Slashdot Mirror


'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
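Added example, not part of the TechCrunch report or this thread: a site operator's static inventory of the `<script>` tags on one of its own pages, listing the third-party hosts and the third-party scripts loaded without an `integrity` attribute. The sample markup, the `.example` host names and the function names are constructed for illustration; treating only an exact host match as first-party is an assumption of this example.

```javascript
'use strict';

// Constructed sample page for a hypothetical site, shop.example.
// The integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example/static/login.js"></script>
<script src="//cdn.tracker-one.example/t.js" async></script>
<script src="https://cdn.tracker-one.example/extra.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src='https://tags.vendor-two.example/loader.js'></script>
<script>window.inlineConfig = {debug: false};</script>
</head><body></body></html>`;

// Parse the attribute text of one tag into a map with lowercase keys.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Inventory every <script> opening tag in `html`, resolving each src
// against `pageUrl` so relative and protocol-relative URLs are classified
// correctly. A script counts as first-party only when its host equals the
// page's host exactly; sibling subdomains are reported as third-party so
// that they get reviewed rather than silently trusted.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const report = {
    total: 0,
    inline: 0,
    firstParty: [],
    thirdParty: [],
    thirdPartyHosts: [],
    missingIntegrity: [], // third-party scripts with no integrity attribute
  };

  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    report.total += 1;
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) {
      report.inline += 1;
      continue;
    }
    let url;
    try {
      url = new URL(attrs.src, page);
    } catch {
      continue; // unparseable src: counted in total, not classified
    }
    if (url.host === page.host) {
      report.firstParty.push(url.href);
      continue;
    }
    report.thirdParty.push(url.href);
    if (!attrs.integrity) {
      report.missingIntegrity.push(url.href);
    }
  }

  const hosts = report.thirdParty.map((u) => new URL(u).host);
  report.thirdPartyHosts = [...new Set(hosts)].sort();
  return report;
}

// Stand-alone run: print the inventory for the constructed sample page.
console.log(JSON.stringify(
  auditScripts(SAMPLE_HTML, 'https://shop.example/account'), null, 2));
```

A static scan sees only the tags present in the served HTML; scripts that a loader injects at run time do not appear in it.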

91 comments

  1. Why is this a surprise? by Anonymous Coward · · Score: 0

    Even before the recent Facebook scandals, this should not be a surprise.

    1. Re:Why is this a surprise? by rudy_wayne · · Score: 4, Insightful

      Here is the real problem:

      After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”

      You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????

      What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.

    2. Re:Why is this a surprise? by _Sharp'r_ · · Score: 2

      So, moral of the story is to never sign into Facebook outside of a single sandboxed browser instance which can't reach the rest of your system.

      I know, some people are going to shorten that down just to "never sign into Facebook"...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:Why is this a surprise? by Anonymous Coward · · Score: 2, Informative

      You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????

      What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.

      The Slashdot page you are on right now runs scripts from nine domains totaling several thousand lines of executable code and a couple thousand other lines for formatting and data.

      Dozens of people could make changes to any part of this common framework of frameworks and Slashdot proper wouldn't know any different. It would take weeks to review it all and by the time that was done, something would have changed.

      Welcome to that web 2.0 all the old "luddites" of Slashdot warned about for years.

    4. Re:Why is this a surprise? by Waccoon · · Score: 1

      Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.

      Can we now get web browsers to block all 3rd-party scripts by default? Please?

    5. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      scripts from nine domains

      Not for those of us who run NoScript.

    6. Re:Why is this a surprise? by phantomfive · · Score: 1

      You wouldn't expect it for a database company, but MongoDB source code is surprisingly bad. The whole thing is just hacked together. It's not surprising that they don't know what's on their website.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      The problem with many web sites today is that they are put together by clueless tech noobs who just pile on third party libraries that they don't understand the workings of on top of each other. That's why they can't even display shit like text or images without JavaScript enabled and pages need to load 10MB or more.

      The title "web developer" isn't what it once was.

    8. Re:Why is this a surprise? by pop+ebp · · Score: 1

      Facebook may be evil, but I don't understand why we blame Facebook for this "exploit".

      The user grants Website X permission to use their Facebook data. Website X obtains that data. Website X subsequently runs a malicious script on their own website which harvests that data.

      Wouldn't this be, like, the fault of Website X?

    9. Re:Why is this a surprise? by sudon't · · Score: 1

      Yeah, it's not like embedding 3rd-party advertising script code with FULL ACCESS to the main site's data has been a thing since forever.

      Can we now get web browsers to block all 3rd-party scripts by default? Please?

      Yes we can!

      Well, I can. I’m still, after all these years, a bit shocked that not everyone uses even ad-blockers, let alone script blockers. A browser that automatically blocked all ads, beacons, scripts, etc, etc, would be nice, I suppose, but haven’t we dumbed-down the internet enough already? As it is, we have to put up with two-factor authentication because some people are too fuckin’ lazy to use password managers, and now they want us to hand over our phone numbers, too.

      Personally, I think it’s smarter to be in charge of your own privacy, rather than trust that ten million different web sites will do it for you. I’m certainly not going to trust that these mega-corporations, whose sole business is selling ads, will do it for us. Install ad-blockers, Ghostery, and No Script, get a password manager and start using good, unique, passwords, and don’t use your real name online. Oh, and never use the credentials of one site to log into another. It’s not that hard.

      --
      -- sudon't

      Air-ride Equipped

    10. Re:Why is this a surprise? by Anonymous Coward · · Score: 1

      So, moral of the story is to never sign into Facebook

      You're right, but there's more ... why do we allow third party scripts by default? Oh, wait, because ad companies control the internet and whine if anybody tries to make it safer.

      So, you hit a website, it pulls in javascript from god knows where (including Facebook), it all runs and does stuff you have no idea about, and someone has figured out they can exploit other things because you're now running stuff from multiple parties.

      This is why I whitelist javascript and cookies, block the shit out of third parties I don't need, give up on sites which require third party shit to work.

      The default position of browsers has to change from "hey, join the party, run all the scripts and plugins you want", and move towards "who the fuck are you and why would I let you run code?"

      So, yeah, not only does Facebook track you using this exact same mechanism, but since other sites are stupid enough to allow Facebook to be a login mechanism, and then yet another internet parasite can exploit that.

      This was pretty much inevitable. This is why I don't trust third parties, and don't trust Facebook. Because if you're not blocking this shit, your privacy and security are in the hands of whatever random asshole a site links to so that your machine can run that code and do whatever it wishes.

      This is a case where people like me have been saying for literally years that the trust relationship of the internet is entirely backwards, and the practice of cross linking to a bunch of external sites to drive ad revenue and other pointless shit is making it even worse.

      You have no idea what all those embedded javascript things are doing, you sure as fuck never agreed to it, you definitely have never seen a TOS ... but what you've seen is a site whose TOS says "we're going to let other people do stuff to your computer so we get money".

      Fuck that, it's really time we started treating web sites like we don't trust them by default, and third party shit not at all. Because over and over again we see these third parties being the source of security and privacy issues.

    11. Re: Why is this a surprise? by Anonymous Coward · · Score: 0

      Or Fuck the Zuck!

    12. Re:Why is this a surprise? by kelemvor4 · · Score: 5, Informative

      Here is the real problem:

      After TechCrunch brought the issue to MongoDB’s attention this morning, it investigated and just provided this statement “We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down.”

      You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????

      What the fuck is wrong with you? Are you really that fucking incompetent? Seriously. What the fucking fuck.

      Come on, man. Have you looked at modern websites? They include a shitload of scripts. Slashdot is trying to load 17. Seventeen! Do you really think someone at slashdot went out and read the code behind every one of those scripts in order to understand them? Do you think when a third party script is updated that the original site even is AWARE and looks at the updated code. If you're going to use third party scripts (for example a facebook login) on your website, you've already given up control of your website. At that point you're just playing "trust me" with the owners of those scripts.

      I am not saying it's a good or right situation but almost every website on the internet does things this way.

    13. Re:Why is this a surprise? by kelemvor4 · · Score: 2

      Actually, I misspoke. Slashdot is trying to load 62 scripts from 17 unique domains. My point remains the same, I would bet a shitcoin that slashdot's human overlords are not intimately familiar with every script. It's just dumb luck (and probably a matter of time) that any given website wasn't included in this particular scandal while this madness continues.

    14. Re:Why is this a surprise? by bobby · · Score: 1

      I've been railing against javascript for 20 years.

      But the real problem is not javascript, but rather browsers and OSes that allow javascript access to that data on our computers.

      Yes, we probably need a separate OS container for each website we use if we want some degree of safety.

      But, facebork, et al, have our data (not mine- I don't use them) on their servers, and that data is being traded, sold, and stolen, so no matter how much we protect our own computers, there's nothing we can do about the server end.

      Some day the US congress needs to wake up, do its actual job of representing We The People, and pass extremely strong criminal laws regarding our data privacy. I'd like to see a nationwide referendum.

    15. Re:Why is this a surprise? by bobby · · Score: 1

      Old Luddite here. I told you (everyone) so. Look at my couple of original posts.

      I learned of all of this quite by accident. 20 years ago I discovered Opera browser. In those days I had dial-up connections, and generally don't have the fastest broadband, so I've always cared about how fast a page loads. In those early days Opera would crash often, and I discovered 2 major things: if I disabled javascript, 1) pages loaded (often much) faster, 2) browser didn't crash.

      Old Opera (versions 0 - 12.x) has always had lots of good per-site blocking, per-site cookie handling, per-site javascript / plugin control, etc. I would, and still run Old Opera, with javascript globally OFF, and enabled only for a few sites I'm reluctantly willing to allow it.

      Of course we all know that more and more websites barely work, if at all, without javascript, so now we have to be bogged down teaching plugins like uMatrix, but at least we can get some control back.

      To clarify my stance, I don't hate javascript, rather I'm troubled by the access it has to our computers' files.

    16. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      You are of course right, but I also sympathize with the other side. Sometimes you want to be able to put your trust in others and expect them to not royally fuck you over. Should people be surprised that Facebook would choose to go full on Google on everybody and scrape every little available detail about their existence with the intent of monetizing it? Of course not, but it sure would be nice to be able to trust somebody when they say that their scripts won't do all of these things that they're not telling you about.

    17. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      This is the cost of using ANY third party sourced code. If you're using Facebook or jQuery or anything sourced from a CDN, they could inject whatever they want in there. Either you don't do this, which is good, or you're guilty of the same damn thing you fuckwit.

    18. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      It's cute you think your data is somehow worth protecting

    19. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      It doesn't matter if you use Facebook. They can fingerprint you pretty well across all of the websites that have their code embedded on their site for that stupid little like button. Any website widget that fires any kind of JavaScript event should be considered questionable. There are ways for them to make a 'like' button work without injecting code into your website, but they don't want that because they want to be able to track ALL of your visitors, not just Facebook customers.

    20. Re:Why is this a surprise? by datavirtue · · Score: 1

      Marketing departments mandate all kinds of tracking services without vetting them with security or IT. Security usually bitches about it and it seriously slows the site down but it gets rammed through..."what could go wrong?" Essentially you place a snippet of javascript on your page that pulls down whatever code the tracking company deploys. It's like a box of chocolates...

      --
      I object to power without constructive purpose. --Spock
    21. Re:Why is this a surprise? by datavirtue · · Score: 1

      "The Slashdot page you are on right now runs scripts from nine domains "

      Not on my computers.

      --
      I object to power without constructive purpose. --Spock
    22. Re:Why is this a surprise? by datavirtue · · Score: 1

      NoScript. ...and just in case....a big, fat HOSTS file.

      --
      I object to power without constructive purpose. --Spock
    23. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      You were unaware? UNAWARE? You were UNAWARE of what's running ON YOUR OWN FUCKING WEBSITE?????

      I bet you anything, it was running on users' browsers (when they visited the website) and actually never ran on the website.

      Yes, this is pedantic, I know. But when describing mechanisms, pedantry is the difference between an accurate description vs misleading people into fucking up.

      People are genuinely confused about the difference between websites and browsers, even here on "tech" websites. But for this stuff to work well, requires that people actually understand it.

      Since people apparently don't understand how the web works, the web can't work for them. And that's a problem, unless we want to go back to the classic approach: just write off all the stupid people, since they can't be saved. You wanna go there? I'm tired of being flamed for going there.

    24. Re: Why is this a surprise? by Anonymous Coward · · Score: 0

      Any reason not to use EFF privacy badger?

  2. I'm laughing my ass off !!! by Anonymous Coward · · Score: 1

    Facebook has magnified the consequences of poorly placed trust far beyond most anyone's worst nightmares.

    I never fell for the idiocy of Facebook myself, so all the suckers and chumps who did are just fools who provide me with a reason to laugh derisively.

    Thanks for the laughs, you dumb fucks.

    1. Re:I'm laughing my ass off !!! by PPH · · Score: 2

      I never fell for the idiocy of JavaScript.

      --
      Have gnu, will travel.
    2. Re:I'm laughing my ass off !!! by Anonymous Coward · · Score: 0

      Actually, I think you're blaming the wrong person. Facebook providing an API so that you can log into [some website] using your Facebook credentials is not all that terrible.

      But these websites should not be using 3rd party scripts for this. Period. The websites using these scripts are the ones who are to blame for this.

    3. Re:I'm laughing my ass off !!! by Anonymous Coward · · Score: 0

      Laugh it up, AC. You may be Anonymous here but you're not Anonymous to Facebook thanks to all of your Facebook-swilling friends whose Contact information has been slurped to build a profile with your name, address, date of birth, email address(es) and contact phone numbers. They probably know what type of porn you like too, based on your friends' porn preferences.

    4. Re:I'm laughing my ass off !!! by Anonymous Coward · · Score: 0

      I wonder how many goodies are buried in Server-Side JavaScript libraries

  3. Oracle will fix that by Tablizer · · Score: 3, Funny

    I hear Oracle is trying to sue anyone publishing JavaScript because they own the trademark "JavaScript". Lawsuit fear may finally end the organic mess of JavaScript floating around. Okay, I'm only dreaming.

    1. Re:Oracle will fix that by Anonymous Coward · · Score: 0

      There is no "try to sue". Sue or not. In the case of Oracle, it always sues.

    2. Re: Oracle will fix that by Anonymous Coward · · Score: 0

      That brings up an interesting point. Why is JavaScript called "JavaScript" in the first place? It has nothing to do with Java in any way whatsoever. More idiocy.

    3. Re: Oracle will fix that by tomhath · · Score: 3, Informative

      Why is JavaScript called "JavaScript" in the first place?

      Marketing hype left over from when Sun was pushing Java as the solution to everything.

    4. Re: Oracle will fix that by Anonymous Coward · · Score: 0

      It was called LiveScript in Netscape, but they decided to hit the hype train and call it JavaScript. However, there is a standard behind it now so it can also be called EcmaScript.

    5. Re:Oracle will fix that by Tablizer · · Score: 1

      Well well, it's the Grammar Yoda (Writing Yoda?) Fockit

  4. How hard can it be? by msauve · · Score: 1

    #deletefacebook

    (meme from Twitter, and maybe that too) For anyone who cares the path is clear. If you don't care, do nothing and quityerbitchin.

    Do, or do not. There is no try.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:How hard can it be? by Anonymous Coward · · Score: 0

      $DO || ! $DO ; try
      try: command not found

      One of my favorite shirts.

    2. Re:How hard can it be? by Anonymous Coward · · Score: 0

      The irony is: there's no deleting Facebook!

      The "Delete Account" button only temporarily disables your account. There's no actual deletion of your past or current data going on. How could there be? It's not economically feasible for Facebook to restore all their database backups to scrub your data out of it and overwrite the old backups. And to ask all of their data partners to do the same? Surely you jest!

  5. Sometimes you love by Anonymous Coward · · Score: 0

    Being able to say 'HA! i told you so'. This is one of those.

  6. Been blocking forever - Fanboys annoyances by Anonymous Coward · · Score: 1

    Suck it Traitorberg!

  7. Huh? Exploit? by Anonymous Coward · · Score: 0

    If I give a site access to my data, how is it surprising that they might use third-party SAAS to process my data? Where is the exploit here? Is the endgame for this hysteria a complete ban on SAAS?

    1. Re:Huh? Exploit? by Anonymous Coward · · Score: 0

      If I know your birth date, mother's maiden name, first pet, street you grew up on, etc.,... because we are friends, does that mean the data is mine because I know these facts or does it mean the data is yours because they are facts about your life? If you're the one whose, say, credit score could be ruined and identity stolen, shouldn't it be you rather than me that decides if that information is made public or given to third parties?

      Should the fact that I decide to use facebook's broker logon service at a website you never visit allow that site and all of its 'partner' a way to profile you even though you don't have a facebook account?

      If I give a site access to my data, how is it surprising that they might use third-party SAAS to process my data? Where is the exploit here? Is the endgame for this hysteria a complete ban on SAAS?

      Since knowledge of information vs information about is used interchangeably, one can also phrase it this way:

      'If I give a site access to important data about you, how is it surprising that they might use third-party SAAS to process that data about you? Where is the exploit here? Is the endgame for this hysteria a complete ban on SAAS'

      The exploit is that I gave them the data and you had no say and that even if you would have wanted to, you would have had no way to stop it. You may never have known it happened.

      Blissfully unaware of the possible consequences, I upload info about you to the world and then call you up to see if you want to meet for dinner. As friends, you accept, blissfully unaware of what I just uploaded for the world to see. I never thought it important enough to mention let alone refrain from doing in the first place.

    2. Re:Huh? Exploit? by Sloppy · · Score: 1

      If I know your birth date, mother's maiden name, first pet, street you grew up on, etc.,... because we are friends, does that mean the data is mine because I know these facts or does it mean the data is yours because they are facts about your life?

      The experience of obtaining that data from your friend is yours and nobody has the right to take it away from you. And they won't do it, unless our society decides it appropriate to use force to damage your brain.

      If "privacy" is ever protected to quite the degree that some people are advocating (e.g. the right to be forgotten) then it will have to come with the downside of degrading human dignity, by insisting people pretend they don't know things they know (i.e. cause a festering mess that always arises from a web of lies, "oh, I forgot that I was pretending I didn't know that!") or actually doing it (either through some sci-fi memory wipe, or just putting a bullet through their head). All solutions to that are horrible. Letting people keep their experiences and acknowledging that learning things about other people is a part of life is the only approach I have ever heard that I don't totally hate.

      If you're the one whose, say, credit score could be ruined and identity stolen, shouldn't it be you rather than me that decides if that information is made public or given to third parties?

      If your identity can be stolen by people knowing your mother's maiden name, first pet, street you grew up on, etc, then your identity is a fragile thing indeed. If anyone issues credit in your name to someone who knows those things, then that creditor is irresponsibly negligent to a comical degree, and they deserve to lose their money, and it's not your fault. They should have checked to make sure they were giving the money to you instead of just some random person who happened to know a few bits of trivia.

      If the law pretends it's your fault, then the law is at fault. We either have to live with unjust laws or do something about them. It's up to us.

      Some of your friends do know your mother's maiden name, first pet, street you grew up on. They really do. They should. They were there! It was their life too! Therefore, those things do not authenticate you. (And other people, who aren't so friendly, also know those things. I know those facts about people I haven't seen in decades, with whom I have no relationship at all.)

      We need to stop pretending this information is sensitive, and stop trying to bend over backwards to create fake privacy rights. All in the name of making bankers' jobs easier, so they don't have to authenticate people, really? Think about what you're going to get out of this sacrifice.

      With that in mind, I reject all arguments based on the premise that it's "important information." Treating it as though this trivia is important, is the real problem here.

      It really pisses me off that this is lumped into "privacy." People are worrying about keeping it easy for bankers to issue credit without checking to see who they're giving money to, and yet your own family communications aren't even encrypted yet. Instead of worrying about facebook, where's my non-sucky phone that I can plug into the home OTP server when I'm charging it? Good fucking grief.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  8. Huh? Exploit? by Anonymous Coward · · Score: 2, Insightful

    Where is the exploit here? How is it surprising or concerning that if I give a company access to my data, they might use third-party SAAS to process my data? Is the endgame of this hysteria a complete ban on SAAS?

  9. Facebook is always bad news. Who uses this crap? by Seven+Spirals · · Score: 1

    Either the press has turned against them, they are the new Microsoft Evil Empire, or they are just real assholes, but there is a new "Facebook is Evil as Fuck - New Assrape Code" story every day!

  10. LOL! by MerlTurkin · · Score: 1

    I don't do Facebook!

  11. Re:Facebook is always bad news. Who uses this crap by Narcocide · · Score: 1

    Just you wait until they get around to auditing the banner ads.

  12. "When you can't attack the message..." by Anonymous Coward · · Score: 0

    See subject: "... attack the messenger" & use the truncheon in lieu of conversation via abused "downmods" in an easily cheated "moderation system" that sockpuppets galore can abuse w/ ease!

    * RIGHT "whipslash" DUBAI boy (lookup BizX folks on that note)?

    No matter - as I've been LAUGHING @ YOUR puny effete ineffective attempts @ suppressing me for a year now... so much for YOU, wannabe, lol!

    (Besides - MOST here browse BELOW your "fixed" self-upmodded to promote YOUR BOGUS AGENDA 'moderation threshold' & see MY posts anyway, hahaha!)

    APK

    P.S.=> For that that do NOT know about the "mod threshold" hiding along w/ "first post" forums post burial methods? Hey - THIS post enlightens them & don't worry, I'll just post it again, DEFYING you chump (I can do this ALL DAY LONG just to BURN YOUR LOUSY ASS boy)... apk

    1. Re:"When you can't attack the message..." by Anonymous Coward · · Score: 0

      Your message is successfully attacked and destroyed all the time, but it isn't our fault you fail to realize you lost long ago. It is fun to see a loser like you complain about being squelched when you try to do the same to others. Did it ever occur to you that some people may just be sick of you endlessly parroting the same thing for years?

  13. Re:Facebook is always bad news. Who uses this crap by Seven+Spirals · · Score: 1

    You are right! Not to mention anywhere they had access to a live mic.

  14. Re:Facebook is always bad news. Who uses this crap by Anonymous Coward · · Score: 0

    The press is just happy for any distraction from the constant (deserved) accusations of being fake news.

  15. Never used this feature once by AbRASiON · · Score: 4, Insightful

    Always felt it to be highly invasive, potentially insecure. The LAST thing I want, is to sign in to bloody sites with Facebook credentials.

    1. Re:Never used this feature once by 140Mandak262Jamuna · · Score: 1

      OK So you think these sites are slimeballs and blood. I find it odd you have a facebook credential to begin with. It is very inconsistent with someone who takes privacy seriously.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Never used this feature once by Solandri · · Score: 1

      The feature itself isn't a bad idea. A trusted third party confirms the identity of both the store and the user wishing to login to the store, and can do it for all stores and all users. Done right, you could replace the hundreds of different passwords I currently maintain in my password manager, with a single password (passphrase) and key + certificate. It's basically what already happens with SSL (HTTPS connections), except instead of authenticating a browser for a single session, you authenticate a user for multiple sessions.

      It's when the trusted third party unnecessarily collects gobs of info about every user, what sites they're logging into, and what they're doing on those sites which causes the problem. "The exploit lets these trackers gather a user's username" is a non-story.

    3. Re:Never used this feature once by Anonymous Coward · · Score: 0

      It's not our fault you don't understand how Oauth works. Someone even less intelligent than you actually modded you insightful.

    4. Re:Never used this feature once by Anonymous Coward · · Score: 0

      Oauth is great, but it's hard to argue that training people to enter their credentials into any site that looks like Facebook or whatever is a good idea. Most "normal" people would fall for a fake authentication popup window, which makes the whole thing pretty damn insecure.

  17. Hosts stop it & more the most efficient way by Anonymous Coward · · Score: 0

    APK Hosts File Engine 10++ SR-1 32/64-bit https://www.google.com/search?source=hp&ei=ZYrPWpW_H-ykggel7JLwBg&btnG=Search&q=APK+site%3Astart64.com/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivir + less security bugs/complexity & faster vs. av/addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - Accept NO substitute for more speed, security, reliability & anonymity that natively does more for less vs. ANY other single "so-called 'solution'"!... apk

  18. Re:The invasion of the JUDENoids (like Zuck) by Tablizer · · Score: 1
  19. Re:The invasion of the JUDENoids (like Zuck) by Anonymous Coward · · Score: 0

    Suckerberg I see you post as "tablizer" on slashdot. Figures you use a false name and can't validly disprove what you replied to!

  20. On a similar lane of thought on FB security... by Vegan+Cyclist · · Score: 3, Interesting

    ...how do we know when we're using a legit 'Facebook login' prompt on mobile devices?

    For example, I don't have FB on my mobile, and I've linked my Instagram account to it, but every now and then I get a pop-up asking me to sign into FB. I'm not concerned there, since it's Instagram and they're owned by FB....but there are other apps and games that do the same thing.

    I really have no way of verifying that the prompt is legitimately from FB. It would be trivial to create a game that asks you to tie it to your FB account to 'save data' or 'play against friends', etc, and display the same pop-up, and simply collect your FB credentials.

    That seems like a pretty serious security issue to me....is anything being done to prevent that from happening, or that can verify that the prompt is a legit FB sign-in?

  21. welp two decades now combine by Anonymous Coward · · Score: 0

    The bane of the 90's and the bane of the 00's, javascript and facefuck: they deserve each other, and anyone that uses either deserves what they get. Back to terminals and dial-up, that's what is needed now.

  22. Re:The invasion of the JUDENoids (like Zuck) by Tablizer · · Score: 1

    I'll give you 3 ad-free FaceBook accounts if you keep quiet about this.

  23. look at gmx by Anonymous Coward · · Score: 0

    Look at their login page. It's a newspaper frontpage littered with ads and probably trackers and tons of 3rd party js. It would surprise me if it wasn't possible for those scripts to access credentials.

  24. Add Other App Data To The List by AncalagonTotof · · Score: 3, Interesting

    I never created a Facebook account. The Facebook app is disabled in my phone. But ...
    At our company, I used a test account created by a colleague, for the R&D team. I used it to log in an app under development.
    So far, so good. Or so it seems.
    But after the C.A. scandal, I was curious and downloaded the data Facebook has on this account.

    1) reading the list of known items makes you think that for sure, they know much more than they tell you and give you in this archive

    2) a small detail, but which means a lot : at the end of the profile description, there is something like : "Music: AONE". Now I know Facebook has used our team test account to suck data from my phone because AONE is a little known French metal band. Facebook pulled the information from Jet Audio, the player I use. Facebook got it behind my back, without my consent.

    So, Mr Zuck., stop lying and pretending you know nothing about shadow accounts. Everybody except you knows, really!? You're either a liar or a dumb that has lost control of his company.
    Shut Facebook down for good. The end. Maybe you'll be allowed to run with the money.

    --
    Totof

  25. Solution? Delete facebook. by Anonymous Coward · · Score: 0

    Even those who don't use it have their data collected, and it's been known for a long time that they do this. Please stop rewarding them for that.

    I don't see how this new story changes anything really, it's just more of the same and people continue letting it happen.

  26. Browser Weakness/Design Flaw by mysidia · · Score: 1

    Websites can always contain malicious code..... This should have from the start been designed so:
    When a form element contains a PASSWORD field:

        1. The page displaying the form data needs to have been received over HTTPS with the same hostname that the POST operation will send the form to, and the form needs to be contained in the HTML; The browser should provide unique UI presentation for Password fields and normal Text fields, so it should not be possible for a JavaScript to "add a custom password field later" or change a normal Text field to look like password field after capturing data.

        2. When a password field is added using HTML, the Element's type becomes read-only, and the Form Post target URL becomes read-only.

        3. The Element's value becomes Write-Only. Javascript can SET the value of a password textbox or POST the form to the locked target URL, but cannot read the value, nor receive any keystroke events for the Textbox or the overall webpage.
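
A static check in the spirit of two comments above (the third-party scripts on a login page, and rule 1 of the proposed browser design), added here as an example and not part of any poster's comment. It parses a page as served, flags a password form that posts anywhere but the page's own HTTPS host, and lists each external script host that would run in the same origin as the password field; the sample page and its hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginPageParser(HTMLParser):
    """Collect external script URLs and the targets of forms holding a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_urls = []     # absolute URLs of <script src=...>
        self.password_forms = []  # resolved action per password form; None = field outside a form
        self._action = None       # resolved action of the currently open <form>, if any
        self._has_pw = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_urls.append(urljoin(self.page_url, a["src"]))
        elif tag == "form":
            # A missing or empty action submits back to the page URL.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_pw = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is None:
                self.password_forms.append(None)
            else:
                self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_pw:
                self.password_forms.append(self._action)
            self._action = None

def audit(page_url, html):
    """Return findings for one page as served; an empty list means nothing was flagged."""
    parser = LoginPageParser(page_url)
    parser.feed(html)
    parser.close()
    if not parser.password_forms:
        return []  # no password field on this page
    page = urlsplit(page_url)
    findings = []
    if page.scheme != "https":
        findings.append("page with a password field is not served over HTTPS")
    for action in parser.password_forms:
        target = urlsplit(action or "")
        if action is None:
            findings.append("password field sits outside any <form>")
        elif target.scheme != "https" or target.hostname != page.hostname:
            findings.append(f"password form posts to {target.scheme}://{target.hostname}, "
                            "not the page's own HTTPS host")
    # A <script src> from any host runs with the page's origin and can read input values.
    hosts = {urlsplit(u).hostname for u in parser.script_urls}
    for host in sorted(hosts - {page.hostname, None}):
        findings.append(f"third-party script runs in the password page's origin: {host}")
    return findings

# Constructed sample page (hypothetical hosts).
SAMPLE_URL = "https://mail.example.test/login"
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://ads.tracker.example/t.js"></script>
<script src="//cdn.widgets.example/w.js"></script>
<form action="https://auth.example.test/session" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>"""
```

It only sees the markup as served; scripts that add fields or rewrite the form target at runtime, which rules 2 and 3 above are aimed at, need a check in a real browser.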

  27. So what? by OneHundredAndTen · · Score: 1

    If you use your Facebook account like a garbage can, to contain all the trash generated as a result of the privilege to log automatically with Facebook into some sites, the bad guys will only get garbage. That's what Facebook is good for. From my account, the bad guys will have obtained fake names, phone numbers, email addresses - and an untold and unknown - to me - amount of spam. Enjoy the junk, hackers.

    1. Re:So what? by datavirtue · · Score: 1

      They will still get the data from the tracking javascript that forwards everything under the sun in an agreement with facebook. Given all of the other data they have from everyone else they will be able to accurately tell you things you don't even know about yourself. Play with machine learning...it will open your eyes. There are very few who are not able to be profiled...you are not one of them.

      --
      I object to power without constructive purpose. --Spock

  28. Sweaters by Anonymous Coward · · Score: 0

    This data scraping thing is like a sweater unraveling.

    Pretty obvious once you think of it, but the ramifications are nuts. If you can worm your way into some good data through any page with a facebook login it's game changing.

  29. Single log-in vs same UID/PW everywhere by WoodstockJeff · · Score: 1

    One is obviously a bad idea. The other is just stupid.

  30. My antisocial nature by Anonymous Coward · · Score: 0

    Once in a while, my antisocial nature winds up serving me well.

    I bailed on Facebook in 2009. It's been a long time, but what I remember was fucking Farmville and Mafia Wars, along with vapid uninteresting people who thought that somebody might care what they had for lunch and felt the need to post about it every single day. None of those things interested me in the least. All these years later, I don't miss it, and there's a decade worth of tracking info they don't have on me.

    I'm also the super paranoid type who runs RequestPolicy, uBlock Origin, and disconnect, so those asshole Facebook scripts that track offline users have a harder time. Hell, I'm sure I stand out as one of the people who doesn't have a huge amount of history, but at least they don't (relatively speaking) have a huge history on me.

    Anyway, there's no real point to this post. Fuck Facebook and fuck social media in general. Fuck you too, Google.

  31. Another antisemitic rant from APK by Anonymous Coward · · Score: 0

    Shut up APK, I see you are off on one of your antisemitic rants again. Funny how these only appear in threads where he posts and always right before or right after one of his posts. The format, structure, language, style of rant, capitalization, and bolding of the repeated posts is also a match for APKs posts, just like the random ACs that post from time to time to support him. He should really just claim all of his work so that all can see just what kind of person he is. I guess it is just that time of month for APK when he feels like he needs to rage across slashdot. I encourage everyone who sees these posts, or any of his unsigned work, to correctly attribute them to APK so that he will be forever immortalized for what he actually is.


  32. The three letters you know and love by Anonymous Coward · · Score: 0

    Say them in your head. Ess Pee Aitch.

  33. MongoDB is spy scale by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=b2F-DItXtZs

  34. List of hostnames to block in hosts vs. this by Anonymous Coward · · Score: 0

    0.0.0.0 api.behavioiralengine.com
    0.0.0.0 behavioiralengine.com
    0.0.0.0 cdn.augur.io
    0.0.0.0 augur.io
    0.0.0.0 c.lytics.io
    0.0.0.0 lytics.io
    0.0.0.0 p1.ntvk1.ru
    0.0.0.0 ntvk1.ru
    0.0.0.0 st-a.props.id
    0.0.0.0 props.id
    0.0.0.0 tags.tiqcdn.com
    0.0.0.0 tiqcdn.com
    0.0.0.0 cdn4.forter.com
    0.0.0.0 forter.com

    * SOURCE https://www.bleepingcomputer.c...

    APK

    P.S.=> For even more protection vs. other threats + more speed, reliability & anonymity, accept NO substitute for APK Hosts File Engine 10++ SR-1 32/64-bit /https://developers.slashdot.org/comments.pl?sid=12004123&cid=56461997/ ... apk

    1. Re:List of hostnames to block in hosts vs. this by Anonymous Coward · · Score: 0

      APK isn't smart enough to actually do the real work he needs others to do that. Instead all he can do is advertise a program that he probably created in one of his first windows class getting his AAS for windows administration.

  35. Bullshit - hosts work vs. this for example by Anonymous Coward · · Score: 0

    Bullshit - hosts work vs. this for example perfectly blocking it (as hosts do to tons of threats) per https://developers.slashdot.org/comments.pl?sid=12004123&cid=56467635/ shitbrain.

    * As far as being "squelched"? A chump do-nothing "ne'er-do-well" ZERO like you can't ever get the better of me (see above as proof). My post MAY be unjustly downmoderated by you but that's nothing, I just repost after you're burned out of "downmod points" you abuse & that's that douchebag, lol! See-> https://developers.slashdot.org/comments.pl?sid=12004123&cid=56461997/

    So you CAN'T stop me & that's why 100's of 1,000's of users of this particular program are aware of it - & YOU CAN'T STOP IT (lol, pisses you off, doesn't it? Yes, it CLEARLY does, hahaha!)

    APK

    P.S.=> I never complain about PUSSY LOSERS like you that aren't capable of creating useful things like I can - I just know that & it makes me LAUGH @ "your kind", chattering useless forums DILDOS (& I laugh as well as how easily I get the better of "your kind", & you are JEALOUS wimps that stalk me by UNIDENTIFIABLE anonymous posts & you lose every time - it's just too easy for me to do to you & it's ALL YOU KNOW HOW TO DO - lose, lol!)... apk

  36. I said all I have to say to "your kind" (lol) by Anonymous Coward · · Score: 0

    I said all I had to say to "your kind" (lol) & you KNOW it's true https://developers.slashdot.org/comments.pl?sid=12004123&cid=56468529/

    * Is THAT bs the "best ya got" vs. what I put up that works vs. this threat & TONS of others? Apparently so - guess what then?? You did your usual - you LOSE, loser!

    APK

    P.S.=> Truer words were NEVER SPOKEN on /. than what's in that link (regarding the efficacy of MY work that 'your kind' (lol) can't EVER manage to do or to do BETTER than I have & also the rest of what I directed "your kind"'s way (chattering do-nothing "ne'er-do-well" UNIDENTIFIABLE anonymous losers))... apk

  37. I do more & better than "your kind" by far by Anonymous Coward · · Score: 0

    See subject: I supply that data from reputable sources & a program that gets even more vs. threats many /.'ers like + use w/ 100's of 1,000's worldwide for the GOOD of others (the ABSOLUTE good, to be of service to others which you have no clue about OR the ability to do so, clearly) - how about you? You've done better?? I don't see it. I give you the opportunity now to do so (you can't & won't).

    So you know - I'm also dual degreed in the art & science of computing (MIS bachelors & CS associates) + I've done pretty well (which I will supply in subsequent posts to see if YOU have done better, Mr. UNIDENTIFIABLE "ne'er-do-well", lol (you haven't - all you do is stalk me like the "jealous jowie" mere "ne'er-do-well" you evidence yourself to be by doing it, hahaha!)) - I'm also 11++ yrs. retired after a 23++ yr. long professional career in computing ranging from my start in the early 90's as a tech while in collegiate academia, then as a network admin, on to programmer/analyst & last a software engineer for the last 7 yrs, but I still do pet projects to help others in programming like the hosts engine. I run my own life & businesses (I recommend it to ANYONE - it is the way to go).

    APK

    P.S.=> By the way - It doesn't take much brains to setup either a VM (what I do now) or a 2nd system w/ a backup clean image (which I used to do) to trace online threats you know (apparently, you don't)... I find roughly 250 threats this way myself everyday above & beyond security community sources my program uses to protect users do in fact... apk

  38. You did more earlier & better than I? by Anonymous Coward · · Score: 0

    Windows NT Magazine April 1997 "BACK OFFICE PERFORMANCE" pg 61

    (For SuperSpeed.com PAID CONTRACT (wrote SuperCache 40% performance boost) & SuperDisk finalist @ MS Tech Ed 2x in a row 2000-2002 HARDEST CATEGORY: SQLServer Performance Enhancement)

    WINDOWS MAGAZINE 1997 "Top Freeware & Shareware of the Year" issue pg 210 #1 entry

    PC-WELT FEB 1998 pg 84

    WINDOWS MAGAZINE, WINTER 1998 pg 92 MUST HAVE WARE

    PC-WELT FEB 1999 - pg 83

    CHIP Magazine 7/99 - pg 100

    GERMAN PC BOOK Data Becker "PC Aufrusten und Repairen" 2000

    HOT SHAREWARE #46 issue pg. 54 2001

    Paid for article @ PCPitstop in 2008 http://pcpitstop.com/news/winn...

    UltraDefrag64 Process Priority Control credited by lead devs of it in the programs credits section.

    APK Hosts File Engine 10++ 32/64-bit is hosted & RECOMMENDED by Malwarebytes http://hosts-file.net/?s=Downl...

    (That's only a FRACTION of what I can put out, some favs of mine)

    APK

    P.S.=> See subject & prove your worth (you can't)... apk

  39. Do our /. peers say this about your work? by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Want more? Ask & see subject - answer it proving they do!

    APK

    P.S.=> You can't & you know it (this is in addition to my other post too https://developers.slashdot.org/comments.pl?sid=12004123&cid=56468879/ )... apk