Thanks to Security Nirvana the program and abstracts of password 11 are available.
Today I got the confirmation for attending password 11, a conference on password security. It is organised by the Selmer Centre, part of the University of Bergen, Norway. I am looking forward to some interesting talks. In the meantime, check out what happened at password 10, which took place in December 2010. For those of you unable to participate, take a look at upstream.tv, where there will be a recording or live stream of at least some of the talks.
Additionally I plan to write about the talks afterwards.
See you at password 11
Some words about comments on this site. You might be wondering why there are nearly no comments at all on the site. The reason for this is very simple: I approve comments only from people I know. I do not want my readers to be spammed. In case you think your comment should appear on this site even though I do not know you, send me an email so we can discuss the topic. There is a good chance of convincing me to approve your comment.
Last night I took the opportunity to download the leaked data via the Torrent.
To make it short, the data contained:
In the end, the profiles were just user names. To have a look at a profile you need to be logged in.
What Ron did was similar to automatically scanning phone books and publishing them on the Internet.
On 28th of July 2010 news spread that 100-170 million sets of “user data” had been leaked from facebook [see arstechnica, bbc, heise (German) or skullsecurity]. Ron Bowes, a security researcher, created a program which crawled through the publicly available user directory of facebook. The crawler checked each and every profile listed there and stored the available information. Since then I have heard a lot of people speaking about a privacy problem on facebook.
But what happened really?
Facebook and some users have a huge interest in being found by Google and other search engines. Therefore there is a switch inside the profiles which allows users to define which part of their information is available to whom. There is also a special switch inside the privacy settings to make the profile publicly searchable.
To make users publicly searchable, facebook opened a directory: Facebook directory
This directory lists every user who allowed facebook to make their profile publicly searchable.
Besides this option there are others through which the facebook user allows people to view certain details. This begins with pictures and ends with contact information. All the information the user added and allowed everyone to view ends up in the publicly searchable profile.
This leads to the point that it is up to the user whether he is available to search engines, and being available to search engines means being available to crawlers.
The rest is simple programming and scripting. The attacker writes a small crawler which visits each page and saves it to disk. There are even tools available which can do the task out of the box. Ron afterwards made the data available via Torrent, a common file-sharing system.
If you want to check which information is available there, go to the Facebook directory and have a look for yourself.
Another interesting aspect of this issue is that some big companies downloaded the crawled data. According to gulli.com, this list also includes organizations like Scientology. For a full list of companies visit gulli.com. Unfortunately the link is in German.