Facebook crawls links in PDFs you send in Messenger(twitter.com) |
Facebook crawls links in PDFs you send in Messenger(twitter.com) |
It's apparently not my data and privacy and I have no say in it at all when someone uploads their goddamn contact list to these frickin' crooks. Is that your understanding too?
So This solution is not a solution. This solution only works if we stop other people from using it. How's that going to work? Well it isn't.
Cool? Now welcome to the "what regulation is appropriate" debate because this is clearly an example of market failure, same as national defence, same as national parks, same as pollution, same as any other. The sooner we treat "...using computers" exactly the same as any other industry the better. This is nuts.
Afaik that's actually the legal situation in the US due to the third-party doctrine [0]. It's one of the ways government mass surveillance has been "legalized" without having to comply with the Fourth Amendment.
No, not a complete solution, but it's a step in the right direction. One of the reasons advertisers as well as ordinary users come to FB is to be in contact with you -- to have your attention. Stop using FB and you take that away. FB ends up with less of an audience with which to entice others.
I quit several years after being on the platform for nearly a decade, which I mainly used to communicate with classmates.
Over time, I realized the platform was only good for pushing false information and giving a platform to people who shouldn't be sharing their thoughts. I also became more aware that I was a product, and it infuriated me to no end.
I'm glad to not be on it anymore. What a waste of time.
If we'd be talking really malicious stuff like chid pornography then in the context of filesharing these companies already have systems in place to distinguish content, so blanket banning of torrent files seems blatantly unnecessary.
This is the real strawman, as nobody on this entire thread is talking about illegal music. On the other hand, there's a strong and persistent thread of calls for tech platforms like Facebook to control "malicious or illegal" information being spread on their platforms: an obvious example is the NZ shooter's manifesto + video.
I’ve had Facebook block several links sent in private message groups, to completely legal and safe sites (Messenger prints out an obscure API error and refuses to send the content). They have done this for a long time.
I mean almost all of the time that PDF will be malware designed to trick the reader into clicking that link and it did the right thing.
If you search for a text string in Gmail, it will return emails that contain that text only in scanned images or PDFs that are in your mailbox.
The amount of time I've gotten those obviously spammy links form people I have never talked to in a decade plus.... cant be hard to red flag these.
You gotta assume they will reconstruct generations of your family tree if they can from your chat history.
Once a service starts blocking malicious links, the obvious next step is to conceal the link through some sort of indirection.
Would be interesting to see if Facebook has a maximum number of links it'll follow.
https://news.ycombinator.com/item?id=1
https://news.ycombinator.com/item?id=2
https://news.ycombinator.com/item?id=3
and so on, until 10,000,000? Perhaps Facebook starts opening every link using 10,000 parallel threads. Can you really replicate that from your connection at home? Perhaps even the sysadmin of your victim site has whitelisted all Facebook IP addresses so their crawlers get a free ride.
EDIT: Actually they already did, it's called Facebook Instant Articles.
I am not personally affiliated with them, but I believe they are South African.
I can totally understand scanning a PDF for links to look for malicious links to protect users.
But that wouldn't involve actual HTTP requests to them.
I'm struggling to imagine what purpose this could have.
1. Compress the file you want to send in an password protected zip. 2. change the extension of the Zip file (.zip) to text file (.txt). 3. Send the file trough Messenger.
I already did it to send MacOS application to a friend. To avoid size restriction, compress in several zip parts, rename the extentions to .txt and send.
File size can be as high as 50mb+.
https://support.signal.org/hc/en-us/articles/360022474332-Li...
The service being previewed doesn't know who you are because Signal acts as a proxy, Signal doesn't know what you previewed on that service because their client deliberately sends overlapping Range requests so that the preview size is rounded.
(And, I don't use Facebook, anyways.)
stop using facebook. and no, there is not a single reason for you to be there. trust me. how do you think we lived our lives before there was a facebook?
They can then have a single map of phone num -> links rendered between fb and whatsapp.
Give it a few second after pasting it and you'll get the preview, because it gets it from your device.
The only conclusion: it takes a little time for a file that's flagged - based on its language - to pass the scanners?
It might be, IDK, but if it’s all inside their system, how could you audit that?
They do this already in WhatsApp for instance.
It's what else might be going on with the link analysis that's worrisome.
Example, Facebook asking for phone numbers in the name of “security” when they don’t give a shit about security. They wanted to tie a phone number to the owner, and create a social graph based on their contact uploads.
One of the things that phishers and others do is use link wrapping and other services to hide malicious links. So, I get something.wordpress.com/something-clean. I then put in an HTML or JS redirect on that page to something malicious. Given that browsers don't warn about HTTP, HTML, or JS redirects, it's an easy way for scammers to get around a list of malicious pages.
These kinds of attacks are very common in the email space.
look-alike domains are phishing vector that don't require you to make an http request.
Or link support requests to people who received a certain link via message.
So basically data mining to feed a model that takes future actions in consideration.
Just in case you didn't follow any of the previous HN discussion of how that's done
consider the URL https://accounts.example.com/tmp/badmojo.exe
You (Facebook in this case) run a hypothetical method SafeSearch('accounts.example.com') and also SafeSearch('example.com') and SafeSearch('accounts.example.com/tmp') and SafeSearch('accounts.example.com/tmp/badmojo.exe')
SafeSearch(string) is defined as, you do SHA(string) and that's your hash, you compare the start of this hash to a huge list of prefixes that Google provides, which you fetch updates for every few minutes. If there's no match, fine, done. If there's a match you ask Google OK, I saw this Prefix you sent me, what hashes should I be scared of? Google gives you a list of hashes with that Prefix. If your hash in this new list, the original URL was scary, warn users not to visit, otherwise continue what you were doing.
I'm sure if they're pulling data to do this analysis, it's not the only analysis they're doing.
People might pay good money for that!
Thinking that you can make an HTTP request using this method and that that means you can unleash a DoS is... worth a try, but not something you can take for granted.
It's better than no encryption, but not what technical people usually mean by e2e encryption
I doubt Facebook only wants to detect old threats, reliant on a competitor's standards & practices.
This solution is not a solution. Definitely do it, and you'll really enjoy doing it too - life improves! Just don't think it's any kind of solution to any of the systemic problems that are being discussed because it isn't. Not even a partial solution. Not even a meaningful start of one.
If you need to expire links then make the initial link display a form with a submit button (which does a POST) to reveal the content (and expire the link). Legitimate crawlers don’t submit forms so it should be safe.
There is a non-price, non-market mechanism imposing a cost upon us. Just like if your neighbour at the restaurant lights up a cigarette and you hate that and it spoils your meal. You can't very well "give up smoking" to fix that. Just like any public good - eg national defence, it can't be done by a free market alone and so never is. Just like if a factory opens and pollutes a river killing all the fish, the fisherman can't stop transacting with the factory to get their livelihoods back. Just like any natural monopoly - eg piped drinking water supply and distribution to buildings in a city which is heavily regulated everywhere on earth, (often really badly, sure) because you can't change providers at will and you can't do a startup and get into that market. Proprety rights and enforcement - we don't do private courts and police as a rule and laws are not supposed to be for sale to the highest bidder.
Facebook have my data, they use it, without my consent and I have no way of taking my business elsewhere to remedy that. This is one of the many costs facebook impose on all of us. These are costs that not all of us feel we want to bare or feel there is a benefit from it. Us stopping using facebook does not fix that cost, we continue to incur it. That meets the textbook definition of "market failure".
Just by the by, this is not simply "my claim", this is the normal, definition of market failure in any economics textbook and regardless of political leaning. Whether you think that this market failure is an important one or not certainly can be debated. Eg it's market failure if I don't like the color my neigbor paints their front door - the response to which is usually "so what, get over it." You can, and facebook do, make that kind of argument here. Facebook PR will avoid "market failure" as it sounds somehow worse than a technical description of the situation to much of the public, as it does perhas to yourself. But there's not much doubt about it (at least as far as I'm aware), that it meets that usual, and well understood defininition among ecomomists.
But you can go to another restaurant that doesn't allow smoking. If enough people don't like having smokers around that those restaurants goes out of business, then eventually you will see a shift in the market of available restaurants with non-smoking sections.
Or is my news old and that's no longer the case?
When a secret chat is created, the participating devices exchange encryption keys using the so-called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has — if the two images are the same, you can be sure that the secret chat is secure, and no man-in-the-middle attack can succeed.
Newer versions of Telegram apps will show a larger picture along with a textual representation of the key (this is not the key itself, of course!) when both participants are using an updated app.
Always compare visualizations using a channel that is known to be secure — it's safest if you do this in person, in an offline meeting with the conversation partner. Q: Why not just make all chats ‘secret’?
All Telegram messages are always securely encrypted. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud (more here). This enables your cloud messages to be both secure and immediately accessible from any of your devices – even if you lose your device altogether.
The problem of restoring access to your chat history on a newly connected device (e.g. when you lose your phone) does not have an elegant solution in the end-to-end encryption paradigm. At the same time, reliable backups are an essential feature for any mass-market messenger. To solve this problem, some applications (like Whatsapp and Viber) allow decryptable backups that put their users' privacy at risk – even if they do not enable backups themselves. Other apps ignore the need for backups altogether and fade into oblivion before ever reaching a million users.
We opted for a third approach by offering two distinct types of chats. Telegram disables default system backups and provides all users with an integrated security-focused backup solution in the form of Cloud Chats. Meanwhile, the separate entity of Secret Chats gives you full control over the data you do not want to be stored.
This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents, so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries. We are convinced that the separation of conversations into Cloud and Secret chats represents the most secure solution currently possible for a massively popular messaging application.
https://telegram.org/faq#q-what-is-this-encryption-key-thing
Every other telegram feature has no security.
If (E2E_ENABLED) {
SkipCrawler();
SkipContentChecks();
}