Facebook Invites Hackers To Attack Its Network

An anonymous reader writes "Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadened the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network. Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stole information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there's a million-dollar bug, they will pay it out."

Grammar!

[ThunderBird89]

Holy hellbore, editors! At least read through the summary before letting it out onto the page teeming with grammatical errors. It reads like it was written by a grade schooler.

Re:

[ThunderBird89]

Well that escalated quickly...

"Troll" moderation? Oh please, if anything, this is "Offtopic", but certainly not trolling. The summary is badly written, a grammatical wreck, there's no denying that. There's no denying that there are editors, either. And there's also no denying that as editors, verifying the accuracy, correctness, sources, and presentation of the summaries posted is their responsibility in the end. In this case, they failed their job, and I'm right to call attention to that.

As for your ad hom

Re:

[bryonak]

Seems like you're being trolled by someone with mod points copy-pasting the same ad hominem stuff anonymously and downvoting reasonable replies. Don't worry, it'll correct itself.

Personally my French writing sucks and I'm thankful for people pointing out possible corrections - they help me improve. Reading a correct and nicely formulated writeup is simply more efficient than having to figure out what the author is trying to convey. It's the editors' job to pay attention to that, so yes, your kind is welco

Re:

[ThunderBird89]

Check the UIDs: bryonak registered long before I did, and for the record, I don't play dirty like trolls do: everything I do on this site is connected to this single account, be it a good or bad thing, and I responsibly take all replies and karma-deltas for what I do and say.

However, it's not hard to notice that the replies are all the same, word-for-word, and all are attacks directed against my person, not against my points. As such, they carry no weight, only noise.

Re:

[ThunderBird89]

Says the Anonymous Coward, who's even afraid to show his handle. You don't know anything about people's usage habits and accounts, or if you're a site admin who does, prove it. You can do that by, say, publishing my IP address. You should be able to access the logs if you're an admin and know exactly who are my "sock puppet" accounts. So go on, prove it to everyone that I'm a dirty, cheating, sock puppet-using troll. I'm waiting.
Of course I'll be waiting a long time: if you do have access to those logs, and

AC off his meds

[bmo]

Your meds. Take them. Now.

--
BMO

Re:

[bmo]

I was joking before. I'm not now.

Take your meds.

AC off his meds

[bmo]

I would taunt you, but taunting the mentally disabled is considered bad form.

--
BMO

Re:

[ThunderBird89]

If you're going to quote my words, please give full context (since you seem to be so much into context), and include the rest of that paragraph, in which I explain just why I commented what I commented.

Re:

[bryonak]

Note: never directly reply to someone you have positively identified as troll (aka feeding), especially if it's APK... there will be no reasonable discussion and he's wasting a shitload of time twisting words (everyone may spend their time as they see fit though).
I even will not be going to read all that text in reply to your posting, because I'm sure there isn't anything worthwhile in there.

The UID thing is trivial enough for everyone to see, assuming the average /.er still has a working intellect as they

Re:

[Anonymous Coward]

A PhD in English is certainly not required to ensure good communication. You've fallen victim to the Fallacy of Grey [lesswrong.com] - "not a professional in English teaching" is not the same thing as "unable to communicate well". Strive for perfection in everything you do, as Sir Henry Royce tells us.

Re:

[multisync]

Do you have a PhD in English? Are you a certified and licensed instructor in that language in written form with many years of professional experiencing teaching it?? I doubt it. Go away troll.

I don't have a PhD in English, but I don't need one to tell you "broadened" is the wrong tense. The second sentence should read, in part,

they made an unprecedented choice by broadening the scope of the bug bounty program

instead of the way it is currently written.

This has nothing to do with language "evolving" or gramm

Re:

[RicardoGCE]

Your kind is NOT wanted here.

The average Slashdot summary makes this very, very evident.

Re:

[RobertLTux]

a big problem with "its not a formal document so FOAD" is that not making the effort can transfer to YOUR CODE the folks that try to use more formal grammar are just not wanting to let that kind of language laziness pass.

Okay so we shouldn't be arguing between NYT and Yale commas but dumping a complete trainwreck of language in and then claiming Not Formal so I CAN HAZ EROARS is Bollocks.

(and yes i know that i was not perfect myself but i at least used the Builtin spellcheck and tried)

Re:

[zippthorne]

Would you rather be corrected by well-meaning grammar lawyers, or continue making and compounding mistakes until you're writing in a language that may be difficult to receive by the intended audience?

Consider what a failure to communicate may mean. In the case of the summary, a failure to receive the communication would be more detrimental to the reader than to the writer, but those roles can also be reversed when the author needs to be understood more than the recipient needs to understand. Also consider

Re:

[electrons_are_brave]

Once more so it "sinks in" (drink this in and digest it): If you can't gather the meaning of words within the framework of the context they're used in, you're the problem. Incidentally, the topic here is not english grammar you know! Writing style is pure opinion, like who's resume is better or worse. As long as the audience gets the message that is what is most important.

Yes, the audience getting the message is the most important thing. Yes, people can get the message despite spelling and grammar. And yes (although you didn't say it) pedantry about grammar is often just snobbery about education, thinly disguised.

But none of the above dissuades me from prefering to a well-written sentence.

Re:

[Teresita]

I'd say Facebook was doing a very good job annihilating itself with their $38 IPO now down 37% and the clunky Timeline UI. I'd be hard pressed to think of an external black-hat operation that could top those two self-inflicted wounds. Maybe porn site ad popups with loud audio of womenfolk enjoying themselves which you can't turn off, even when you are at Mass or in a very important interview. That might be a worthy hack.

Re:

[TFAFalcon]

Wasn't the IPO a good thing for facebook?

Just think about it. They managed to trick people into putting much more money into the company then what it was worth. That money is still in the company now, even if the stock price crashed.

There's a bug

[vawarayer]

Annoying Facebook Games.

I can log in with someone else's cookie.

[DerUberTroll]

Plain and simple.

Re:

[DerUberTroll]

It is true. Make several accounts and try it. You'll see. I don't take credit for this find. I was told this and I tried it.

Re:

[John Holmes]

Without providing credentials?

Re:

[cheater512]

One remotely feasible attack to get someone's cookie?

Easy to do on your own computer. Trickier on any larger scale.

cost vs risk = capitalism?

[SpzToid]

OK, so I'm the Facebook corp. and I run a cost vs. risk analysis and come up with the numbers and resulting decision we see here today. Clearly they have the money, and the relative risk plus technical infrastructure so they figure this works out for them.

OK, let's say I'm a Blackhat criminal hacker, poking around the Facebook network doing nasty stuff all the time, as best as I can, because this is what I do. And one day I get caught by Facebook or someone else along those lines. I am so busted. But wait, I can explain I was really a white hat all along, just trying to feed my family the best I can. Whatever happens next can't be too bad, and I'll live to fight another day. So then I figure capitalism rocks. Also maybe I'll see what Facebook offers when I really find a big hole worth exploiting.

Win, win, and so captilism = security?

There must be something I am not seeing here. Could such pure capitalism do something about all those evil Chinese and Russian and Ukranian hackers too? That which laws and police cannot really do very well at this time?

To look at this another way, the US/Israeli State Resources behind Flame and Stuxnet (etc.) seem to have been fairly successful doing harm.

Re:

[NettiWelho]

There must be something I am not seeing here. Could such pure capitalism do something about all those evil Chinese and Russian and Ukranian hackers too?

If the payout for playing for white hat team was guaranteed to be better, I could see a lot of those motivated by money to be swayed over.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Fairly cynical view...

[mspohr]

"Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stole information for much more. "
I really don't think that all hackers are greedy. While there are hackers who are willing to take the risks of selling hacks to criminals, there are probably many hackers who would be interested in exploring vulnerabilities for a modest legal reward.

Re:

[jones_supa]

And how many actually have contacts to sell that kind of stuff?

Re:

[Capt. Skinny]

Agreed. This won't cause black hats to have a change of heart, but it will bring more white hats to the table by giving them more of an incentive.

Makes sense

[JanneM]

Just count each successful attack as another active user. I guess every bit helps when your stock value is on the line.

DNS hack

[ralferix]

I tried going to Facebook today, didn't come up so decided to checkout Slashdod since I could see other sites, I find this story about Facebook inviting hackers on DefCON weekend. Well, seems my DNS doesn't resolve them, is this widespread? C:\Users\r>ping facebook.com Ping request could not find host facebook.com. Please check the name and try again.

Re:

[Anonymous Coward]

Can't you give me some information about the hosts file? You probably don't know about that, maybe a little too advanced for you.

Facebook needs a GOJF card "ap"

[RobertLTux]

I if i was going to try for the money then i would detail my efforts and then not give the info to FaceBook before i get issued a GOJF card (i would also have a Trusted Third Party monitor things so FB can't say "you used your hack to steal X from us beyond what was needed to prove the hack")

If FB won't play ball then the info goes up on "HackBay" on a 12 million dollar reserve

Cheap

[Patch86]

Although I can see the appeal of something like "bug bounties", I can't help but feel that it's basically testing on the cheap. As an IT professional, it feels a bit like devaluing a highly skilled career; or at best, making testers nothing but self-employed, pay-as-you-go workers rather than full employees or traditional contractors.

I mean, what Facebook are basically offering is "no win no fee" Penetration Testing. Rather than paying a team of certified, experienced Pen Testers to run a thorough and compr

Google deliberately crowd sources testing

[MCRocker]

Along with some interesting revelations, the interview of James Whittaker about his book, How Google Tests Software [conversationsnetwork.org], included some discussion about effective crowd sourcing of software. Part of his argument is that even the best test engineers are going to miss things that end users find easily, so one way to leverage this is to make it as easy as possible for end users to provide high quality bug reports. He also has a lot of interesting things to say about scaling the testing process.

PHP

[Bengie]

And here I thought someone was poking fun at FB using PHP. http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/ [veekun.com]

Virtually every feature in PHP is broken somehow. The language, the framework, the ecosystem, are all just bad. And I can’t even point out any single damning thing, because the damage is so systemic.

fun read

Am I missing something? Buy bugs from black-hats?

[VortexCortex]

If they care about paying the right price for the bugs, why not just buy the existing exploits from the black-hats? Hackers get paid what the bug is ACTUALLY worth (on the black market), you fix even more bugs, driving more folks to search for cracks, driving bug price down, everyone's happy?

I get that white hatters are beneficial, but I'd still be careful attaching my name to a "bug bounty". They can throw you in jail for white hat hacking at a whim -- It's still illegal by the retarding letter of th

"Challenge accepted"

[fph il quozientatore]

Let me guess... 24 hours later the workstation on Mark Zuckerberg's desk had its hostname changed to challengeaccepted.facebook.com?

Decriminalization

[El_Muerte_TDS]

Now it's legal to hack their network. Which is a nice move for white hats, but it also gives black hats permission to fuck around with people's private data.

Why not provide a copy of the facebook software with mock up data to which you give permission to hack.

Facebook IS the attack

[wealthychef]

I think it's ironic that a company whose CEO has repeatedly made it clear [cnet.com] from the start that user's data should not be kept private is claiming to improve security while they themselves have intentionally and willfully made users' private data public again and again by changing default settings and making it hard to change them back. Or has everyone already forgotten? I for one assume everything I post on Facebook is going to become completely public, including private messges. Have you ever read the pe

Re:

[elflord]

This is right on the money. FB's security model is poorly thought out, and the indifference of the CEO to privacy concerns probably has a lot to do with it. In generally, the ad-hoc revisions of their privacy settings (which have at times forced users to opt out of more permissive settings) are indicative of a poorly thought out security model. The kind of "attack" that is effective (and has been used against FB users) is the "viral app" -- basically, the typical facebook "app" requires that the app is ab

Re:

[ThatsMyNick]

I am not a mother. Would that affect the chances of me getting paid, sir?