#InfoSec (Facebook Bug Bounty): "intended functionality."
I posted a message on this Facebook Page (https://www.facebook.com/chsmass/posts/1103998039771672), which contained a link to a thread in a Closed Group (https://www.facebook.com/groups/chsma69/permalink/10156808331886564).
Facebook says that only current members can see what's posted in a Closed Group, so I assumed that any non-members who clicked that link would just see a description of the Group, along with a button allowing them to send a request to join the Group. But instead, FB displayed a Preview of the posting in the Group, which made me wonder if everybody could see that Preview.
I asked my wife, who's a non-member, to check, and she saw everything posted in the Group. I assumed that meant the entire FB community could see all the postings. So I immediately reported the breach ("Privacy of Closed Groups is compromised") to Facebook's Bug Bounty program:
https://www.facebook.com/whitehat
In the process of tracking down the bug, I discovered that my wife's role as an Analyst on the Page linked to the Group was causing the problem. But even according to FB's own chart (https://www.facebook.com/help/2003297226584040, column 2, row 5), her permissions in the Group should have been "None." After a few days of thinking this over, FB said that "None" really meant "Member" permissions, and that the bug I reported was "actually just intended functionality and therefore doesn't qualify for a bounty."
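The chart-versus-behaviour mismatch described above, modelled as an added example that is not Facebook's code: a toy permission resolver for a Closed Group linked to a Page, plus an audit that compares what a permissions chart documents against what the access check actually grants. The data model, every chart row except "Analyst = None", and all user, Page and Group names are assumptions constructed for the illustration.

```python
# Added example (not Facebook's code): a toy model of effective-permission
# resolution for a Closed Group linked to a Page, with an audit that compares
# the documented permission chart against what the access check grants.
# All names, roles and chart rows other than "Analyst -> None" are constructed.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class GroupPerm(IntEnum):
    NONE = 0     # cannot see posts in a Closed Group
    MEMBER = 1   # can read and post
    ADMIN = 2


@dataclass
class Page:
    name: str
    roles: Dict[str, str]  # user -> Page role name ("Admin", "Editor", "Analyst")


@dataclass
class Group:
    name: str
    closed: bool
    members: Set[str]
    admins: Set[str] = field(default_factory=set)
    linked_page: Optional[Page] = None


# Documented chart (constructed): what a Page role confers in a linked Group.
# The post reads the real chart as giving Analysts "None"; the other rows are
# assumptions for this toy model.
DOCUMENTED = {
    "Admin": GroupPerm.ADMIN,
    "Editor": GroupPerm.MEMBER,
    "Analyst": GroupPerm.NONE,
}


def documented_permission(user: str, group: Group) -> GroupPerm:
    """Permission the chart says the user should have in the Group."""
    if user in group.admins:
        return GroupPerm.ADMIN
    if user in group.members:
        return GroupPerm.MEMBER
    if group.linked_page and user in group.linked_page.roles:
        return DOCUMENTED[group.linked_page.roles[user]]
    return GroupPerm.NONE


def effective_permission(user: str, group: Group) -> GroupPerm:
    """Permission the (hypothetical) access check actually grants.

    Any role on the linked Page is treated as implicit membership, i.e. at
    least MEMBER: the "'None' really means 'Member'" behaviour the post
    describes. This is the line the audit below is meant to catch.
    """
    if user in group.admins:
        return GroupPerm.ADMIN
    if user in group.members:
        return GroupPerm.MEMBER
    if group.linked_page and user in group.linked_page.roles:
        return max(GroupPerm.MEMBER, DOCUMENTED[group.linked_page.roles[user]])
    return GroupPerm.NONE


def can_view_posts(user: str, group: Group) -> bool:
    """Closed Groups hide posts from anyone below MEMBER; open Groups do not."""
    return (not group.closed) or effective_permission(user, group) >= GroupPerm.MEMBER


def audit(group: Group, users: List[str]) -> List[Tuple[str, GroupPerm, GroupPerm]]:
    """Return (user, documented, effective) for every user where the two differ."""
    mismatches = []
    for user in users:
        doc, eff = documented_permission(user, group), effective_permission(user, group)
        if doc != eff:
            mismatches.append((user, doc, eff))
    return mismatches


# Constructed sample data: a reunion Page linked to a Closed reunion Group.
PAGE = Page("reunion-page", {"organizer": "Admin", "analyst": "Analyst"})
GROUP = Group("reunion-group", closed=True, members={"organizer", "classmate"},
              admins={"organizer"}, linked_page=PAGE)
USERS = ["organizer", "classmate", "analyst", "stranger"]

if __name__ == "__main__":
    for user, doc, eff in audit(GROUP, USERS):
        print(f"{user}: chart says {doc.name}, access check grants {eff.name}")
```

Running the audit over the constructed users flags only the Analyst: the chart says NONE, the access check grants MEMBER, and `can_view_posts` therefore lets a non-member read the Closed Group. A check of this shape, run against the documented permission matrix, is how a privacy regression of the kind the post describes gets caught before a user's spouse does.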
Update: Facebook gave the above bug report a score of -10 (Not Applicable):
https://www.facebook.com/notes/facebook-bug-bounty/an-inside-look-into-submission-scores/2005629766117906
My reply to FB: So "None" actually means "Member"... thanks for clearing that up. I really enjoyed the phrase "intended functionality," too!
Translation: "intended functionality" = "we rigged the game, so you lose." Or "it's a feature, not a bug." ;-)
#InfoSec (Facebook Bug Bounty): Gender confusion.
Let's face it, I don't belong anywhere near the Facebook Bug Bounty program:
https://www.facebook.com/whitehat/thanks
Why did I ever think I could run with The Big Dawgz? Those dudes (I haven't seen any gals on that list) are heavy-duty programmers. Hackers Extraordinaire. Compared to "real" security researchers, I'm just a lightweight. Those guys know and use tons of computer languages. They operate web tools that I haven't even dreamed about. They drink Red Bull, Club-Mate and Jolt Cola by the case.
If I have more than a half-can of Dr. Pepper, I get dizzy. And I've never gone on "a 36-hour coding tear":
https://www.imdb.com/title/tt1285016
After 20 minutes or so, I usually get distracted by something shiny on the Interwebs.
Background - I arrived at this point in my life almost by accident. My delusions of hacker grandeur were fueled by many years of dabbling in Computer/Internet Stuff. In between my non-cyber attempts to earn a living, I did these sorts of things, just to pass the time:
-In the 60s, I was kicked out of a Fortran programming class for intentionally submitting a deck of punch cards to the Michigan State computer center that contained an infinite DO-loop.
-In the 70s, I operated a room-sized IBM 370 mainframe for Bechtel in San Francisco and wrote a manual that documented the job. (Remember the 3336 disk pack that weighed 25 pounds and dislocated your shoulder whenever you tried to load it up? Remember the refrigerator-sized 3420 tape drive that kept the tape cued by sucking loops of it up and down inside two vacuum columns? If I took the right kind of smoke breaks, I could watch those hypnotic dancing loops for hours.)
-In the 80s, I created an IBM Displaywriter template library for the Sullivan & Cromwell law firm in Los Angeles. (Remember those 8.5-inch floppy diskette drives? If I took the right kind of smoke breaks, I could actually imagine they were toasters.)
-In the early 90s, I designed a WordPerfect macro productivity system for the Sheppard Mullin law firm in L.A. (When those macros worked only too well and earned me a few hundred extra dollars in incentive awards, the partners decided to get rid of some of us peons. So I took the buyout rather than face my co-workers' torch-and-pitchfork parade.)
-In the mid 90s, I created Screenwright(R), a screenplay formatter based on WordPerfect macros. (Corel offered to buy it, but the deal fell through when Michael Cowpland, Corel's head honcho, was accused of insider trading.) Later, I adapted Screenwright(R) into an OpenOffice template that won a $3,333 award from Sun Microsystems. (Sun became defunct when it was bought by Larry Ellison's Oracle, and OpenOffice forked into LibreOffice when Larry pissed everyone off.)
-In the late 90s, I met a Hungarian cutie-pie on the Internet and co-wrote a screenwriting book with her, via email and IRC. We later met IRL, got hitched and lived happily ever after.
-In the 00s, I designed and taught a Blogging 101 course for the University of California. (My pitch to get the gig went something like this: "I began manually programming an online journal in early 1996... before the term 'blog' was coined, and long before automatic blogging software was invented.")
-In the 10s (starting in the late 00s, actually), I wrote a book about becoming a social networking junkie, and later began reporting bugs to Facebook, for fun and profit.
Everybody knows that Facebook had, and still has, a lot of bugs. Beginning at the 2004 startup, Mark Zuckerberg's mantra was "Move fast and break things." Which meant that Users were forced to become Beta Testers. FB supposedly changed its motto in 2014, but the company still doesn't require any sort of quality control from its programmers. Zuck wants new tools and features on his platform, and he wants them now, but he doesn't really care how reliable they are.
Luckily, there are usually several ways to accomplish any given task on FB, so I got really good at designing workarounds. Every now and then, I'd try to report a malfunction through FB's Help Center (https://www.facebook.com/help/1126628984024935), or I'd post a question in the Help Community (https://www.facebook.com/help/community), but those reports and questions were almost completely ignored. Then I discovered the Facebook Bug Bounty program. Given the privacy sh*tstorm that FB faced last year, Zuck was finally forced into paying some lip service to privacy issues. Nice. For me, at least. The Facebook Bug Bounty report form (https://www.facebook.com/whitehat/report) now contains an option under Vulnerability Type to specify "Privacy/Authorization" with a subchoice of "Identification/Deanonymization." Right up my alley. There's also an "Other" option. Hm, I wondered. Is FB finally paying attention?
You see, my current day job (actually, night job, working the graveyard shift as an Editor/Writer for NBC News Radio) requires a laser-like focus, in order to catch errors and uncover discrepancies. In fact, news editors need to cultivate an obsessive/compulsive/anal attention to detail. Their continued employment depends on it.
So I can't avoid noticing sh*t. It's in my DNA. And on FB, I notice a LOT of sh*t. The first time I reported a privacy issue, I thought it affected many users. But as the bug hunting process unfolded, the issue slowly became smaller and smaller, until it almost disappeared by itself. Almost, but not quite. Any decent programmer would have fixed it.
But this next time, I decided to put FB's security engineers to the test. Would they (1) pay attention to a bug that affects so many users and is so obvious that anybody can see how stupid it is? Or would they (2) sweep it under a rug?
If you guessed #2, you win a whip or a doll, anything on the top shelf.
Facebook Bug Report - So, this was my report, in a nutshell: "Pages display the wrong gender." If you visit the About tab on my wife's Author Page (https://www.facebook.com/pg/bartosa/about), and scroll down to the Gender area (careful, keep your hands to yourself), you'll see that it's set to Female. Naturally. That means FB should use the pronouns "she" and "hers," rather than the Male form of "he" and "his," or the Neutral form of "they" and "their." But if you look at this posting (https://www.facebook.com/bartosa/posts/10157879325099358), FB uses "their." It's plastered all over my Pages. Your Pages, too. This bug has been around for years, and I've reported it at least twice. You might be tempted to think that FB's elite security engineers would be embarrassed that their company is making such a fool of itself. You might be tempted to think they'd delegate this egregious bug to the grunt bug-fixers, rather than saying, "Not my yob, mon." You might be tempted to think they'd thank me for taking the trouble to report it, yet another time.
If so, you'd be wrong.
FB said the above bug report "doesn't appear to be a security vulnerability" and gave it a score of -10 (Not Applicable):
https://www.facebook.com/notes/facebook-bug-bounty/an-inside-look-into-submission-scores/2005629766117906
How predictable.
#InfoSec (Facebook Bug Bounty): Anonymity on a Facebook Page? Think again, chucko.
Facebook has probably compromised your privacy. Again. Try clicking the "About" link at the top of your Timeline and scrolling down to your Notes section. If you can answer "yes" to the following four questions, it's likely that your identity as a Page Admin/Editor has been revealed to the entire Facebook community:
1) Do you have a Page Role that gives you posting privileges on a Facebook Page?
2) Did you ever post a Note on that Facebook Page?
3) Were you posting as the Page (not as yourself)?
4) Did you avoid clicking the "Add yourself as a team member" link on that Page?
Many Page Admins and Editors have an expectation of anonymity when they're working on a Page (authors who use pseudonyms, for example), so when they discover that Facebook has "outed" them, it will come as a nasty shock. Engineers in the Facebook Bug Bounty program (https://www.facebook.com/whitehat) have indicated to me that they are unwilling (or perhaps unable?) to address this issue, so the only fix (other than Hiding your entire Notes section) is to delete the offending Notes and re-post them.
Full disclosure: even though this bug is still "outing" people today, I can only verify that it was triggered by Notes posted before 2016. However, I suspect the malfunctioning code was still active through 2018.
Update: Facebook gave the above bug report a score of -10 (Not Applicable):
https://www.facebook.com/notes/facebook-bug-bounty/an-inside-look-into-submission-scores/2005629766117906
In other words, here's how the deal went down:
1. I reported a security bug.
2. FB said: "We can't reproduce it."
3. I sent them a screenshot for proof.
4. FB said: "We don't wanna fix it."
5. I said, under my breath: "Do your f*cking job."
6. They scored my bug report: -10 (Not Applicable).
7. I scored their response: -20 (Not Arrogant At All).
How To Organize A 50th High School Reunion.
I've recently helped four different high school classes with their 50th reunions, and some of my friends have asked for tips, so here's what I've learned:
First, you'll need a Point Person, and the PP needs a disposable email address - Gmail.com, Ymail.com, whatever.
Second, the PP needs helpers (a "reunion committee"), so s/he can delegate the scut work, and shift the blame, when things get screwed up. Because you know things are gonna get screwed up. ;-)
Third, the organizing effort for each of "my" four reunions (see above) started in a Facebook Group, but I have come to believe it's a mistake to rely solely on FB as a way to disseminate information. Only about 20 to 30 percent (at best) of your affinity group will use FB with any regularity. The rest either [1] don't trust FB, or [2] are disgusted with FB, or [3] are "taking a break" from FB. If you do go ahead and create a FB Event listing for your reunion, you'll be tempted to associate the Event with your FB Group, or create a Private Event. Resist this urge. Make it a Public Event. Don't force potential attendees to join your FB Group, or to become your FB Friend, just to get access to reunion info. Some of them may still hate your guts because of that thing you did in the high school gym many years ago. Don't pretend you don't know what I'm talking about. ;-)
Fourth, you can try posting a reunion announcement on Classmates.com, but only about 30 percent of your classmates will have an account there, and only about 10 percent of the ones who have accounts will respond to the announcement. (After you post the announcement, tell CM to send out a reminder email or update alert to everybody.) CM may not be a total waste of time, if they have a scanned copy of your yearbook, but that's becoming less and less likely as more yearbooks start appearing on the Internet Archive (MA digitization) and issuu.
Fifth, you'll eventually need a public website, because most people won't want to input usernames/passwords into FB or CM, just to get reunion details. Some of your classmates won't even own a home computer! So if someone in your class knows HTML and can put up a simple page, great. Otherwise, you might try Google Sites, Wix, Weebly, etc. The reunion website is where the majority of your classmates will get their info, but they will probably visit it only once or twice, so KISS: Keep It Simple, Stupid.
Sixth, nail down your venue. A hotel is good, because that will keep a lot of drunk people off the road.
Seventh, start updating your names/addresses database from the previous reunion. This site was very useful to us - FastPeopleSearch.com - but I'm sure other free people-locator sites will pop up from time to time.
Eighth, establish a timeline: [1] upload the public reunion website about 8 months in advance, [2] mail out Save The Date cards (w/website address) the next day (affix full letter rate postage so undeliverables will be returned, and you can learn which addresses are wrong), [3] mail out invitations (prices, times, order form, website, etc.) about 4 months in advance.
Ninth, don't be disappointed if only about 30 to 40 percent of your surviving classmates show up. And at the 50-year mark, about 15 percent will not have survived. It might be nice to set up a memorial to honor them.
That's about it. Have fun! And here are some examples: reunion website (2) and online memorials.
LATER: If You Get Talked Into Planning Your High School Reunion ~ Class Reunion Dos and Don'ts ~ 75th High School Reunion ~ Why High School Reunions Are Good For You, Really ~ Go To Your High School Reunion, Dammit ~ Reunion Nostalgia.
Suicide By Taillight.
Our relatively-new Mazda CX-5 has all sorts of standard-issue bells and whistles, most of which are designed to be VERY high-maintenance. Take the headlights, for example. The adaptive front lighting system (AFS) automatically adjusts the headlight beams to the left or right, depending on which way you turn the steering wheel. This means there are left-right adjusting motors on each headlight, just waiting to burn out. The auto-leveling headlight motors (up-down adjustments) are also secretly waiting to malfunction. You can turn off the AFS with a button, but you have to remember to push the d*mn button every f*cking time you start the car. I don't want twitchy headlights that dart around, left and right, up and down, like some nervous serial killer. I just want a set of basic headlights that make the road a little less dark.
I work at night, and one night, I noticed a motorcyclist following me, just a few feet behind the car. At first, I thought it was a cop, but then he pulled up beside me. My peripheral vision could see a leather-clad dude on a chopper. Three feet away from my driver's-side window. Was it road rage? I studiously avoided making eye contact, and my mind raced, trying to remember if I had cut him off. But then, I could see that he was smiling, and indicating that I should roll down my window. Was it a trick? Against my better judgment (it was 9:54pm, in a sh*tty part of town), I opened the window. A crack. He yelled, "Your taillights are off - you need to change the settings!" So I ruefully thanked him, then pulled into the parking lot at my workplace. Sure enough, he was right. The external lights have three settings, and each setting (even the default position) turns on the headlights when the car is moving. But the default position also leaves the taillights OFF.
WHAT THE F*CK?! What kind of madness is this?!! I had assumed, since the headlights were on, that the taillights were on, too. But noooooooooooooooo! Mazda has thoughtfully provided me with a carefully-designed set of Kamikaze Taillights®.
So this morning, I took a look at the owner's manual. The problem seemed to be connected to the Daylight Running Lights (DRL). In Europe, they require headlights to remain on, all the time. But DRL are optional here in the States, and the manual said that only a dealer could turn them off.
F*ck that sh*t. I emailed Mazda USA, and they sent a do-it-yourself Procedure (below) for disabling the DRL. However, trying to read the instructions was, for me, much like attempting to learn the Macarena. I can't dance at all, but I practiced by doing the Hokey Pokey, then patting my head and rubbing my tummy.
OK, deep breath, GO!
Procedure:
1. Apply the parking brake.
2. Set the ignition switch to the ON position (engine off).
3. Press and hold the brake pedal.
• Continue to press the pedal until the procedure is completed.
• The entire procedure must be completed within 23 seconds after pressing the brake pedal.
• Start Step 4 within 2 seconds after pressing the pedal.
4. Turn the headlight switch from OFF to the parking light position 5 times and end with the switch in the OFF position.
• DO NOT turn the switch all the way to the ON position.
• Step 4 must be completed within 5 seconds.
• Start Step 5 within 2 seconds.
5. Press the hazard warning switch 10 times within 5 seconds (on-off-on-off-on-off-on-off-on-off).
• Start Step 6 within 2 seconds.
6. Turn the headlight switch from OFF to the parking light position 5 times and end with the switch in the OFF position.
• DO NOT turn the switch all the way to the ON position.
• Step 6 must be completed within 5 seconds.
7. Confirm DRL setting is changed by releasing the parking brake.
• If DRL is activated: PARK BRAKE OFF = DRL ON; PARK BRAKE ON = DRL OFF.
Note: The setting will not change if the DRL procedure is not completed within the time limits noted in the above procedure.
So I carefully perform the above Procedure TEN F*CKING TIMES, with and without a stopwatch, but no dice. I then check the owner's manual again, which says I can ask any "Authorized Mazda Dealer" to turn off my daytime running lights. But when I take the car over to CardinaleWay Mazda Mesa, the dealership's service manager tells me it can't be done. I respond: "It says right here..." The manager confides in me that the owner's manual covers a lot of different model types, and that on my model, it simply can't be done. So I write to Mazda USA again, and they say the procedure is a bit difficult, but they'll send instructions to CardinaleWay Mazda Mesa. I think: "Sure, and replacing an oil filter is a bit difficult, if you haven't been f*cking trained on how to do it." Then Mazda USA sends me another email, saying the service manager at CardinaleWay Mazda Mesa refuses to perform the procedure. REFUSES?! ARE YOU KIDDING ME?!! AND YOU STILL LET HIM CLAIM TO BE AN AUTHORIZED MAZDA DEALER?!!!
Moral: I'm left with a car that lulls me into a feeling of security during my nighttime commutes, when the headlights turn on automatically. But unless I remember, every d*mn time, to also turn on the TAILLIGHTS, someone is very likely to come speeding up behind me and buttf*ck/ram into the a**-end of my non-taillighted car.
Consolation: As I drive down the freeway at night, I notice several other makes and models of new cars, driving without taillights. Are automakers really that stupid? This is a class-action lawsuit, just WAITING to happen. And I want a piece of that action. Remember, you heard it here first.
Update: My apologies. I think some of you may have mistaken this rant for a How-To article. It's not. It's a What-The-F*ck article. ;-)