
How did Facebook intercept their competitor's encrypted mobile app traffic?

ARandomerDude
35 replies
16h10m

If you or I did this, we would already be in jail for phishing plus whatever add-on charges the Feds could file.

Meta has Washington in their pocket so this will never leave civil court. The penalty will be less than the money made, meaning somebody gets a bonus for being creative.

dylan604
14 replies
15h53m

seriously, how does this not violate wire tapping laws? does agreeing to ToS mean you also agree to being spied on in a way that protects them? you are deliberately circumventing encryption for malicious purposes. if people got in trouble for DeCSS for circumventing encryption, how is this okay?

pithy "because they have all the monies" replies not wanted.

hypeatei
5 replies
15h39m

Big tech and telecommunications companies are effectively miniature arms of the U.S. government at this point.

As seen by the "Protect America Act" of 2007[0], the government will retroactively cover their own ass and your companies' ass if deemed important enough to the intelligence apparatus. There isn't a chance in hell that Meta would be brought up on criminal charges for wiretapping.

0: https://en.wikipedia.org/wiki/Protect_America_Act_of_2007

dylan604
1 replies
15h9m

Which is clearly a red flag operation so that whenever someone serious tries to tout this, they'll be rebuffed as it's an article in the Onion. Those clever bastards!

talldayo
0 replies
14h35m

That, or scathing satire has been a mainstay at The Onion longer than political consternation.

giancarlostoro
1 replies
14h3m

I'm assuming they were doing it for the federal government at this point. There's no reason for them to spy on another app, they can hire almost any developer they want.

dylan604
0 replies
13h33m

Hiring another dev does not give them access to the raw numbers. It's not the same thing at all.

wannacboatmovie
2 replies
14h36m

What is described in the article is not some elaborate scheme or novel work of software engineering. Rather, it's exactly what 99% of corporate networks do (proxy server with SSL inspection using a custom root certificate) "to combat cyber threats".

As coincidence would have it, this is the perfect alibi provided by a snake oil "cybersecurity" app by one of the world's largest companies.

Every tech company that has promulgated the lie that a VPN operated by a third party provides added security is indirectly responsible for this. Funneling all your traffic through a shady intermediary does no such thing, and in fact often does the opposite.

tjoff
0 replies
13h37m

Doesn't change anything, consent and whether you own the device is everything.

The comparison with VPNs doesn't hold either, because for all their faults VPNs do not decrypt traffic going through them.

620gelato
0 replies
13h20m

99% of corporate networks? That can't be true.

I do know that this is done - in fact I worked at a pretty major smartphone manufacturer and never logged in to any personal account on work devices. It was pretty obvious by even just looking at the security info on chrome/firefox that the certificate used was a root signed by the company itself. I used to shout at the top of my lungs to my friends, that hey, _this_ is how your information is vulnerable to the corporate overlords, but I guess they weren't as paranoid as I.

The first thing I checked when moving to my next employer was if they were intercepting SSL traffic like this. (They weren't - they used Falcon)
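A defender-side check for the interception the two comments above describe (a proxy re-signing every site with a company-owned root, visible as an unexpected issuer in the browser's certificate info), as an added example that is not code from the thread; the `EXPECTED_ISSUERS` baseline, the sample certificates and the issuer names are constructed assumptions:

```python
"""Detect TLS interception of the kind described in the thread: a proxy that
re-signs every site's certificate with a private root installed on the
client, so the issuer the client sees differs from the public CA that
really issued the site's certificate.

Added example, not code from the thread. The issuer names and the
EXPECTED_ISSUERS map are constructed assumptions: record the real issuer
organisation for each host from a network you trust, then run the same
check from the network you want to test."""
import socket
import ssl

# Constructed: issuer organisation observed for each host on a trusted
# network (e.g. a home connection with no proxy). Replace with your own.
EXPECTED_ISSUERS = {
    "example.com": {"Example Public CA"},
}


def issuer_org(cert: dict) -> str:
    """Pull organizationName out of the issuer field in the shape returned by
    ssl.SSLSocket.getpeercert(): a tuple of RDNs, each a tuple of pairs."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(host: str, cert: dict) -> str:
    """Return 'ok' if the leaf certificate was issued by an expected public
    CA, 'intercepted' if it was issued by something else (typically a
    corporate inspection CA), or 'unknown-host' if we hold no baseline."""
    expected = EXPECTED_ISSUERS.get(host)
    if expected is None:
        return "unknown-host"
    return "ok" if issuer_org(cert) in expected else "intercepted"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect using the default trust store (the store a corporate root
    would normally have been added to) and classify what the server presents."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(host, tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # The chain did not validate. For a major site on a clean network
        # this is rare; behind an inspecting proxy whose root is NOT in this
        # trust store it is exactly what you see.
        return "verification-failed"


# Constructed sample certificates in getpeercert() shape, for offline use.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Acme Corp"),),
        (("commonName", "Acme Corp SSL Inspection CA"),),
    ),
}

if __name__ == "__main__":
    print("sample direct:     ", classify("example.com", SAMPLE_DIRECT))
    print("sample intercepted:", classify("example.com", SAMPLE_INTERCEPTED))
    print("live example.com:  ", check_host("example.com"))
```

Note that `getpeercert()` returns only the leaf, so the check compares the leaf's issuer against a baseline you captured yourself rather than inspecting the whole chain. A Python build that ships its own CA bundle (common on macOS) may not contain a corporate root at all, in which case a 'verification-failed' result means the root is missing from Python's bundle, not necessarily from the operating system.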

Aurornis
2 replies
14h12m

> seriously, how does this not violate wire tapping laws? does agreeing to ToS mean you also agree to being spied on in a way that protects them?

It’s not really spelled out clearly in the article, but this was a specific program where people had to choose to opt-in in exchange for compensation.

This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app

Not defending the program, but it’s not what a lot of comments are assuming.

haxrob
0 replies
12h50m

> This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app

Do you have further insights or references on what was the "trigger condition"? This is a new case, separate to the previous litigation related to the VPN app.

KennyBlanken
0 replies
12h53m

The article details how users were lied to about what was being collected and why.

If you lie to someone to get them to sign an agreement, that agreement is voided in nearly any sane jurisdiction on the planet.

_heimdall
0 replies
15h9m

It isn't because they have the money, it's because they have given the government access to whatever data they want. When it comes to three letter agencies it really isn't about money, it's about power and in today's digital world data is power.

To answer your specific question, this isn't okay. Both the government and large corporations have been given way too much power and we really have no hope of making any meaningful change until the people reclaim this power and put those in charge out on their ass.

Terr_
0 replies
14h37m

> does agreeing to ToS mean you also agree to being spied on in a way that protects them?

This relates to a much bigger problem of courts upholding contracts even when nobody actually believes they represent an informed and voluntary agreement.

We aren't quite at the Looney-Tunes step of enforcing extra clauses that were hidden in invisibly small print, but things are drifting in that direction.

See also: https://www.law.cornell.edu/wex/adhesion_contract_(contract_...

xvector
12 replies
15h47m

Your work does this. This is incredibly common on basically every corporate device issued today.

The real issue is the NUX, which doesn't look like it made the data collection clear to users.

yjftsjthsd-h
10 replies
15h44m

My work puts a big banner on the login screen that says up front that they can and will record and monitor everything on this machine. And IMO that's fine, because it's their machine. If they wanted to do that to my machine it would be a problem.

Terr_
6 replies
15h20m

I agree it's legally fine, but morally/socially there are ways to go too far.

knome
5 replies
14h53m

there's nothing wrong with corporations tracking use of their hardware.

they have to watch for data exfiltration and attempts to download malware, etc.

don't use a corporate device for anything you don't want work to see.

use your own. that's not a hard ask.

Terr_
3 replies
14h32m

> there's nothing wrong with corporations tracking use of their hardware.

As written, that means they can secretly enable the camera and microphone to surveil my house, supposedly to check the usage (or non-usage) of the hardware.

Surely that's very "wrong", if not also illegal in most places. Not everything about or near the hardware is fair game.

pigeonhole123
2 replies
13h40m

That's clearly not what was meant

Terr_
1 replies
13h13m

No, read what they're replying to.

I wrote one sentence about how "there are ways for companies to go too far", which I think is pretty dang uncontroversial and trivially true. However that user replied with what is clearly a disagreement, with corporate justifications and placing sole responsibility on employees to avoid the hardware.

This leads to two competing options:

(A) They simply can't imagine any scenario where a company might "go too far" and be at fault.

(B) Their stance is much milder, but for some reason they are replying to a straw-man argument that isn't what I actually wrote.

Of those two ambiguities, I went with (A), but if you think (B) is a more-charitable reading...

knome
0 replies
38m

Or that the discussion was about information on and being transmitted through the devices and I was limiting my opinion on "there being nothing wrong with corporations tracking use of their hardware" to that scope, and not extending it to include spying on people in their homes using the device peripherals.

No, they shouldn't be flicking on your laptop camera or mic remotely, as these are pretty obviously violations of your privacy.

lukeschlather
0 replies
2h53m

My rights are not subordinate to my company's, if anything it should be the reverse. My employment contract is intended for mutual benefit and the company also reserves the right to privacy from me in some things, even things in the scope of my employment. It should be acceptable to do things outside the scope of your employment using corporate devices, and you should retain a reasonable expectation of privacy when doing so.

mr_toad
1 replies
15h31m

No place I’ve worked has ever told their employees that they do this, but most of them do. Some employees I’ve spoken to are quite surprised that their “encrypted” connections are being monitored.

suprjami
0 replies
14h28m

People should probably read their employment agreements and IT usage policy. I'd be surprised if it's not written somewhere.

Besides which, using someone else's computer with an expectation of privacy is the wrong expectation.

Scarblac
0 replies
13h30m

It's "fine" in the way that I would leave that company at the first opportunity.

suprjami
0 replies
14h30m

I signed a contract with my employer that when I'm using the computer they give me to conduct their business on their behalf, they have the right to observe my usage of that computer.

The situation in this article is completely different.

protastus
4 replies
15h46m

Our apps would be deplatformed on Android and iOS, and our businesses would be prosecuted by the DoJ and FBI.

throw3736264
3 replies
13h24m

Looks like this was the real reason Facebook could not comply with China's data sovereignty laws and had to abandon the market.

The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.

starspangled
1 replies
13h9m

> Looks like this was the real reason Facebook could not comply with China's data sovereignty laws and had to abandon the market.

How so?

> The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.

Absolutely not. Companies apply different policies in different countries they operate in. This tells you nothing more than those companies came to a mutually beneficial agreement with the Chinese Communist Party.

bbarnett
0 replies
12h51m

Indeed. Even McDonald's has different menus, local workers, local employee standards, and even how their business signage looks, depending upon country/location.

fragmede
0 replies
11h50m

That's one possible read. The other possible read is that Apple and Microsoft both agreed to let the CCP decrypt all user data, which makes them less trustworthy in my book. You really gonna believe they couldn't have a similar arrangement with the US TLAs after that?

Animats
1 replies
14h47m

> If you or I did this, we would already be in jail for phishing plus whatever add-on charges the Feds could file.

Yes. It's a good opportunity for an ambitious state attorney general to prosecute Facebook, of course.

theptip
34 replies
14h29m

So just to be clear on what is being alleged, because the write-ups are omitting this detail: from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)

The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?

oefrha
27 replies
11h8m

No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.

This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]

So no, this Onavo bullshit isn’t defensible at all.

[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...

[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...

H8crilA
20 replies
7h10m

Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.

reaperman
9 replies
6h32m

Maybe you're on H1B and if you get let go you have to go back to Sri Lanka, whose government collapsed 2 years ago and left the country in political disarray. Some people have better choices than others.

Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom, it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhD's and getting low-tier visa-mill jobs. This was not a T10 school, our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.

I couldn't really blame them if they didn't have another good option readily available.

ignoramous
3 replies
5h9m

> Why do people work on such projects?

> Maybe you're on H1B and if you get let go you have to go back to Sri Lanka...

I mean that's there too, but in this case, the guy who ran this spyware op was a former IDF turned chief of Facebook in Israel, later promoted to CISO for all of Meta.

reaperman
2 replies
4h24m

Yes, I generally blame management. But sometimes I blame the engineers when it's obvious they had other good options.

spencerflem
0 replies
3h27m

I think it's fair to blame both, usually. Got enough hate left in my heart for it.

ignoramous
0 replies
3h8m

> I blame the engineers when it's obvious they had other good options

Their manager was promoted to c-suite for running a covert worldwide spyware op (that also informed the company's M&A strategy). I'd reserve most of my blame for the corporate culture that incentivized & rewarded such orgs and their management.

redserk
2 replies
4h35m

Or you have a nice bucket of RSUs that have been jumping in value and figure it’s just another project to pass time.

reaperman
1 replies
4h23m

If you have other good options, that's just greed. Sure it's painful to turn down $200k in RSUs but if you can jump ship and still get paid a respectable $160k I don’t have much sympathy for your choice to fuck over millions of people just so you can buy a house two years sooner.

spencerflem
0 replies
3h27m

I don't either. It seems to me that a lot of CS people don't have the same values as we do unfortunately. A sad mix of computers seeming apolitical - 'I just wanna hack' - and, as a well paid industry, the same money maximizers that would in previous years have been business majors.

roenxi
0 replies
5h54m

I can't resist annotating the Sri Lanka comment, it was responsible for some of the most absurd headlines I've ever read; completely beyond parody. Typical example:

- Fertiliser ban decimates Sri Lankan crops as government popularity ebbs

https://www.reuters.com/markets/commodities/fertiliser-ban-d...

_proofs
0 replies
1h54m

holy fuck can we please stop letting circumstances be the excuse we continuously fall back on, when enabling and reinforcing behavior with long-term impact and consequences.

imagine all of the times in history where this type of enabling of behavior reached an extreme, and now ask yourself where do you draw the line.

are you really asking me to enjoy the growing consequences of corporate overreach in the name of data, and all the sketchy ass, unethical, and invasive work all these foreign engineers are getting paid ridiculous salaries to propagate, and feel good about being held hostage because said engineers... don't have a home.

so we are supposed to enable them to wreck mine (ours)?

kotaKat
3 replies
6h38m

It takes the correct morally bankrupt person to be willing to take the job.

dl9999
2 replies
6h24m

Or a person with a sick kid, or who is about to be evicted, or who made some bad financial decisions or for some other reason is about to run out of food money. In those situations it's very easy to rationalize that the good outweighs the bad.

I've only been in a similar situation once. I could barely sleep at night for a week before I finally told them that I couldn't do it. In my situation I would have taken a financial hit if they decided to let me go, but my wife works and I have savings and there was no immediate threat, and it still was a difficult decision.

IG_Semmelweiss
1 replies
4h6m

Why would you diminish all those silent heroes who do decline the morally bankrupt job despite not making rent, or having to carry bad financial decisions?

The truth is that in the US we do have some very expensive social safety nets, and it always comes back to the morals of the individual. You can rationalize just about anything against all kinds of situations, but in the end we are talking about someone morally corrupt, or morally steadfast.

Don't justify the unjustifiable.

Instead, judge character in the hard times and use that opportunity to elevate the heroes that do the right thing in the face of adversity.

dl9999
0 replies
3h16m

I'm not diminishing anything. I'm just not willing to condemn people without taking into account extenuating circumstances.

People regularly justify things that are not justified. When there's a lot of pressure, rationalizing is very easy. It's not even easy to realize that something is being rationalized.

I'm not justifying the unjustifiable. I'm saying that a person doesn't have to be morally "bankrupt" to do something bad. Condemning people as morally bankrupt without taking into account extenuating circumstances is certainly not justified.

echoangle
2 replies
6h16m

You really think the engineers working on this will be personally liable for this? That would honestly surprise me, the worst I can imagine is punishment for the company as an entity.

echoangle
0 replies
3h5m

Saying stuff like that in a hearing to deflect blame doesn’t surprise me, but were any individual engineers punished for this?

Intermernet
1 replies
6h3m

I was talking about this with friends the other night. If you've been in the industry long enough, you've probably been party to creating something horrible. It takes a while for the reality of horribleness to crack the glamour of creation and monetary reward, but once it does, everyone I personally know has quit and lived with the regret.

I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

throwaway55717
0 replies
3h34m

Due to an incarcerated family member, I had to deal with privately run prison telecom software, which was as awful and exploitative as you would expect. I could see where someone might feel guilty for working in this area. Evil business model.

But one of the worst things about the software was all the bugs. Silent failures so we couldn't tell what was happening, if it was a software problem or if our loved one was being prevented from communicating with us. The messaging and video call system failed us at some crucial moments and created a lot of emotional stress.

In fact I think this is part of the awful business model -- cut costs even if it hurts people.

Bad software can really make the lives of incarcerated people much worse. So if you were able to do a decent job on that software, whether it was prison telecom or internal tools for a prison contractor, you may have still had a more positive impact than you think, despite the broader business model being totally evil.

kevin_nisbet
0 replies
1h53m

Trying to bring an open mind, I could see a number of plausible scenarios where an engineer could do this, with various degrees of legitimacy.

It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking about the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs choose to accept and try to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of groupthink, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?

If there is an extreme where it's justifiable, for any reasonable engineer to accept the project, then it gets really muddy on where exactly the line is, and when it should be drawn.

I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put in to changing a company's mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.

theptip
5 replies
4h18m

This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.

The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo with their enterprise distribution channel), it quotes:

“We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.

This sounds to me like there was one Onavo research program, but who knows, we have multiple project codenames.

oefrha
3 replies
1h33m

> The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known.

No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.

theptip
2 replies
1h28m

The claim in the OP is that they might have been MiTM’ing arbitrary users, I believe the previously reported claims were that they only MiTM’d paid research participants. (Please share some links if you have evidence to the contrary, I’d love to get to the bottom of this.)

valicord
0 replies
48m

That doesn't mean that the MITM traffic interception would be enabled for regular users that have downloaded the app from the store. As stated both in the article and in the comments here, both "free" VPN and "paid market research" VPN used the same codebase. Is there any evidence (other than "facebook bad") that the MITM part was enabled for anyone other than consenting/getting paid participants?

willstrafach
0 replies
2h13m

“Facebook Research” was the Onavo codebase, under a different name, signed by Facebook’s Enterprise certificate.

vlovich123
1 replies
12h51m

From the article:

> Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.

theptip
0 replies
4h14m

This has since been edited in OP, and the full quote I think supports my claim more:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

hollerith
0 replies
2h39m

SC == Snapchat

haxrob
0 replies
14h3m

> from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The app was available on both the Google Play and Apple App stores for anyone to download.

> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

It could be that you are confused with a previous case. From the blog post:

> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook was ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shutdown Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.

> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?

If by "local" on your own network/machine with your own traffic then obviously no.

ec109685
0 replies
13h37m

Nielsen does something similar with TV where they install capture boxes in people’s houses to determine what they’re watching for their panels: https://www.nytimes.com/athletic/3194414/2022/03/22/the-ulti...

I hope they were upfront about what they were collecting. The article didn’t show what the consent screen was before installing the proxy.

BobaFloutist
0 replies
2h41m

> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.

dylan604
27 replies
16h42m

The email snippets are impressive on multiple levels, mainly how fucking stupid/arrogant people at FB must be. Openly talking about MITM, and then getting multiple other companies to include this kit in their products as well is just beyond stupid for putting in writing. "Hey Zuck, I have an idea on your proposal. We should get together to discuss in person" would be suspect, but at least it's not incriminating. It's like these people have never seen a movie, or read a news article on other companies getting caught.

xmprt
10 replies
13h11m

A piece of advice I've taken to heart is whenever I'm sending something in writing, to think about how I would feel if I needed to repeat the same things in court or if I found those messages in the news. Not that I've ever said anything near that egregious but it still helps.

ben0x539
3 replies
7h45m

Whenever I'm discussing something in person I think about how I would feel if it turned out my employer was breaking the law and me not putting it in writing stopped the injured parties from obtaining just compensation.

ornornor
0 replies
1h39m

Sorry, you’re not FAANG material.

hiatus
0 replies
6h14m

So send a follow up email post meeting recapitulating the key points.

dylan604
0 replies
4h35m

It sounds like you have a soul and/or morals. The people writing the emails in TFA clearly have neither.

b800h
2 replies
12h19m

More importantly these days, have the same thought every time you write a comment on Slack or Teams.

jdthedisciple
1 replies
10h25m

elaborate? was there some specific case?

mschuster91
0 replies
9h36m

Trouble at many orgs regarding the Israel vs Palestine conflict. No matter on which side of that clusterfuck you are - unless you are in a lobbyist group for either side, someone at your org will be offended and raise a stink.

StressedDev
0 replies
10h36m

This is excellent advice. Another thing I will add is if something is not ethical, misleading, or dishonest, just do not do it. The world will be a better place if people behave ethically. Also, I strongly suspect that long term success in business requires ethical conduct.

GeoAtreides
0 replies
10h37m

When putting down something in writing, you should also remember Cardinal Richelieu's quote: "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

tjpnz
6 replies
15h48m

If any of these miscreants were looking for a new job I bet the place you work would be getting in line to put them through an interview loop.

dylan604
4 replies
15h35m

I'll take that bet. Of course, you have no idea where I work and I do, so you're not a good gambler. The stench of social companies is noticeable by people that do not have their heads in the sand. Companies that still believe that ex-FAANG are automatically gawds deserve what they get.

tjpnz
3 replies
15h18m

That might be an increasingly common view on the shop floor, but how confident are you that it filters up through all levels of your org?

dylan604
2 replies
15h11m

there's 5 people in my company, and we talk daily. want to split 10s since you've already doubled down?

btw, I can add my crypto wallet to my bio so you can pay up if you'd like /s

drivebyhooting
1 replies
13h35m

How much does your company pay IC8 or equivalent per year? $2M liquid? $3M? Hard for anyone to feel moral qualms when they’re earning generational wealth.

tczMUFlmoNk
0 replies
2h15m

But some things will never change

Try to show another way, but you stayin' in the dope game

Now tell me, what's a mother to do?

Bein' real don't appeal to the brother in you

You gotta operate the easy way

"I made a G today" But you made it in a sleazy way

Sellin' crack to the kids.

"I gotta get paid," well hey—

but that's the way it is.

(Tupac - Changes)

meiraleal
0 replies
7h43m

Post-COVID big tech ex-employees aren't really what you would expect a decade ago.

cen4
4 replies
16h17m

Billionaire bosses are all surrounded by opportunists and flatterers. Over time, like the Great Pacific Garbage Patch, the size of this group grows to unmanageable dimensions, cause anyone acting moderately sane will be treated as an existential threat to their lives of fantasy, domination, manipulation, luxury, leisure etc and pushed out.

talldayo
1 replies
16h14m

Thankfully our fearless American regulators would never shy away from hanging these scoundrels out to dr- hey wait, where are the lawyers going off to?

walrus01
0 replies
16h7m

The lawyers are off in the Hamptons this summer with the same people who are the root cause of the 2008 financial crisis.

walrus01
0 replies
16h8m

To paraphrase Clarke's three laws, a sufficiently advanced quantity of yes-men and tech industry bro "move fast and break things" types is indistinguishable from a hostile malware actor.

Terr_
0 replies
15h16m

acting moderately sane will be treated as an existential threat [...] and pushed out.

Or converted, by making them take actions so that "if we go down you're going down with us."

Organized crime works that way too, come to think of it. They may call it "loyalty", but it really means "give us a way to coerce you into compliance."

maeil
1 replies
14h46m

Their contribution to the genocide in Myanmar has said everything about Meta you'll ever need to know. It's a tragedy that working for Meta is generally seen as neutral whereas working at any defense-related companies is often met with scorn, despite the overwhelmingly greater negative impact that working at the former has.

And this doesn't even touch upon Instagram.

I guess that they pay too much and employ too much of our industry, greatly reducing criticism because we all have a friend who has worked at Meta or we may even have applied ourselves at some point. Whereas we don't know anyone who has been at e.g. Anduril or the like.

dagmx
0 replies
13h7m

I have several extremely talented friends at Meta, and the one constant is they left any attachment to the output product when they entered the workplace. Whereas they previously (at other top tech companies) did take pride in their employees output. Meta is “success at all costs” and heavily metrics driven.

I think that’s what contributes to things like Myanmar and other countries hate speech proliferation. When you don’t care about how your product is used, and can focus on just the technical aspect, you lose any sense of responsibility.

Conversely, we’ve hired many ex meta people, and they’ve always almost all unanimously said how much they NOW like having pride in the products they create, after jumping ship.

Imho it’s an issue of top down culture from Zuckerberg, and previously Thiel.

salawat
0 replies
9m

And people that think like you are the problem. You should be calling immoral asshole things out. Not frigging trying to do them and not get caught.

globular-toast
0 replies
9h25m

So you'd rather they were smarter and able to hide the traces of their malicious behaviour?

The real problem here is the complete absence of any kind of ethics. It sounds like the kind of place where if you consider ethics to be a blocker you'd be laughed out of the room, or fired. Corporate culture is to chase profit above anything else. It's especially bad in software, though, as so many people don't even seem to think about the ethical implications of their actions ever.

walrus01
18 replies
16h47m

tl;dr: If you install and fully trust a root CA on your client device, of course your TLS traffic can be MITMed.

edit: the problem, obviously, is that this app tricked the non-technical people into installing/trusting the root CA for malicious purposes. Clearly this was malware.

dylan604
6 replies
16h18m

That's great for someone reading this forum to be aware of, but moms have no idea what any of the words you just wrote mean. So if they were told they get a coupon for installing, or some other ridiculous thing malware devs use... and yes, I'm calling FB software malware. All of it. Messenger, FB.app, everything. If it's from Meta, it's malicious.

ahazred8ta
3 replies
16h6m

Try comparing P2P OTR E2EE vs Non-CA TOFU SSH

dylan604
1 replies
15h58m

hell, even I don't know what the "words" you just used mean!

iam-TJ
0 replies
10h17m

That got me too for a few seconds whilst my brain cogs whirred... but the latter sounds tastier than the former for some reason!

For those wondering:

  P2P OTR E2EE == Peer to Peer, Off The Record, End to End Encryption
  Non-CA TOFU SSH == Non-Certificate Authority, Trust On First Use, Secure SHell

yjftsjthsd-h
0 replies
15h47m

Any app capable of installing a TLS CA is capable of writing to known_hosts (or authorized_keys, while we're at it).

walrus01
0 replies
16h14m

That's a very good point. I have within recent memory installed my own internal CA that I run on Android devices that I own and trust, and the process on android 11+ is sufficiently daunting that 99.5% of peoples' moms could not do it in one or two clicks. You have to go deep into system settings and manually import the CA. This requires first file-transferring the CA file somewhere onto local /sdcard storage and possibly having a file system explorer app installed to be able to view its location on "disk" and pick it.

As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:

"KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."

smcin
0 replies
6h51m

"the average parent"

safety1st
4 replies
15h23m

So I mean, just taking a quick look at the contents of /etc/ssl/certs and what Firefox shows me when I hit its View Certificates button, I see among dozens of other actors, Amazon, Microsoft, GoDaddy, and the Beijing Certificate Authority. No software has ever asked me if I want to trust any of these guys, they've been silently trusted during a software install I suppose. Does this mean they can all MITM my TLS traffic if they so choose?

theptip
2 replies
14h22m

Not in 2020, no.

HSTS causes your browser to pin the first cert that it sees (from sites opting in to this scheme), so nobody (even the legitimate operator) can swap it out before it expires.

https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Securi...

And specifically to the scenario in OP, app clients these days do not use the OS cert store, they will ship a single well-known server cert and only accept that one. This doesn’t help with your Firefox usecase though.

Uvix
1 replies
14h4m

When HSTS is enabled, browsers don't pin the specific cert, just that HTTPS is required. Pinning the cert would mean users would experience outages (because you can't swap the cert early), which would be a terrible experience.

toast0
0 replies
11h41m

HSTS is https required and it needs to be a validated cert; issued by a trusted CA and not expired (maybe also not before the not before date). And the usual ignore it and move on button is gone.

Doesn't help if you're worried about a trusted CA issuing a cert for your domain without your approval though. Certificate transparency helps a bit with that; Chrome requires certs issued with a not-before after April 30, 2018 to be in CT logs[1], so at least you'll be able to know a certificate was issued for your domain. If that happens, you can ask the CA/Browser forum to investigate and there's a good chance the CA will get kicked out if there's not a good explanation of what happened. That's not perfect but it's better than without CT, when you could only know about an unauthorized cert if you managed to see it.

[1] I think max validity was two years back then, so all current certs need logs

jerbear4328
0 replies
14h38m

Theoretically, yes, they could, I think. However, with Certificate Transparency, the fraudulent certificates these Certificate Authorities could create would have to be published in CT logs to be valid, where they would be quickly noticed, and the CA would (hopefully) lose credibility and be removed from devices' trusted CA lists.

dilyevsky
4 replies
14h24m

That’s not sufficient - you also need to intercept traffic somehow, which they successfully accomplished by buying this VPN company and using it to proxy victims' traffic through their infra.

eightysixfour
3 replies
14h22m

Victims that were being paid to participate?

Edit: Not excusing Facebook here, but feel like this whole thing is in a weird grey area. It is like getting paid to have a Nielsen box monitoring your TV and then complaining when you find out it also knew what you watched on your DVD player.

haxrob
1 replies
13h40m

Victims that were being paid to participate

I believe you might be referring to what happened in 2019? [1] This is a separate issue. [2]

I do clarify this in the blog post, although it might be better to move the relevant text near the introduction rather than in the middle of the post.

EDIT: I have also added a remark to the post that it is not clear if all users were MITM'd or just a subset

[1] https://techcrunch.com/2019/01/29/facebook-project-atlas/

[2] https://techcrunch.com/2024/03/26/facebook-secret-project-sn...

eightysixfour
0 replies
3h23m

I think what is missing is a timeline and clarity about the actual steps users had to take.

1) Onavo was a (free?) VPN app acquired by FB in 2014. Facebook used it to collect “market research data.” People chose to download this, but thought it was a security product.

2) At some point (it looks like 2016?) they launched an iOS app called Research, using the same tech, which required users to install a certificate meant for internal Facebook employees. They paid these users to monitor their traffic.

Are you saying that the MITM was happening for users of (1) or (2) or both?

walterbell
0 replies
16h29m

Unless the TLS traffic uses certificate pinning.

xbmcuser
8 replies
13h23m

I don't know why, but Facebook is the one tech company that I just can't have a good opinion about. I like and dislike Google, Microsoft, Apple, Nvidia, AMD, Intel and the rest for different things, but I just hate Facebook. I closed my Facebook account about 10-11 years back and put a filter in to keep Facebook out of my search results. And I have to say it works; I rarely see anything about Facebook on my Google news feeds etc. I still use WhatsApp though, as that is the biggest communication app outside China in Asia.

dagmx
5 replies
13h14m

Probably a combination of

- they’ve had a long history of trying to undermine privacy to extend profits. From stuff like in the article, to tracking pixels, alleged ghost accounts, and fighting anything that hampers tracking. Of the companies you listed, only Google has any crossover, but doesn’t come anywhere near as close.

- they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.

- they are dishonest in their marketing. Almost all their Quest ads and feature reveals use concept visualization to deceive users for example on what is possible. Mark often speaks in double speak when addressing issues. Double speak isn’t unique to them but they definitely take dishonest advertising to the limit versus the other companies on your list.

I know Meta are having a popularity renaissance with their open weight (not open source) models in this AI cycle, as is Mark with his recent PR blitz to reinvent his image.

However I think they’re culturally the only one of your companies listed who lack a moral core to their work. I think culture is top down, and both Zuckerberg and Thiel have instilled a culture of “success at all costs” for the way Meta operates.

The other companies on your list are definitely capitalist too, but have some sense of responsibility with their output.

mschuster91
4 replies
9h34m

- they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.

Twitter is arguably worse - especially after Musk's takeover.

xbmcuser
2 replies
5h35m

With what is happening outside the US, and how Facebook and even YouTube, i.e. Google, are deplatforming people fighting and raising awareness against totalitarian regimes but Twitter is not. I get you hate Musk, but I don't agree Twitter is not in the same realm as Facebook.

xbmcuser
0 replies
5h30m

Oh and with the Trump assassination attempt who is spreading hate now is really up for debate.

dagmx
0 replies
6h22m

Oh for sure there are worse companies. They just aren’t in the list of companies in the comment I replied to.

pavlov
0 replies
9h3m

> “And I have to say it works I rarely see anything about Facebook on my Google news feeds etc.”

The company is called Meta nowadays, so that also explains why you don’t see much news about Facebook.

NayamAmarshe
0 replies
7h56m

I still use WhatsApp though as that is the biggest communication app outside China in Asia

This is still contributing to their monopoly. WhatsApp's monopoly is growing and they've even blatantly started to copy the competition: Telegram.

Disagreeing publicly does nothing if I'm the one empowering my opposition in the first place.

afavour
7 replies
13h20m

Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebview and SFSafariViewController. They’re intended for very different uses.

When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, and it’s literally intended for “load some external web content within the context of this app”.

Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?

windmark
2 replies
11h45m

I wasn’t aware that WKWebView granted the app such power. Is there a way for me as a user to figure out if WKWebView or SFSafariViewController is being used if I have a web page open? Although I don’t use FB, I do use the web view of other apps and don’t want them to be able to do this either.

can16358p
0 replies
10h19m

SFSafariViewController is less customizable visually so the standard "sheet coming up within the app" that looks always the same regardless of the app (at least in most apps and of course not Meta's apps) is that one.

Having said that, since WKWebView is just a view that can be customized visually, nothing can stop someone from creating a WKWebView-wrapping view controller that looks exactly like the "safe" Safari one anyway.

haxrob
0 replies
10h18m

Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

10 million installs on Android, according to AndroidRank[1]. What we don't know (yet) is what % of those installs had the FB competitor traffic MITM'd.

[1] https://www.androidrank.org/application/onavo_protect_from_f...

croisillon
0 replies
9h13m

I don’t have Instagram but I have Facebook; when people send me links to Instagram videos on Messenger, the view doesn’t let me watch them unless I log in (in fact, create an account); I can only watch them by loading externally into Safari.

giancarlostoro
6 replies
14h5m

Reading this article I'm just thinking that Facebook has a wing that's just an NSA front at this point.

KennyBlanken
3 replies
12h59m

People seem to forget that the research that turned into Google was initially funded by the NSA and CIA:

https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...

Cars now come with Google services / Android baked into the damn infotainment system, with no possible way to pull it out. What could possibly go wrong with an advertising company seeing everywhere you go, and everyone who rides in your car?

bbarnett
1 replies
12h48m

This is true, but so far there are ways to disable much of this.

For example, on a Ford you can literally pull the fuse for the GSM modem. On a GM, you can pull the antenna from OnStar and put a resistor there as a replacement... thus rendering it unable to communicate with home base.

This doesn't solve everything, but it at least stops the immediate phone home.

kjkjadksj
0 replies
23m

You can also buy cars that don’t need an immediate debugging

serial_dev
0 replies
12h48m

Yeah... They are all connected to the "three letter agencies", in Google's case it was very early, but I believe nobody can stay popular and not have all of these agencies infiltrate then take control of them.

Apple, Google, Facebook, Twitter, Alexa, they are a gold mine for agencies, but even news sites, movie studios, and YouTubers. This is why they've been after TikTok for so long; they know how useful that app / network is.

slim
0 replies
11h32m

or unit 8200 front (since we're talking about Facebook Israel)

realusername
0 replies
11h24m

Pretty much every large tech company collaborated during the Prism leaks.

egberts1
4 replies
13h35m

This is why we should be doing dual-server-client TLS certificate exchange before stuffing damaging info over Internet. But, alas, nooooooooo.

HL33tibCe7
1 replies
10h31m

How would mutual TLS have helped here?

egberts1
0 replies
2h47m

Mutual TLS dutifully breaks if there is a transparent HTTPS proxy like SSLbump or Squid.

ozim
0 replies
12h29m

You can do certificate pinning.

Andrex
0 replies
5h48m

Any more post-relevant insights we should congratulate you for, or is it just this one?

Crazyontap
3 replies
15h49m

Why didn't a big company like Snapchat have certificate pinning? Something is amiss here!?

liuliu
1 replies
15h46m

Snapchat does certificate pinning for its main API domain. I am not exactly sure why the analytics domain is different and why it has no certificate pinning. (I thought analytics went through the same API domain, but that must be wrong then.)

haxrob
0 replies
13h2m

The analytics domain was "sc-analytics.appspot.com" in which the lack of pinning is described at the tail end of the blog post.

theptip
0 replies
14h20m

From the OP, Snapchat started pinning not long after this program launched.

lowermidmgmt
2 replies
16h40m

If there is a god we'll be compensated through a class action settlement for a $5 meta ad voucher.

nilamo
0 replies
13h12m

Let's not pretend that's a good number, either.

egberts1
2 replies
16h50m

Ooooooooh, SSLbump.

There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.

Should be one of those many cases involving wiretapping for banking info.

paradox460
1 replies
13h32m

Doesn't the computer fraud and abuse act cover this?

egberts1
0 replies
2h45m

Not ... really ...

It is about intent versus capability set that CFAA does poorly with differentiation in court.

1vuio0pswjnm7
2 replies
12h24m

"There is a current class action lawsuit against Meta in which court documents include claims that the company had breached the Wiretap Act."

This is not a wiretapping case. The claims are all for violations of the Sherman Act. Plaintiffs' attorneys _incidentally_ found evidence during discovery that Facebook may have breached the Wiretap Act. There are no wiretapping claims. It is an antitrust case.

haxrob
0 replies
11h55m

Thanks, I have modified the wording and also quoted you and linked this HN post on the blog page.

Andrex
0 replies
5h56m

Doesn't this violate the DMCA too? This is circumventing an encrypted system.

Does the DMCA not have enough teeth for something on this scale? Maybe an issue of standing or provable-damages? Did the plaintiffs forget about it? Curious and confused.

rkagerer
1 replies
13h48m

Why would anyone use a VPN service provided by Facebook?

dddw
0 replies
13h20m

Money. If I recall correctly, they paid teens to install and use the app.

exmicrosoldier
1 replies
13h47m

They do this on my work laptop. Zscaler

ozim
0 replies
12h28m

Big companies do MITM and deep packet inspection on company laptops; that is normal. Not normal is doing that on private devices.

bschne
1 replies
10h22m

I think a relative of mine once almost signed up for another market research thing that would have done essentially this, redirecting all their phone's internet traffic through a VPN & proxy controlled by the market research company, including installing their cert. They would have received some small compensation for it, and of course consented to having it installed. I don't recall the company being misleading about anything, exactly. That being said, while I generally am not in favor of overly paternalistic policies, I wonder how meaningful the consent of someone with relatively little technical knowledge for something like this really is. They were not misleading about things, but also didn't fully spell things out in a way that would really drive home what was going on for someone unaware.

smcin
0 replies
6h53m

Just because some market research companies do informed disclosure, says nothing at all about how Onavo did this (and Onavo didn't advertise themselves to users as "market research company", just as some free neat app that would categorize your internet data usage).

temp0728
0 replies
12h38m

I used to work for a startup that collected data by using MITM attack with a VPN server, and other means. The users got paid a small sum of money to participate.

musha68k
0 replies
14h14m

Unfortunately this is unsurprising; with bad actors like Meta there are likely many potential "dark patterns" put in place.

I can imagine e.g. security risks involving sensor data exfiltration where accelerometers and gyroscopes etc are monitored to infer audio information. By covertly relaying and processing the collected data externally it would be possible to reconstruct sensitive information without direct access to the device's microphone.

It's not unlikely that they pull off something like that.

Meta and other pernicious companies and government bodies are probably employing many more, even worse and much simpler eavesdropping techniques in the wild.

RockRobotRock
0 replies
15h36m

"Stay safer when you're using public Wi-Fi. Turn Protection On"

prompt to install a VPN config

Fuck yourself, Facebook.

29athrowaway
0 replies
2h21m

tl;dr: They acquired an app called Onavo, with 10 million customers, and used it to install a CA certificate, thus allowing them to act as a MITM proxy.