This is, to my way of thinking, the best possible action that Facebook could take. As to whether the general public agrees, that's another story.

The entire purpose for revocable credentials is to revoke them after compromise. Public release of IDs and passwords is practically the textbook definition of compromised credentials. For a company like Facebook, scanning those files is a key component of their internal intrusion detection. So it isn't a question of whether Facebook should look for those files, because they would be remiss if they didn't. Rather it is a question of what their obligation is once they know for sure a user's credentials have been leaked.

They could tell the user "hey, your email address was found in this data from a breach" based on nothing more than matching the email address. However, they don't do that, probably because it would be too much disclosure. Instead, they run the password against their own database so they know before alerting the user that the password is still valid on Facebook, at a minimum. People who sync passwords tend to change them all at once, so if it's good here, it's probably still good everywhere. This is a practical compromise between over-disclosure (with resulting false positives, user fatigue from repeated alerts, and diminished effectiveness) versus possible under-disclosure but ensuring all hits are known true positives.

There's an alternative in that Facebook could themselves use the credentials to scan a list of high-value sites and tell the user specific places where the passwords are compromised. Although for some users this would be helpful (and necessary - some people need to be notified with a sledgehammer), it crosses the line to illegal. As currently implemented Facebook knows before alerting that a) the credential is valid on Facebook and at least one other site; and b) the user probably is in the population who reuse passwords broadly.
Short of illegally scanning other sites with the credentials, this seems like the best approach Facebook can take. In all likelihood Facebook had previously been scanning and *not* notifying since, as mentioned, that's a way to detect your own breaches. So notification seems a step in the right direction to me and possibly mandatory from an ethical perspective.

Incidentally, ID-theft and credit-monitoring services use this exact technique. Only they make you pay for it, whereas Facebook does it for free. Users would have to be nuts or *really* paranoid to not want Facebook to do this, but if they rose up in great numbers Facebook could always allow them to individually opt out. Because if someone takes the position that Facebook knows they've been compromised but should *not* tell them, I think they should be required to actively, deliberately select that option. And if they take the position that Facebook shouldn't scan for these credential dumps at all, they are naïve.

Kind regards,
-- T.Rob

T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB (8762) Voice/Text
+44 (0) 8714 089 546 Voice

From: Mary Hodder [mailto:
]

So what does this mean, ethically? Using hacked, stolen data, made public, to then check what you do, and send you a note (presumably to change your PW on FB to be more secure and unique.. but don't write it on a post-it note...)

It's very clever, the data is out there.. but what a way to tell people they are part of a larger hacking somewhere. If seeing yourself tracked, because you searched on a product in one browser over there, and a week later seeing FB display the ad while using another browser, shows people that something is going on with personal data, this has got to be even more shocking.. to the general public.

mary

"There's a reason you're not supposed to use the same password for all of your accounts—large-scale data breaches are all too common. But in case you still refuse to abide by logic and reason (and many of us do), Facebook now uses those stolen-passwords-made-public to tell you what an idiot you're being. And to keep you safe. Basically, Facebook is taking advantage of the fact that hackers will often post their stolen cache of data on sites like Pastebin for all the world to see. So whenever a hoard of usernames and passwords leak from other sites, Facebook goes in, swipes the stolen credentials, and checks it against its own user database. Should it find two sets that match, the user will find an alarming little notification upon his or her next login."
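The check both messages describe, matching a leaked email against the site's own users and then verifying the leaked password against the stored hash before deciding to notify, as an added example that is not code from either message or from Facebook. The user store, the PBKDF2 hashing scheme, and the dump text are all constructed here so it runs offline; a real service would read these from its authentication database and from the retrieved paste.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the constructed user store


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored form a site would compare against."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Build a (salt, hash) record for the constructed user database."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


# Constructed user database: email -> (salt, stored hash). Hypothetical accounts only.
USER_DB: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_user("hunter2"),      # reused the password that leaked
    "bob@example.com": make_user("correct-horse"),  # email is in the dump, password is not
    "carol@example.com": make_user("s3cret!"),      # not in the dump at all
}

# Constructed sample of a public credential dump (email:password per line),
# including the comment lines, case variation, junk and duplicates a real paste has.
LEAKED_DUMP = """\
# constructed sample dump, not real data
alice@example.com:hunter2
BOB@example.com:letmein
dave@example.com:password1
malformed line without separator
alice@example.com:hunter2
"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Extract unique (email, password) pairs; email is normalised to lower case."""
    entries: List[Tuple[str, str]] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        email = email.strip().lower()
        if not email or not password:
            continue
        pair = (email, password)
        if pair not in seen:
            seen.add(pair)
            entries.append(pair)
    return entries


def check_dump(text: str, user_db: Dict[str, Tuple[bytes, bytes]]) -> Tuple[List[str], List[str]]:
    """Return (email_only_hits, verified_hits).

    email_only_hits is what an address-match alert would fire on; verified_hits
    is the narrower set where the leaked password still opens the account here,
    which is the set worth notifying. The expensive hash is computed only for
    rows whose email is actually one of ours.
    """
    email_hits: List[str] = []
    verified: List[str] = []
    for email, password in parse_dump(text):
        record = user_db.get(email)
        if record is None:
            continue
        if email not in email_hits:
            email_hits.append(email)
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            if email not in verified:
                verified.append(email)
    return email_hits, verified


if __name__ == "__main__":
    hits, confirmed = check_dump(LEAKED_DUMP, USER_DB)
    print("email appears in dump:  ", hits)
    print("password still valid:   ", confirmed)
    for email in confirmed:
        print(f"notify {email}: force password reset on next login")
```

Running it shows the difference the first message draws: two of our addresses appear in the dump, but only one leaked password actually verifies, so only that user gets the alert. The lookup is keyed on email before any hashing, so the cost of the slow hash is paid once per matching row rather than once per line of the paste.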