Friday, October 15, 2010

Facebook's Real Privacy Threat: Your Friends

Here's how you can make your profile on Facebook perfectly secure. First, unfriend all the idiots you knew in high school. Second, unfriend all your friends from high school too. Next everybody you used to go to raves with. Next unfriend that really hot girl who dumped you because she thought you were an insane "genious" and who still hasn't figured out how to spell it. (Do I sound bitter?) Then it's time to unfriend all your relatives.

Continue unfriending until you've unfriended everybody who doesn't work with computers at a very high level of literacy on a daily basis. Then, of those remaining friends, unfriend everybody who knows they should floss, but doesn't do it, or who knows they should go to the gym, but doesn't do it, because chances are that they know they should be using strong passwords too, and they aren't doing it.

This image totally breaks the flow of my blog post, but I had to include it, because what the fucking hell is going on here? Why is this monkey flossing?


Imagine you're a black-hat hacker. You might want to target a specific individual to determine embarrassing things about them for the sake of malicious social engineering, such as extortion and/or blackmail. You might want to sell marketing and demographic data to unscrupulous corporations and/or organized crime. (Tangent: is the difference between unscrupulous corporations and organized crime qualitative or quantitative? Read McMafia.)

Anyway, you're a black hat, and you're up to no good. You hit Facebook. Like a street thug in a city with a lot of street traffic, or a cheetah facing a gigantic herd of wildebeest, you have a lot of options to choose from, and you focus on easy targets for the sake of convenience and time management.

What do you do? The smart place to start is with a simple dictionary attack of common words. Try it, and if it doesn't work, simply move on to the next target. Eventual access is more or less guaranteed. Most people don't use strong passwords.

Bruce Schneier wrote:

passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf [link to research]). Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit would have been able to crack 23 percent of the [34,000] MySpace passwords in 30 minutes, 55 percent in 8 hours.

Now consider that the future holds a lot of parallel processing, peer-to-peer massively parallel computation, and virtual machines.
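To put the quoted cracking rate and the "common words first" point into concrete terms from the defender's side, here is an added Python example (not from this post, from Schneier, or from Facebook): a set-time check that rejects passwords which are just a blocklisted word with cheap tweaks, alongside an estimate of how long a guesser at the quoted rate needs to exhaust a mutated wordlist versus a random password. The six-word blocklist, the 100 million guesses/second rate and the million-words-times-a-thousand-mutations figure are constructed assumptions.

```python
import re

# Constructed sample blocklist standing in for the wordlist a guessing tool
# would try first; a real deployment would load a large leaked-password list.
COMMON_WORDS = {"password", "letmein", "monkey", "dragon", "football", "welcome"}

# Reverse the cheap substitutions people make to a dictionary word.
LEET_MAP = str.maketrans("0143$@", "oiaesa")


def normalize(password: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo leet spelling."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)  # "monkey123" -> "monkey"
    return p.translate(LEET_MAP)             # "p@ssw0rd"  -> "password"


def is_dictionary_password(password: str) -> bool:
    """True if the password collapses to a blocklisted word after normalization."""
    return normalize(password) in COMMON_WORDS


def seconds_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Worst-case time for a guesser to try every candidate in the space."""
    return search_space / guesses_per_second


def random_password_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password of that length."""
    return alphabet_size ** length


def compare_strategies(rate: float = 1e8, words: int = 10**6, mutations: int = 10**3) -> dict:
    """Seconds at `rate` guesses/s to exhaust a mutated wordlist vs random passwords.

    Assumed (constructed): 100 million guesses/s, the order of magnitude quoted
    above, and a million-word list with a thousand tweaks per word.
    """
    return {
        "wordlist_with_mutations": seconds_to_exhaust(words * mutations, rate),
        "random_8_alnum": seconds_to_exhaust(random_password_space(62, 8), rate),
        "random_12_alnum": seconds_to_exhaust(random_password_space(62, 12), rate),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Dragon2010", "correct horse battery"):
        verdict = "weak (dictionary)" if is_dictionary_password(pw) else "not in blocklist"
        print(f"{pw!r:>25}: {verdict}")
    for name, secs in compare_strategies().items():
        print(f"{name:>25}: {secs / 86400:,.1f} days")
```

The mutated wordlist falls in seconds while the 12-character random password takes on the order of a million years at the same rate, which is why rejecting dictionary-derived passwords matters far more than forcing a digit or symbol onto one.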

Even if Facebook fixes its issues with technical incompetence and suddenly (or not-so-suddenly) decides to take privacy seriously, its security model is still so stupidly flawed that all Facebook data should be considered effectively public.

Good news for anybody who engages in identity theft. Bad news for everybody else. All the Silicon Valley optimism could turn out to be correct, but if it turns out to be another extended sprint of irrational exuberance, Facebook could face (and be booked with) the biggest class-action lawsuit in American history.