Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency(wired.com)
wired.com
Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency
https://www.wired.com/story/facebook-mandatory-malware-scan
36 comments
This is a new low. They have no shame.
I didn't realize Facebook did this. I feel like the spirit of the idea is from a good place, though, even its the implementation and messaging have flaws. The article has a bit of a "it's evil" slant that I'm not entirely sure I agree with.
That said, I'm on Linux, so it would be pretty tricky for me to fix this issue if it happened to me.
That said, I'm on Linux, so it would be pretty tricky for me to fix this issue if it happened to me.
The one part that struck me as genuinely evil is refusing to offer a guarantee about the data use.
I realize internet companies all always hate offering info about data use, much less binding agreements. But "let us and a third party touch and modify every single byte on your machine to use our product" is a gigantic ask, and deserves at least some good-faith effort to keep the results walled off from everything except security initiatives.
Beyond that, the intent seems fine. I still think it's hubris, though - Facebook is ostensibly just a website, and attempting to remotely diagnose and treat malware is something they ought to acknowledge they're not going to do well.
I realize internet companies all always hate offering info about data use, much less binding agreements. But "let us and a third party touch and modify every single byte on your machine to use our product" is a gigantic ask, and deserves at least some good-faith effort to keep the results walled off from everything except security initiatives.
Beyond that, the intent seems fine. I still think it's hubris, though - Facebook is ostensibly just a website, and attempting to remotely diagnose and treat malware is something they ought to acknowledge they're not going to do well.
Well that's easy: They guarantee they will store and use all the data forever, and they guarantee they will lie to both you and the authorities about what they have used it for and whether it has been deleted.
Ok, fair point. A data-use guarantee would only reassure me if I didn't expect outright lying, and that's more faith than I have at the moment.
I guess it's russian roulette for how long till I permanently quit Facebook then.
Personally quite shocked that anyone in this community would endorse FBs behaviour in general by being users.
A closed version of the internet controlled by a corporation? We should be yelling from the rooftops not nitpicking things like this story
A closed version of the internet controlled by a corporation? We should be yelling from the rooftops not nitpicking things like this story
I keep it for family. It does allow me to connect with relatives I otherwise wouldn't hear from. However, I've deleted my Facebook before (for over a year even), and I'm waiting for a good time to wipe mine officially. I'll lose touch with a lot of relatives is the downside. Facebook makes it almost effortless to communicate with family.
If you're waiting for a sign, here's one:
just get it overwith, you'll be better off.
just get it overwith, you'll be better off.
I think the Russians already won ;)
1. create (or download) a fresh windows VM
2. run the malware scan
3. everything shows up as clean
4. ???
not defending facebook or anything, but that seems relatively easy to bypass.
2. run the malware scan
3. everything shows up as clean
4. ???
not defending facebook or anything, but that seems relatively easy to bypass.
To the common person, what you have outlined is rocket science. You have to remember that most people are not as advanced in computers as you are. What Facebook is doing here is wrong. They are actively indexing files on people's machines and sending that data back to Facebook and their partners. This is a gross invasion of privacy.
Another reason not to use Facebook.
Another reason not to use Facebook.
Yeah, totally. I’ll just tell my grandma who uses Facebook to look at family pictures that she just needs to spin up a new VM if she gets locked out.
You will be the one spinning VMs to unlock facebook for your whole family.
Is it? Since Facebook knows which browser you used to login, it would be reasonable to expect one scan for each computer you sign in.
I guess you could copy the entire browser profile so it thinks it's the same machine, but that's even harder for your regular user.
"Yes, father. VirtualBox.org... Yes, .org, not .com... Without spaces, yes... Remind me, do you have Windows 32bit or 64bit?"
I guess you could copy the entire browser profile so it thinks it's the same machine, but that's even harder for your regular user.
"Yes, father. VirtualBox.org... Yes, .org, not .com... Without spaces, yes... Remind me, do you have Windows 32bit or 64bit?"
As far as I could tell from the article, FB pops up this block each time it detects signs of an account being opened on a compromised device.
So this would probably work, but if you go back to your main machine then whatever config was mistaken for malware will trip the alert again.
So this would probably work, but if you go back to your main machine then whatever config was mistaken for malware will trip the alert again.
>but if you go back to your main machine then whatever config was mistaken for malware will trip the alert again.
it should be pretty easy for you to match your host machine's browser config on the VM, so unless the scanner drops some sort of plugin/addon to signal the whitelisting, it should at least whitelist you for a while.
it should be pretty easy for you to match your host machine's browser config on the VM, so unless the scanner drops some sort of plugin/addon to signal the whitelisting, it should at least whitelist you for a while.
Run the antivirus in a qubes os disposable vm
I lack context. Can some Facebook user describe what this is about for non-facebook users?
The article fully explains it; using Facebook doesn't really provide any additional insight. Facebook has decided to lock people out of accounts if their undisclosed mechanisms of detecting a potentially compromised client machine is tripped, and will continue to lock them out until they run a Facebook supplied (but apparently sourced from one or more of a shifting set of partners) malware scanning application is installed on the users machine and run, with all the intrusive level of access that antivirus type of applications tend to have.
Training users to download and run dodgy antiviruses when some website says you're infected.
What could possibly go wrong.
I saw the screenshot of the FB anti-malware message being tweeted about and thought for sure it was a malware/phishing scam, so I was surprised to read that it is an official FB feature (admittedly I haven't been using FB much lately).
That the feature couldn't detect the user's OS (had her download a Windows binary even though she was on a Mac) doesn't lend much confidence though
That the feature couldn't detect the user's OS (had her download a Windows binary even though she was on a Mac) doesn't lend much confidence though
I thought the same thing. That's really bad. It's going to train users to be more susceptible to phishing attacks. I can't tell my grandmother that any site that tells her to install software is a scam, because Facebook just made this a legitimate user workflow
What's the best way to leave facebook while still retaining access to their advertising tools?
I have no desire to personally be on FB anymore, but I would like to maintain the pages + ads for business purposes.
I have no desire to personally be on FB anymore, but I would like to maintain the pages + ads for business purposes.
There's no other practical means, other than to create a separate account. Facebook in theory will kill your account if somehow it came to their attention that you operate a non-personal account for that purpose. If you kill off your personal account, set up a new account and link it fresh from day one to new advertising & pages, are they likely to ever know? Coin toss. It'll be suspicious to their systems that you don't have any friends, so it might get flagged as a fake account or similar at some point.
The first time I get a Facebook demand to scan my computer, while locking me out of the account, is the last time I use my Facebook account.
The first time I get a Facebook demand to scan my computer, while locking me out of the account, is the last time I use my Facebook account.
I have an account with no friends and that is an admin of one page, which I buy ads for. It’s not my real name, but obviously has my real CC info in there.
Interestingly, a friend showed me his contact list entry for me (I believe created through a 3rd party OSX app), and in the Facebook field it had the name used on the admin/ads account I have. Given I don’t use my real email address on the Facebook account I am amazed (but not particularly surprised) that the connection was made.
Interestingly, a friend showed me his contact list entry for me (I believe created through a 3rd party OSX app), and in the Facebook field it had the name used on the admin/ads account I have. Given I don’t use my real email address on the Facebook account I am amazed (but not particularly surprised) that the connection was made.
Might have tied it via your phone number.
Have you seen their VPN yet? Offers you "more secure facebook" while facebook tracks every site you visit instead of just facebook.
I figured this would be satire.
It's not satire. https://techcrunch.com/2018/02/12/facebook-starts-pushing-it...
Along the same lines, FTA: "An antivirus product can collect a lot of useful information from the user machine—telemetry data; beyond what Facebook gets through their website—and share it with Facebook. Facebook should make their agreements with antivirus partners public."
"Facebook's Mandatory Anti-Malware Scan" is something I expected to read only by 2026 or so, as the company, falling to hard times, would resort to dotcom bubble-era techniques.
How could Facebook detect an infected machine?
> A Facebook spokesperson said Charity may have been asked to download the wrong software because some malware can spoof what kind of computer a person is running
Just changed the user agent?
> A Facebook spokesperson said Charity may have been asked to download the wrong software because some malware can spoof what kind of computer a person is running
Just changed the user agent?
Maybe detect browser extensions that malware might drop? Other than that, no idea.
That scan is a .exe file, so it won't run on Linux. When I try to log in using Chrome on Linux, they ask me to run it; I can't, so I can't log in.
Happily, so far, they don't ask from Firefox.
Happily, so far, they don't ask from Firefox.