The media and its misunderstanding technology

Surely people are overcomplicating this. It doesn't matter what state the password is in if Facebook can access their own databases. They just have to swap out the hash and give the new one to the police, no? 2FA must be a database entry as well; can't imagine it's that hard to turn off.

There's no need for cracking when you can actually edit the data.

(Ignoring the legal side)

Yep, you're right, just swap out the hash for a known password; that's probably the backdoor this is referring to, i.e. access to the database.

https://bgr.com/2018/05/04/facebook-profile-backdoor-account/
 
Facebook don't have your password - they have a hash of it which is compared to what you type when you log in to see if they match.

If you need the data then a legal request will just have someone pull the data from the database - they don't need access to your account, just the way the database stores who owns or created the entry.
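
The login check described in the post above, as an added example (not part of the thread and not Facebook's code): the server keeps a per-user salt and a derived hash, re-derives the hash from whatever is typed at login, and compares the two. PBKDF2-HMAC-SHA256, the iteration count and the sample users are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; the thread does not say what Facebook uses.
ITERATIONS = 200_000
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: password + salt -> fixed-length hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the server stores at sign-up: a random salt and the hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the typed password and compare in constant time."""
    candidate = derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample data: two users who happen to pick the same password.
    users = {
        "alice": make_record("correct horse"),
        "bob": make_record("correct horse"),
    }
    return {
        "good_login": verify("correct horse", users["alice"]),
        "bad_login": verify("wrong guess", users["alice"]),
        # Per-user salts mean equal passwords do not produce equal stored hashes.
        "same_password_same_hash": users["alice"]["hash"] == users["bob"]["hash"],
        # The stored record holds nothing that can be "handed over" as the password.
        "password_in_record": "correct horse" in str(users["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```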
 
Surely people are overcomplicating this. It doesn't matter what state the password is in if Facebook can access their own databases. They just have to swap out the hash and give the new one to the police, no? 2FA must be a database entry as well; can't imagine it's that hard to turn off.

There's no need for cracking when you can actually edit the data.

(Ignoring the legal side)

If they have their systems set up properly they could just provide the police with a login that has permissions for that account - which is far better for a number of reasons i.e. being able to see historic/additional account data that the user might no longer be able to see, etc. than giving them the original login credentials including the fact there might be instances where they don't want to tip off they have access (depending on the legality) which replacing the hash might do.
 
If they have their systems set up properly they could just provide the police with a login that has permissions for that account - which is far better for a number of reasons i.e. being able to see historic/additional account data that the user might no longer be able to see, etc. than giving them the original login credentials including the fact there might be instances where they don't want to tip off they have access (depending on the legality) which replacing the hash might do.


Fair point. I didn't consider that one.

My reply was just to suggest it's really not as difficult as some people seem to think it is.
 
If they have their systems set up properly they could just provide the police with a login that has permissions for that account - which is far better for a number of reasons i.e. being able to see historic/additional account data that the user might no longer be able to see, etc. than giving them the original login credentials including the fact there might be instances where they don't want to tip off they have access (depending on the legality) which replacing the hash might do.

It would make life easier, however I can't imagine, in a million years - any of the tech companies allowing police from any country let alone the US, direct backdoor access into their systems to view any account information, there are literally infinite ways that could be misused.

Tech companies are terrified of governments, and rightly so - if you look at previous performance, relating to technical competence, broken procedures and mishandling of data and information.
 
It would make life easier, however I can't imagine, in a million years - any of the tech companies allowing police from any country let alone the US, direct backdoor access into their systems to view any account information, there are literally infinite ways that could be misused.

Tech companies are terrified of governments, and rightly so - if you look at previous performance, relating to technical competence, broken procedures and mishandling of data and information.

But tech companies think they can make up their own rules when it comes to government/law. This is a very complex situation and should be tread on very lightly. I still stand by my decision that a court order should be obtained in the country of origin and information should be handed over to only the police to do their job. Really the tech companies are stopping police in their tracks of fighting crime.
 
It would make life easier, however I can't imagine, in a million years - any of the tech companies allowing police from any country let alone the US, direct backdoor access into their systems to view any account information, there are literally infinite ways that could be misused.

Though I agree with your post - in this context it wouldn't be an administration backdoor just an additional account login with slightly more permissions to read data about the account/see realtime information relevant to the account.

Unfortunately without at least 2-3 layers of oversight the potential for misuse/abuse of such a feature is rather high.
 
But tech companies think they can make up their own rules when it comes to government/law. This is a very complex situation and should be tread on very lightly. I still stand by my decision that a court order should be obtained in the country of origin and information should be handed over to only the police to do their job. Really the tech companies are stopping police in their tracks of fighting crime.

Who said they were the good guys, they're sneaky and greedy and want to stay that way. Megalomaniacs.
 
In this thread people who know nothing about internet security mouth off about how easy things are.
Was my whole point originally but everyone seems to have ignored it. Go figure.
Actually, if you refer back to your opening post, I don't think that people are exactly ignoring your questions.
  1. First of all, doesn't [Facebook giving the Police access to someone's account] set a dangerous precedent?
  2. Second of all, how could Facebook [give the Police access to someone's account]?

ps - you are 100% correct about the inadvisability of trusting the Daily Mail ;)
 
Was my whole point originally but everyone seems to have ignored it. Go figure.
What was your point? That Facebook are unable to access or provide access to your account without your permission / password? Pretty sure numerous people have shown this not to be the case. Or was it just highlighting DM's lack of techno savvy by saying "provide password" rather than correctly saying "provide access"?
 
But tech companies think they can make up their own rules when it comes to government/law. This is a very complex situation and should be tread on very lightly. I still stand by my decision that a court order should be obtained in the country of origin and information should be handed over to only the police to do their job. Really the tech companies are stopping police in their tracks of fighting crime.

Yeah I'd agree with that,

Though I agree with your post - in this context it wouldn't be an administration backdoor just an additional account login with slightly more permissions to read data about the account/see realtime information relevant to the account.

Unfortunately without at least 2-3 layers of oversight the potential for misuse/abuse of such a feature is rather high.

Interestingly enough, if you look at Facebook's law enforcement page - they already have what seems like a pretty sensible procedure in place for their own US authorities (lol) https://www.facebook.com/safety/groups/law/guidelines/ simply submit a court order and by the looks of it, they'll send over the account information without any hullabaloo.

Predictably; this all goes south as soon as anything international is involved - with what looks like no policy at all, the only thing I found was this from their privacy statement;

We access, preserve and share your information with regulators, law enforcement or others:
  • In response to a legal request, if we have a good-faith belief that the law requires us to do so. We can also respond to legal requests when we have a good-faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction and is consistent with internationally recognised standards.
 
I’m still struggling to understand how it justifies a 14 month sentence when we’re letting proper criminals out early due to overcrowding?
 
In regards to international aspects a personal opinion of mine is whereby:

A) A local court should allow/deny access to profiles/accounts and if approved, this order then goes to the international court order and then if approved access is granted and information is given - judged on a case by case scenario.

It's not a hard process to follow. They could set up a full brand new law and order company for digital issues that's ongoing like this making the process a lot smoother and faster to gain access. We have to start somewhere to sort this mess out once and for all.
 
If they need access for legal reasons they should NOT under ANY circumstances be given the user's password. They should be allowed access via the normal process.

Giving the password to an account allows for all manner of foul play, such as impersonation, framing, etc. Law enforcement do not need this and it could be misused, abused.

Logging in to someone's account as them is 100% illegal, even for the police. Passwords should NOT be given out. There are other channels.
 
What was your point? That Facebook are unable to access or provide access to your account without your permission / password? Pretty sure numerous people have shown this not to be the case. Or was it just highlighting DM's lack of techno savvy by saying "provide password" rather than correctly saying "provide access"?

It's basically this - ask the user for their password so they can then just trawl the data which is nice and easy for them. If they refuse it's go through the courts to get Facebook to extract the data from the database for you. That's not easy to do by the sounds of it, especially in the US.
 
I see the Daily Mail today reporting that Facebook should "hand over" the password to a Facebook account to the police.

First of all, doesn't this set a dangerous precedent?

Second of all, how could Facebook do this? Facebook don't know the person's password, they do not store it. This is literally web security 101, NEVER store a password. What is most stunning is how the Mail don't seem to know this, when a five second Google would give you this information.

When our media doesn't even understand how technology works - including apparently how to use Google - how can they be trusted to act in our best interest?

There's your answer :D
 
Is it just me or is it slightly ironic that in a thread complaining about spreading misinformation that the OP contains an error on the very subject (It isn't "never store a password", it's "never store a password in plain text") and that a lot of people are confusing the important difference between hashing and encryption?

Also, the way end-to-end encryption is reported on makes it seem like it's the bee's knees to keeping everything secure and private, but that's 100% NOT the case. As its name suggests it's only working on securing the communication between two parties - the thing to remember is that the two parties that are communicating are two "Facebook Accounts". Not two "people".

Saying that, in all fairness, the way "secure conversations" are implemented on Facebook Messenger suggests that the two parties are actually the devices you're using (if you turn on a secure conversation you can't pick it up on any other device) but that still doesn't mean Facebook isn't storing those device cryptographic keys, just that they're not letting you transfer them to another device.

Facebook have been shown to work very closely with the police when the appropriate channels are taken. Like every Daily Fail story I imagine this has just been taken out of context and likely already resolved without anyone bothering to tell them.
 
Also, the way end-to-end encryption is reported on makes it seem like it's the bee's knees to keeping everything secure and private, but that's 100% NOT the case. As its name suggests it's only working on securing the communication between two parties - the thing to remember is that the two parties that are communicating are two "Facebook Accounts". Not two "people".

Do you have a source for that?
That's not the way Facebook or WhatsApp claim their end-to-end encryption works.
 