Sparc Flow – what a read …

As some of my readers may know, I have a certificate in ISO/IEC 27001 internal auditing. (Not that there are many customers interested in this … security in Germany is still a wasteland.) The ISO/IEC 27001 standard defines a systematic, process-oriented approach to security. At its core it demands, among other things, defined processes for a thorough periodic risk analysis from which appropriate security measures are derived. Control, audit and continuous improvement processes must be included in the process landscape, up to the highest company level. So far so good. Of course, technical measures have to be taken into account, but the whole "control" catalog of Annex A is written in a very general way and has to be broken down into the specific requirements of a company.

Despite working in process consulting, I carry around a technical mindset from my time in physics and numerical math. So, in a way, I like looking at the technical basics in a security context, though I would not call myself a real technical expert on "hacking". Still, I have a profound interest in pen-testing tools. In my opinion every type of security auditor should have a reasonable amount of knowledge about technical risks, pen-testing and possible attack vectors. However, after working a while with common scanning and attack tools in isolated pen-test environments (with the legal consent of the owners) one gets a strange feeling:

When you judge the effectiveness of security measures and test them with standard analysis tools: don't you miss the creativity of real hackers? Are the "real" threats covered by pen-testing tools like vulnerability scanners and the Metasploit stuff at all?

Another critical point is the threat level assigned by tools like Nessus or OpenVAS to detected system vulnerabilities: if you concentrate only on the most "severe", highest-scoring alerts, you almost always miss some "low" findings and underlying threats which, alone or in combination, can be used for a systematic privilege escalation. You can already find out that there is some truth in this statement on Metasploitable training machines.
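To make the last point concrete, here is a small triage helper of my own (an added example, not code from any scanner or from the books discussed). It reads a scanner export, tags each finding with a coarse attacker-relevant category, and then looks per host for complete escalation chains instead of sorting purely by severity. The CSV lines, host addresses, finding names, keyword rules and chain definitions are all constructed assumptions for the example; a real deployment would key on plugin IDs rather than on keywords in finding names.

```python
"""Triage scanner findings by attack chain instead of by severity alone."""
import csv
import io
from collections import defaultdict

# Constructed sample export in a simplified Nessus/OpenVAS-like CSV shape.
# Hosts, ports and finding names are invented for this example.
SAMPLE_CSV = """Host,Port,Risk,Name
10.0.0.5,445,High,Remote code execution in file service
10.0.0.7,22,Low,SSH version banner disclosure
10.0.0.7,22,Medium,Default credentials accepted
10.0.0.7,0,Low,World-writable cron script
10.0.0.9,80,Low,Web server version disclosure
10.0.0.9,80,Info,HTTP methods enumerated
"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Keyword rules mapping a finding name to a coarse category. Assumed for the
# example; first matching rule wins, so order from specific to generic.
CATEGORY_RULES = [
    ("remote code execution", "rce"),
    ("default credentials", "weak-credentials"),
    ("weak password", "weak-credentials"),
    ("disclosure", "info-disclosure"),
    ("enumerated", "info-disclosure"),
    ("world-writable", "local-privesc"),
    ("cron", "local-privesc"),
]

# Escalation chains: sets of categories which, present together on one host,
# give a path from network access to root/SYSTEM. Illustrative assumptions.
ESCALATION_CHAINS = {
    "recon -> weak creds -> local privesc": {"info-disclosure", "weak-credentials", "local-privesc"},
    "weak creds -> local privesc": {"weak-credentials", "local-privesc"},
    "direct rce": {"rce"},
}


def categorize(name):
    """Map a finding name to a category via CATEGORY_RULES (first match wins)."""
    lowered = name.lower()
    for keyword, category in CATEGORY_RULES:
        if keyword in lowered:
            return category
    return "uncategorized"


def parse_findings(csv_text):
    """Parse the CSV export into dicts with a normalized severity and category."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "host": row["Host"],
            "port": int(row["Port"]),
            "severity": row["Risk"].lower(),
            "name": row["Name"],
            "category": categorize(row["Name"]),
        })
    return findings


def triage_by_severity(findings, minimum="high"):
    """The naive view: only findings at or above the severity threshold."""
    min_rank = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= min_rank]


def find_chains(findings, chains=ESCALATION_CHAINS):
    """Per host, list every chain whose categories are all present on that host.

    Returns {host: [chain names]}, longest chains first.
    """
    categories_by_host = defaultdict(set)
    for f in findings:
        categories_by_host[f["host"]].add(f["category"])
    hits = {}
    for host, present in sorted(categories_by_host.items()):
        matched = [name for name, needed in chains.items() if needed <= present]
        if matched:
            hits[host] = sorted(matched, key=lambda n: (-len(chains[n]), n))
    return hits


def hosts_missed_by_severity_triage(findings, minimum="high"):
    """Hosts with a complete chain but without any finding >= minimum severity."""
    loud_hosts = {f["host"] for f in triage_by_severity(findings, minimum)}
    return sorted(h for h in find_chains(findings) if h not in loud_hosts)


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_CSV)
    print("severity-only view:", [(f["host"], f["name"]) for f in triage_by_severity(parsed)])
    print("chains per host:", find_chains(parsed))
    print("missed by severity triage:", hosts_missed_by_severity_triage(parsed))
```

On the constructed data the severity-only view lists only the host with the "High" finding, while the chain view additionally flags the host that has nothing above "Medium" but a complete path from banner disclosure over default credentials to a local privilege escalation, which is exactly the kind of host a high-only filter hides.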

So, one of the questions nagging in a corner of my mind from time to time was: is there some literature that gives you a broader insight into the way a hacker thinks and acts? Yesterday, I started reading a series of books by an author calling himself "Sparc Flow".

My preliminary "verdict", as a non-hacker but a defense- and security-oriented person, after 2 of the 7 books is:

Very interesting reading, though (so far) based on somewhat "constructed" scenarios. Creative, varied use and combination of attack methods on different types of machines … I learned quite a bit about some Windows weaknesses and privilege escalation. But Linux also gets its share of hacks and related comments. It is almost provocative that the first book describes compromising a Linux machine in a DMZ rather early (because, as the author explains in a footnote, "otherwise it would be too simple if we directly landed on Windows from the start").

More important, however: although it is written in a very attack-oriented way, it gave me a hell of a lot to think about regarding countermeasures. Which I probably have a better grasp of for Linux machines. But there are some Windows systems in our networks, too.

I would very much like to see a kind of summary table by this author at the end of each of his books: a systematic collection of the weaknesses and vulnerabilities exploited, and his ideas on reasonable countermeasures on the admins' side.

Anyway – the reading was “enjoyable” and a bit frightening at the same time. It triggers some serious thinking. I recommend the book series of Sparc Flow to all “admins” and to all “sec staff” members who want to learn more about a hacker’s mindset and its flexibility.

Leaving Facebook … – I

At the beginning of this year I got advice from several people to become a customer of Facebook. I thought this could be interesting: what would it feel like? Especially as I am biased against data collectors … And I knew the EU's GDPR (DSGVO in Germany) would come into force soon … It would be interesting to see how FB reacted …

My wife, a Norwegian citizen, is very active on Facebook and Instagram. One reason is that she is, of course, interested in current developments in her home country. My grandchildren are on Instagram. Some friends are on Facebook, mostly as private persons. So there are obviously some points in favor of FB, at least for other people. Among other things: FB offers "free" communication services. And it offers information spreading on fast time scales. Yeah, well known … A fundamental question, however, is: information spreading to whom?

As some people may have noticed: I left Facebook two days ago, for good. As I have no other platform yet, I want to explain my decision here.

Personal Experience – a summary

I have now tried and used FB for 4 months. My personal opinions and conclusions are:

  • FB comprises a totally unproductive bubble world on a headline level.
  • It costs you a lot of time and drags down the productivity of whole societies.
  • Instagram appears to make children and teens addicted. A whole generation is literally wasting its youth with FB products.
  • In a way Facebook undermines the business of serious news agencies.
  • It is manipulative and provokes you to publish opinions – without any filter.
  • It is definitely a machinery aggregating detailed profile information on individuals across large parts of the world's population.

So, FB, for me is at least as bad as expected – if not worse. But last things first.

The new terms and regulations as part of FB’s reaction to the EU GDPR

At least since the EU's GDPR (https://www.eugdpr.org/), FB has become relatively clear about what information it gathers on you, by providing you, at least in principle, with information on its new terms and rules. Which you must accept if you want to continue using FB services.

They are, however, not so clear about how they earn money with their services, and about who really gets your data. That should make you suspicious. Despite all efforts to create a certain impression: FB is NOT a welfare company. So take your time and read the new terms very carefully … No, it's no fun; printed, it's a lot of pages in tiny letters …

While you read, keep in mind that FB has already moved 1.5 to 1.8 billion user records of non-EU customers to the US, where the handling of this information is not regulated as it soon will be in the EU.

“Data Policy” information – how to find it
So how do you, as an EU citizen, find the information on how FB uses data about you:

To see the full extent, you have to go to your account page, down on the left side, to the link "impressum/terms/NetzDG". Then you get a page with the old rules, but at the top there is a warning about imminent changes and a link to the new rules. Click there, navigate a bit, and yes, there is a link to a printable version on the left side. Print the whole thing: at least 7 pages in quite a tiny font. Read … and get reminded of the Windows 10 user conditions.

My short summary is (and please correct me if you find something that you think cannot be interpreted the way I see it):

What data, where from?
FB gathers all the information on you it can get, from all types of sources, including other persons and services besides FB's own applications.
About what you do, where and when you do it, and, not surprisingly for data analysts, how you do it (when you interact with their pages: e.g. mouse or finger movements, scrolling analysis, …).

They collect detailed information about all the devices you use and, as far as possible, also about processes running there and about configuration settings. They collect data that identify these devices and their settings uniquely, and which thereby also identify you as a person, your location and parts of your behavior, plus your relation to your Internet providers. They use face recognition techniques if allowed on your device or if you accepted conditions to do so while using a FB product. FB clearly says that it combines all this gathered information across all of their products you may use (FB, Instagram, WhatsApp, Oculus, …), not excluding other secondary sources and resources, such as "partners" on whose websites you may have been.

Partners
And because FB is such a welfare-oriented company it also does the following; I quote:

“We use the information (including your activities off our Products, such as websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps and services.”

Please note the "off" (two f's!) in the first sentence. And the remarkable word "partners". Hmm, there are "partners" and there are "third-party partners", as we soon learn. Notably, FB does not mention any money here. And of course not where FB and its "partners" pay tax on all this "help".

Yeah, … And of course your data may be used in projects and research in the context of "general social welfare, technological advancement, public interest, health and well-being". Unfortunately, you have to assume that FB itself defines the meaning and boundaries of all these nice words … especially "public interest". These expressions are not explained and are left open. What arrogance!

Then we learn throughout paragraph III that YOU as a user should think carefully about whom you share information with, because you may lose control over your data. Oooops … in the end data protection is still my own responsibility, and shit happens, as we all know ….

Third-party partners
And then (2 pages later) comes a very nice and very fine distinction:
the "third-party partners". And, in this context, we almost cannot believe it:

“We don’t sell any of your information to anyone, and we never will. We also impose strict restrictions on how our partners can use and disclose the data we provide. Here are the types of third parties we share information with …”.

You can almost see the lawyer who wrote this. From the context it becomes clear that this is only about "third-party partners", and maybe not a general statement about other types of (direct) "partners". Otherwise FB would have to explain where all the billions come from every year … I would say an unexplained business is a kind of dubious business.

Another pretty creepy part in this paragraph is the following – see the lines under “Measurement partners”: “We share information about you with companies that aggregate it to provide analytics and measurement reports to our partners.”

Wow … Read it again and again … It is not (!) Facebook that aggregates, it is some other companies! Meaning these other companies first get personal data about you, which they then (!) aggregate and provide to FB's partners. You see the funny lawyer again, whom I mentioned above. I hope the EU data protection authorities have a very close look at this type of information provided by FB.

And then again the welfare attitude:
"We also provide data and content to research partners and academics to conduct research that advances scholarship and innovation that support our business or mission, and enhances discovery and innovation on topics of general social welfare, technological advancement, public interest, health and well-being."

Didn’t you always want to become a subject for some special analysis? Hey, you can get famous – somewhere in some data lab …

Cooperation with law enforcement
Also pretty nice are some passages about sharing data with law enforcement institutions: here we learn that the exchange of data is based on a "good-faith belief" on FB's side. You don't believe it? Read paragraph VIII of the whole mess yourself. And good luck if you happen to be, e.g., Russian or Chinese …

Addendum, 04/28/2018: What is not written in the new Data Policy

As with any other business, it is also interesting what is not written down explicitly, in this case in FB's "Data Policy" document.

E.g., you get no information on who the "partners" are, or on what makes a "partner" a partner of FB. Also, the definition of a "third-party partner" is pretty unclear. So in the end you do not know where your data end up, or which employees of partners and third-party partners get access to them, and under which conditions.

The other remarkable thing is: it is not written where FB stores your data or what they do to protect it, technically and otherwise. From newspaper articles you may assume that your data should be located on servers within the EU, especially in Ireland. But you have no guarantee of this.

You can nail the whole mess down with some simple questions: how can you, as an EU citizen, be sure that there is, e.g., no copy of all your collected data on a Russian FB server, and/or that there is no Russian "partner" or "third-party partner" who is allowed to get your personal data for "aggregation" and "research" in the "public interest" of Russia? My copy of the present FB "Data Policy" does not seem to exclude such a scenario, if I assume that there are some Russian partners of FB. Are there? I would like to know … Of course, I have learned that the data would not be "sold" to third-party partners or authorities … but maybe just given, in "good-faith belief" …

A last remarkable thing is that you do not find a single description of the kinds and functionality of the AI and deep learning algorithms that FB, its aggregating partners or its third-party partners use. So, besides not knowing where your data end up, you also do not learn in which way and for which particular purposes your data are analyzed.

Conclusion

Facebook is and remains creepy. Its information on what customer data it gathers and what it in general does with them is partly quite open and partly very obscure and evasive, in my opinion. Some paragraphs in the "Data Policy" open up a legal void, with much room for interpretation.

Taking it all together, I see a fundamental lack of understanding at FB of what data privacy really means and of how it should be described for customers. But there is one thing I must admit: FB warns you, in a way, that you should be careful about what you share on Facebook.

You should take this warning seriously. And read a comment by the well-known security expert and researcher Bruce Schneier on the whole information-gathering industry around FB and others; his comment was published on CNN:

Bruce Schneier on Facebook and CA

Read also about the EU GDPR and its intentions:
https://www.eugdpr.org/


See also:

https://www.heise.de/newsticker/meldung/Wegen-der-DSGVO-Facebook-verschiebt-Daten-von-1-5-Milliarden-Nutzern-aus-Irland-4027584.html
https://www.reuters.com/article/us-facebook-privacy-ireland/eus-top-court-asked-to-probe-facebook-u-s-data-transfers-idUSKBN1HJ1D5
https://www.zdnet.de/88331745/dsgvo-facebook-verschiebt-15-milliarden-nutzerkonten-in-die-usa/
https://www.newsslash.com/n/12074-dsgvo-facebook-verschiebt-nutzerdaten-zum-schutz-von-nicht-europaeern
https://www.zeit.de/wirtschaft/2018-03/plattformkapitalismus-internetplattformen-regulierung-facebook-cambridge-analytica