Zuckerberg Gaslights Congress Before The Hearings Even Start


Zuckerberg Gaslights Congress Before The Hearings Even Start

Mark Zuckerberg swears he found out just two weeks ago that bad actors were harvesting users’ private info by the millions. But the company was alerted long, long before that.

By Kevin Poulsen 04.10.18 5:02 AM ET

Facebook was warned five years ago that the “reverse-lookup” feature in its search engine could be used to harvest names, profiles, and phone numbers for virtually all its users. But the company ignored the red flags until last week, after it happened.

In prepared testimony to Congress released Monday, Mark Zuckerberg acknowledged that malefactors had used the reverse-lookup “to link people’s public Facebook information to a phone number,” he wrote (PDF). “When we found out about the abuse, we shut this feature down.” He said that Facebook only discovered the incidents two weeks ago.

Zuckerberg is set to testify at a joint hearing before the Senate’s Judiciary and Commerce committees on Tuesday, and then return to Capitol Hill on Wednesday to appear before the House Energy and Commerce Committee. This will be the first time Facebook’s billionaire founder and CEO has ever appeared before Congress. Last fall the company’s vice president and general counsel Colin Stretch appeared at the hearings probing Russia’s election interference campaign.

“You could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account.”
— Security researcher Bennett Haselton in 2013

The hearings are a response to last month’s revelations that Cambridge Analytica, a U.K.-based consulting firm that worked for the Trump campaign, harvested data on as many as 87 million Facebook users without their knowledge.

Facebook revealed the separate reverse-lookup data spill while responding to the Cambridge Analytica controversy.

The issue was that Facebook allowed users to find anyone on the site by entering either their phone number or email address. In 2010, computer science researchers in Greece showed how spammers could use that feature to validate address lists and “craft personalized phishing emails that are far more efficient than traditional techniques by using personal information publicly available in social networks” (PDF).

But Zuckerberg’s written testimony reveals for the first time that it was phone number lookups that were used in the large scale scraping. That’s a more potent weapon for bulk harvesting, because a data miner can programatically cycle through every possible phone number to get a complete corpus. With some exceptions—custom privacy settings or accounts with no phone number attached—sequential mining would yield every Facebook profile.

Facebook didn’t respond to inquiries for this story.

Though Facebook is professing surprise at the data spill, in 2013 security researcher Bennett Haselton warned Facebook publicly and privately of this exact scenario.

“You could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account,” Haselton wrote in a prescient post to the technology website Slashdot. “Not only would you know the names associated with each of the numbers, you could associate the phone number with anything else that was discoverable from the person’s Facebook profile—which usually includes their location, their interests, and the names of their other friends.

“It would only have to be done once to put the users’ data permanently in the hands of the attackers, with Facebook unable to put the cat back into the bag,” he added.

Facebook’s primary countermeasure against bulk profile harvesting was rate-limiting, i.e., blocking rapid-fire search queries originating from the same Internet Protocol, or IP, address. The unidentified perpetrators bypassed that protection by cycling “through many thousands, or hundreds of thousands, of IP addresses to evade rate limiting,” Zuckerberg said last week.

“Facebook’s response to bad news has been more spin than win. When the company found hundreds of Russian fake accounts, it... published statistics that seemed hand-picked to minimize the Kremlin’s reach.”

In an interview with The Daily Beast, Haselton said Facebook never responded to his reports. He says removing the reverse-lookup search was the right move, even if it came five years late. “This is not functionality they had to leave in.”

Facebook removed the email and phone search capabilities entirely last Wednesday. “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” wrote Facebook chief technology officer Mike Schroepfer in a blog post.

Overall, Facebook’s response to bad news has been more spin than win. Zuckerberg initially scoffed at the notion that Facebook played a significant role in Russia’s campaigning. When the company finally found hundreds of fake accounts created by Russia’s troll farm it refused to publicly identify them, instead publishing statistics that seemed hand-picked to minimize the Kremlin’s reach—just $100,000 in ad spending, a mere 470 fake accounts. One oft-heard talking point noted “the majority of the Russian ad spend happened AFTER the election,” a stat that wouldn’t have worked if Facebook had cut off the Kremlin seven months after the election instead of 10. Eventually, last October, Facebook reluctantly revealed the number that mattered: the number of Americans reached by the Kremlin’s Facebook campaign—126 million.

There are signs the company is taking a more forthright approach now—when it booted another batch of Russian troll accounts last month, it identified some of them by name, and even showed screenshots of some content. The most promising indicator is Zuckerberg’s voluntarily appearance on Capitol Hill, under oath, where spin has a legal limit.

https://www.thedailybeast.com/facebook-knew-people-were-stealing-your-phone-number-in-2013

Comments

Post a Comment

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that the patient is 3,000 kilometers away,”  he said.
Read more

Visualizing The Power Of The World's Supercomputers

Visualizing The Power Of The World's Supercomputers   BY TYLER DURDEN FRIDAY, JAN 21, 2022 - 04:15 AM   A supercomputer is a machine that is built to handle billions, if not trillions of calculations at once. Each supercomputer is actually made up of many individual computers (known as nodes) that work together in parallel. A common metric for measuring the performance of these machines is  flops , or  floating point operations per second . In this visualization,  Visual Capitalist's Marcus Lu uses  November 2021 data from  TOP500  to visualize the computing power of the world’s top five supercomputers. For added context, a number of modern consumer devices were included in the comparison. Ranking by Teraflops Because supercomputers can achieve over one quadrillion flops, and consumer devices are much less powerful, we’ve used  teraflops  as our comparison metric. 1 teraflop = 1,000,000,000,000 (1 trillion) flops. Supercomputer Fugaku  was completed in March 202
Read more

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke
Read more