any of it unencrypted.

      If you sit down and list the facebook use cases (including who needs access to, say, your photos), you'll quickly realize why what you said won't work.

    4. Re:User data should never be decrypted. by History's+Coming+To · · Score: 1

      Exposing user data is what Facebook's business is, just in a controlled manner depending on how much info or money you give them. Clients (eg advertisers), well that's a different matter, but this was user data, not client data.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    5. Re:User data should never be decrypted. by phantomfive · · Score: 1

      Is there any company in the world that encrypts more than password/CC numbers? I don't think many companies do that....

      --
      "First they came for the slanderers and i said nothing."
    6. Re:User data should never be decrypted. by Anonymous Coward · · Score: 0

      Look, I get your philosophical premise, but let's be a little serious here....

      Where do you recommend the key be stored? How much extra CPU time is this worth? Every single system will need the key in memory, and it'll have to be the same key.

      Now let's get really pragmatic. This is going into document databases.

      Things need keys (not crypto) for the docs. If the whole database is encrypted, building indexes gets /weird/ -- they're guaranteed to be well distributed, but sharding gets funky really fast. There are ways to rectify that, but it's really not even worth the time it takes to discuss them.

      Then we've got the fact that people need to query, run fast string operations in-database, andt the fact that you know... the application servers need the raw data to actually fucking... compute on. (Computation, you do do that motherfucker, right?)

      "Should never be decrypted" Why don't we just throw it out then, since we never do anything with it. Laugh.

      I don't know why you got any interesting/insightful moderation -- your proposal at a literal level is useless.

      The query interface, ORM, app server, reporting systems all need decrypted data. Or do you think the webpage shouldn't be able to retrieve your name and friends?

      No matter how encrypted your database is, retrieval of decrypted info still comes down to 'select * from users;"

      Yes, there's...ways to improve on this, partial tables, encrypted tables with some info, nega-databases, and homomorphic encrypted operations. I'm sure every single one of your developers has a PhD and is intimately familiar with zero knowledge proofs and protocols? No...? Well then, shaddup. No, you can't even train them or give them the papers to read -- they'll implement it wrong.

      But the bottom line is most encryption only protects data at rest. Stone cold rest in a drive that's powered off. Anything else -- we can get to. I don't mean hackers. I mean remotely competent sysadmins, devs, devops -- even management with a properly written disaster recovery document.

      You're probably the same type of person that told me my application, its data, and its caches had to be encrypted so that I as the developer and sysadmin couldn't get to the ever so precious customer data.

      Yeah, I could encrypt it, I could make it harder, I could make it more secure (and when presented with a quote to do exactly that people bawked, bitched, moaned, and said no). But you really can't secure your data against the sysadmin and developer. You can audit their access of it. But if they want it, or somebody impersonating them wants it -- and if the have any capability to impersonate a client or set a debug flag on production ... they can get it.

      You don't see why it should be so difficult...

      Do you see anything about development? Have you ever written a program? Hell, have you ever used a freaking program in a client-server relationship -- and if so, has it ocurred to you that you could replace the program with another one?

    7. Re:User data should never be decrypted. by elucido · · Score: 1

      Yes, there's...ways to improve on this, partial tables, encrypted tables with some info, nega-databases, and homomorphic encrypted operations. I'm sure every single one of your developers has a PhD and is intimately familiar with zero knowledge proofs and protocols? No...? Well then, shaddup. No, you can't even train them or give them the papers to read -- they'll implement it wrong.

      But that is the direction we should be going. If it's implemented wrong then the buggy code will be fixed and eventually it will be implemented right. It should be done and the only excuse you have not to do it is that it would cost too much in CPU resources or be too hard. What is more important than user data? The user is most important and the user data is sacred. That has to be protected and it's Facebook with their goddamn lax policies that help destroy the foundation of the internet itself.

      But the bottom line is most encryption only protects data at rest. Stone cold rest in a drive that's powered off. Anything else -- we can get to. I don't mean hackers. I mean remotely competent sysadmins, devs, devops -- even management with a properly written disaster recovery document.

      Encryption protects data in transmission over the internet all the time. When you transmit your credit card information it's encrypted via https/ssl. Asymmetric encryption also protects data fairly well. Fully homomorphic encryption is new but a company like Facebook has enough resources to start work on a practical implementation. The problem right now is it's incredibly slow and not very optimized but that could change.

      Your argument is that you can't train people to understand certain things or that there aren't programmers who can implement it? That is complete and utter bs. Facebook has the money and can hire whoever they want to hire and if you pay someone 100k a year to study and program it then I'm certain they could. It's complicated but it's not so complicated that you couldn't study it and be trained. So I say why not study it? Oh yeah, because Facebook doesn't seem to care about privacy, about user data security, about encryption, when they released they weren't even using https!

      Btw yes I have written programs and I know about the client server relationship. I also know enough about encryption to know that you actually CAN secure a laptop. If the data is stored elsewhere such as in the cloud and connected to via VPN and that connection is closed off and encrypted, that would be a start, but the best solution is not to give employees access to user data from their laptop. Go to the office where we can monitor every employee on every computer and where we can at least filter stuff like Java and other malware so it does not contaminate the environment. Letting anyone connect their laptop to the network then take it home and then on top of that allowing Java to run on it ? Just plain stupid. They should have removed Java and everything not absolutely required for the task.

    8. Re:User data should never be decrypted. by Anonymous Coward · · Score: 0

      I think you missed a lot here...

      The user is most important and sacred. Unfortunately, you as an individual logging into facebook are *a* user, but not *the* user... you're the marketed demographic sold to advertisers.

      So yeah... you're right, facebook doesn't care about your privacy. And they shouldn't.

      That it costs too much CPU is less relevant -- I have built in crypto in every processor I've purchased in the past five years. However, most software engineers aren't competent enough to use it correctly.

      As for encryption protecting data in transmission all the time. You're...basically only barely techincally correct. Asymetric encryption is slow, but that's irrelevant -- first, there's been huge speed boosts with ECC, secondly that's what TLS and secret key exchange is for...

      HTTPS/SSL has been dead as far as I've been profesionally concerned since 2001. If you believe otherwise, it's really just... further proof that the average or better than average programmer shouldn't be touching crypto, especially given that you are clearly at least literate in the field.

      There's been COTS products for even private industry to break it since at least 2005. I even bought one once. You call it protected -- and yeah, you're vacuously correct, it's encrypted and meets all of the definitions and standards that were appropriate, providing semantic security within a non-neligible margin of the keyspace (ignoring things like BEAST entirely for now). Unfortunately, the standards don't actually protect against /anything/ but a naive man-in-the-middle and brute force. They don't even provide a chain of trust through the CA. Calling HTTPS "protected" is borderline negligence.

      You know enough about encryption to know that you can secure a laptop? Really? Every definition of security that I've ever considered applicable, security means the absence of risk. Which means all you can do is mitigate risk to a laptop. Risk of what? Maybe you've got a military background where "secure" means "threat mitigation" -- I don't want to quibble that point. But you can't eliminate all threats to a laptop.

      Stop. No, you can't. If you think you can't, you don't know enough.

      If you think you can do it with cloud hosting, remote encryption, VPN clients and anti virus -- you don't know enough.

      If you think you can do it by locking down the admin account, you don't know enough.

      If you think you can do it with three bios passwords, DRM, secure boot over UEFI -- you still don't understand enough. They've already been defeated. All of them.

      Yeah, I'm serious.

      This is facebook. These people are fucking software developers. Very skilled ones. Nevermind all the corp best practice in the world -- a few of them actually need a debugger and the ability to run mv eax, ebx -- there you go -- DRM circumvented.

      You want to 'filter' and monitor Java? Good fucking luck with the 64 odd exploits released in the past week. You're gonna have to ban all of it. And flash, pdf, word, html, most mime encodings. Should I keep going? I've seen attacks directed against actual IPS and log analysis sytems....

      You want to run and IDS/IPS? OK -- here's your two choices:

      1) SSL goes through it, I can bypass it by delivering over SSL
      2) You inspect SSL -- thus decrypting the data. Congrats, your IPS is now a very valuable target.

      My argument isn't remotely BS. There's probably a dozen programmers in the world good enough to do crypto totally correctly. Facebook could hire them. Facebook could train them -- and guess what, it /still wouldn't matter/ Because some fuckup developer somewhere would use it wrongly and weaken the entire platform.

      You want to assert there's 50, 100, 1000....? Fine. This is security -- it takes one damned hole.

      You want to dream of their nega-database with homomorphic encrypted operations? Of some brilliant utopian star trek future with near ubiquitous computing, proper interfa

  7. LIKE! by Anonymous Coward · · Score: 0

    I bet someone beat my score at Bejeweled Blitz, too!

  8. law enforcement? by Anonymous Coward · · Score: 0

    So people call the police when they get a computer virus now? Losers, get off the internet.

  9. Useless articles by Anonymous Coward · · Score: 4, Insightful

    What's the point of these articles that announce that so and so company's systems have been hacked? They never contain any forensic information about the exploits other than to loosely identify the vulnerable software the bad guys used to get into the system. No identification of the malware installed, no identification of the OS's the laptop were running, no identification of any antivirus products that turned out to be completely useless in stopping the attacks. IOW, no goddamn information that would be useful to anyone who wanted protect themselves from attack, or at least detect whether their system were already compromised.

    The lack of forensic details about the attack provided by Facebook or any of the other companies hit with the java exploit causes great doubt about their claims that no user data was accessed.

    1. Re:Useless articles by Anonymous Coward · · Score: 0

      What's the point of these articles that announce that so and so company's systems have been hacked? They never contain any forensic information about the exploits other than to loosely identify the vulnerable software the bad guys used to get into the system. No identification of the malware installed, no identification of the OS's the laptop were running, no identification of any antivirus products that turned out to be completely useless in stopping the attacks. IOW, no goddamn information that would be useful to anyone who wanted protect themselves from attack, or at least detect whether their system were already compromised.

      The lack of forensic details about the attack provided by Facebook or any of the other companies hit with the java exploit causes great doubt about their claims that no user data was accessed.

      To fuel the public fear and increase the budget for the "cyberwar"....... haha
      It's all fake.

    2. Re:Useless articles by Anonymous Coward · · Score: 0

      Facebook are listed on NASDAQ.

      NASDAQ Listing Rule 5250(b)(1) requires that, except in unusual circumstances, the company shall make prompt disclosure to the public through any Regulation FD-compliant method (or combination of methods) of disclosure of any material information that would reasonably be expected to affect the value of its securities or influence investors' decisions.

  10. Re:No user data was compromised ( of course ) by Anonymous Coward · · Score: 0

    That would be totally unacceptable now would it ? Of course our data is safe of falling into the wrong hands.
    Goes without saying. They would never lie about a major data breach.

    ahhhhhhhhhh .. the smell of fresh bullshit in the morning hmmm mmmm ;)

  11. Re:Safe? Sure ! by Anonymous Coward · · Score: 0

    No just someone that exploits the people's ignorance for his benefit.
    And the greatest spy in modern history. All that data is the hands of the
    American secret services. Thanks to him , the USA is safe. ! .

    .

       

  12. In other news by houghi · · Score: 1

    A man gave way to a car and no accident happened.

    Are we in such a bad shape that NOT compromising personal data has become the news worthy factor?

    --
    Don't fight for your country, if your country does not fight for you.
  13. "zero day" is as bad as l337 speak by Anonymous Coward · · Score: 3, Interesting

    Can we all stop saying zero day? it's just an attempt to sound cool and hackish and it means nothing. it's a vulnerability, and it has an exploit and no patch is available, as opposed to unpatched.

    if they release new software that they brag is secure, and you have an exploit that already compromises a vuln, ok, you have a zero day because that's day one of something. then it makes sense. otherwise, it's false street cred and bravado.

    1. Re:"zero day" is as bad as l337 speak by Anonymous Coward · · Score: 0

      1t's, 0dayz spl0it j00 n3wb!

    2. Re:"zero day" is as bad as l337 speak by Anonymous Coward · · Score: 1

      You might not be old enough, but "zero day" originally meant that software was cracked and distributed via BBS on the same day it was released. That is what zero day meant. Zero-day warez was the status groups like Quartex and Fairlight aspired to achieve.

      THAT is what zero day meant.

    3. Re:"zero day" is as bad as l337 speak by Anonymous Coward · · Score: 0

      That IS old! Now if you can't break the street date, its late.

  14. How about embbeded devices by Anonymous Coward · · Score: 1

    Ok, Java is hosed, most of Adobe is hosed etc...

    But has anybody ever considered the dangers of embedded linux devices in a company? Some of these things are pretty powerful with the right ARM socket, shady firmware and make the perfect backdoor in whatever corporate infrastructure. It's not that everybody is equipped with the latest firewall, the latest IDS or latest Layer 7 proxy or DPI on SSL and even then, DPI on SSL or Layer7 proxies can be performance hogs in a time that end users want to have a webpage loaded in 0.0000001 seconds. /conspiracy-theory: Make some overhyped BIG Ltd with cheap embedded solutions, send demo units to the whole world and your backdoor/botnet is in place. Don't put a real backdoor in it, just make it 'vulnerable' and if someone would find an exploit, patch it, like the good guys, and introduce another one.

  15. Hey Timothy, how does Zuckerberg's cock taste ? by Anonymous Coward · · Score: 0, Insightful

    SMART people don't use Facebook and smart people ARE NOT INTERESTED
    IN FACEBOOK.

    How much does Facebook PAY you sorry dickeating morons to continue
    to post drivel about Facebook every fucking day ?

    Do us all a favor, Timothy, and drink some Drano.

  16. people still run java apps in browsers? by Anonymous Coward · · Score: 0

    Seriously? Why would anyone in this day and age run unknown and untrusted programs from the internet, even in a so-called "sandboxed" environment? It's long past time to disable java, javascript, (and ActiveX back when that was a thing) by default. Not doing this seems to be the cause of a large fraction of all the pwnage that people end up subjected to.

    Have we learned nothing from the last decade?

  17. How's your fancy pants coding parties now? by Anonymous Coward · · Score: 1

    Turns out Facebook employees don't know what the fuck they're doing. Keep drinking the beer, at least that'll give you good memories later in life.

  18. Re:It's good they'll protect your data from thieve by oztiks · · Score: 1

    A photo of the hacker planting the malware can be found here.

  19. Check their closets? by Anonymous Coward · · Score: 0

    Maybe they'll find a Harvard staff sneaking out, covering their face with a bicycle helment? Or would that be a zombie process?

  20. Isn't the bigger news... by amightywind · · Score: 0

    That Facebook paid no taxes in 2012 and will receive a $400 million refund. Hypocritical liberal scum.

    --
    an ill wind that blows no good
  21. oh the irony by milkmage · · Score: 1

    http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/

    "The FBI e-mail, zero-day exploit, and backdoor code, it turns out, were part of an elaborate drill Facebook executives devised to test the company's defenses and incident responders. The goal: to create a realistic security disaster to see how well employees fared at unraveling and repelling it. While the attack was simulated, it contained as many real elements as possible."

  22. Yet another Twitter Sockpuppet. by Anonymous Coward · · Score: 0

    Looking at the UID, almost 3M. Check
    Obsessive hatred and FUD against Microsoft. Check
    All that is missing is M$.

  23. I'm glad that on Facebook... by Anonymous Coward · · Score: 0

    I'm glad that on Facebook, I use a fake name, and only a small group of close friends know about it.

  24. Who cares? by ilsaloving · · Score: 2

    Your data was spread across the 4 winds as soon as you started using Facebook.

    The only "problem" here is that your data has now been around the globe without Facebook getting to monetize the transaction.

  25. "User Data Safe" by Mark+Rawls · · Score: 3, Insightful

    I think that's the first time that the phrases "user data believed safe" and "Facebook" have been uttered in the same sentence.