|
Nothing about that should surprise you about Facebook’s conduct. What I'm surprised about is that Apple hasn’t pulled their enterprise deployment license (yet?)
|
# ? Jan 30, 2019 07:33 |
|
geonetix posted:Nothing about that should surprise you about Facebook’s conduct. What I'm surprised about is that Apple hasn’t pulled their enterprise deployment license (yet?) I mean, they probably just shrugged and assumed this would happen when they re-issued this. It's what you get for trusting Facebook.
|
# ? Jan 30, 2019 08:04 |
|
Apple should pull all of their apps. gently caress 'em. Also it would be funny.
|
# ? Jan 30, 2019 10:09 |
|
Thanks Ants posted:Apple should pull all of their apps. gently caress 'em. Also it would be funny.
|
# ? Jan 30, 2019 11:24 |
|
https://twitter.com/alexeheath/status/1090618327502897152
|
# ? Jan 30, 2019 15:38 |
|
quote:Facebook is also saying that less than 5% of participants in the program were teens and all minors had signed parental consent forms. God Facebook sucks. Also there's no loving way they all signed consent forms.
|
# ? Jan 30, 2019 16:33 |
|
Inept posted:God Facebook sucks. Also there's no loving way they all signed consent forms. Got any proof/evidence of that? There's plenty here that's problematic without making poo poo up.
|
# ? Jan 30, 2019 16:42 |
|
oh lmao they took away all of Facebook's internal apps https://twitter.com/marcoarment/status/1090633751166701570
|
# ? Jan 30, 2019 16:49 |
|
CLAM DOWN posted:Got any proof/evidence of that? There's plenty here that's problematic without making poo poo up. I mean FB lied about p much everything in their original reaction soooo
|
# ? Jan 30, 2019 16:50 |
|
an actual dog posted:oh lmao they took away all of Facebook's internal apps
|
# ? Jan 30, 2019 17:34 |
|
Still have my reservations about Apple but their commitment to privacy and security has seemed real and lasting these past few years.
|
# ? Jan 30, 2019 18:34 |
|
CLAM DOWN posted:Got any proof/evidence of that? There's plenty here that's problematic without making poo poo up. From the article quote:Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a “paid social media research study.” The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).” If minors try to sign-up, they’re asked to get their parents’ permission with a form that reveals Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook. Of course some kids lied about their age or filled out the form pretending to be their parents so they could get paid. It was just some online signup page.
|
# ? Jan 30, 2019 18:57 |
|
Cup Runneth Over posted:Still have my reservations about Apple but their commitment to privacy and security has seemed real and lasting these past few years. Not that long ago, Facebook was an integrated part of iOS. But all of Apple's social network initiatives have crashed and burned, this is the logical course for them.
|
# ? Jan 30, 2019 19:23 |
|
Lambert posted:Not that long ago, Facebook was an integrated part of iOS. But all of Apple's social network initiatives have crashed and burned, this is the logical course for them. What the hell does this mean?
|
# ? Jan 30, 2019 20:59 |
|
BangersInMyKnickers posted:What the hell does this mean? I'm guessing they're talking about the share thing but that's been gone for ages and just let you post things.
|
# ? Jan 30, 2019 21:15 |
|
https://en.wikipedia.org/wiki/ITunes_Ping
|
# ? Jan 30, 2019 21:17 |
|
an actual dog posted:I'm guessing they're talking about the share thing but that's been gone for ages and just let you post things. Depends on whether you consider September 2017 to be "ages" ago. Also, I was referencing Ping, of course.
|
# ? Jan 30, 2019 21:27 |
|
Google was doing the same thing too. I deeply doubt that Apple didn't know what was going on. https://twitter.com/TechCrunch/status/1090685989272633344
|
# ? Jan 31, 2019 01:02 |
|
Maybe, maybe not, but Google quickly moving to axe it suggests that they don't expect to get away with it anymore.
|
# ? Jan 31, 2019 01:20 |
|
an actual dog posted:Google was doing the same thing too. I deeply doubt that Apple didn't know what was going on. actual article link: https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/
|
# ? Jan 31, 2019 02:46 |
|
This is doubly confusing since Google commissared Symantec only a few years ago for a similar misuse of certificates...
|
# ? Jan 31, 2019 11:19 |
|
peak debt posted:This is doubly confusing since Google commissared Symantec only a few years ago for a similar misuse of certificates... Similar in that both involved X509 certificates but otherwise no...
|
# ? Jan 31, 2019 17:34 |
|
The better question is why is apple allowing MITM certs to be installed to begin with? I don't think you can do that on android system-wide anymore, apps can add their own root but it only applies to their own traffic.
|
# ? Jan 31, 2019 19:00 |
|
I totally get why it shouldn't be a thing, but it was super useful when I needed to troubleshoot some app sign-in issues with Fiddler.
|
# ? Jan 31, 2019 19:20 |
Harik posted:The better question is why is apple allowing MITM certs to be installed to begin with? I don't think you can do that on android system-wide anymore, apps can add their own root but it only applies to their own traffic.
|
|
# ? Jan 31, 2019 20:24 |
|
That makes no sense. Certs have scope, and signing code scope doesn't require loving ultimate source of truth root CA. WHY did facebook need a root CA to make lunch menu apps??? The gently caress is wrong with apple's security. There's legitimate reasons for a MITM cert (financial institutions that have to log everything use them) but that doesn't explain why apple was putting one on random phones for facebook.
|
# ? Jan 31, 2019 21:58 |
|
There's two things going on. Facebook got an Enterprise Developer Cert from Apple that allows them to sideload apps signed with that cert onto devices that have the profile containing the certificate - otherwise Facebook would need to publish their lunch menu app in the App Store. This would usually just be a payload deployed via an MDM solution since they're company devices anyway. Facebook were using this certificate to enable non-Facebook employees to install their custom data harvesting application. This application would have installed a root cert and then a VPN profile and sent everything over this tunnel to Facebook, who could then decrypt the traffic. Deploying internal applications onto iPhones doesn't require you to MITM all the traffic.
|
# ? Jan 31, 2019 22:07 |
|
Thanks Ants posted:There's two things going on. Facebook got an Enterprise Developer Cert from Apple that allows them to sideload apps signed with that cert onto devices that have the profile containing the certificate - otherwise Facebook would need to publish their lunch menu app in the App Store. This would usually just be a payload deployed via an MDM solution since they're company devices anyway. And I'm guessing the permission to install a root CA for SSL sniffing is separate but facebook was granted it because they're big enough to need one.
|
# ? Jan 31, 2019 22:23 |
|
Harik posted:facebook was granted it because they're big enough to need one. Wrong.
|
# ? Jan 31, 2019 22:24 |
|
Harik posted:so it's not the developer cert that lets them MITM directly, but that "enterprise developer certs" come with the ability to install a root CA because they're supposed to be for company devices. I can go install a root cert for SSL sniffing right now on my iOS device with no special privileges. e: https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS
|
# ? Jan 31, 2019 22:26 |
|
Yeah anybody can install a root cert onto an iOS device. It throws up a lot of warnings but it doesn't stop you from doing it.
|
# ? Jan 31, 2019 22:30 |
|
Google just got all their poo poo killed at Apple too.
|
# ? Jan 31, 2019 23:02 |
|
Thanks Ants posted:Yeah anybody can install a root cert onto an iOS device. It throws up a lot of warnings but it doesn't stop you from doing it. That's definitely different than newer Android, I couldn't do it on 7+. Unrelated, any idea what this is? I paved two machines that were emailing it out but I want to make sure I don't miss it on anything else. It's detected in file form but the email itself wasn't for some reason. NVM it's a generic downloader so it does whatever the current server payload is today. Finally found one of the descriptors that was more than "this file is bad don't open it" gee thanks for that Microsoft. Harik fucked around with this message at 00:27 on Feb 1, 2019 |
# ? Feb 1, 2019 00:20 |
|
bull3964 posted:Google just got all their poo poo killed at Apple too.
|
# ? Feb 1, 2019 00:23 |
|
Facebook has a cert again so I'd imagine Google will too within a day or so
|
# ? Feb 1, 2019 00:38 |
|
Harik posted:The better question is why is apple allowing MITM certs to be installed to begin with? I don't think you can do that on android system-wide anymore, apps can add their own root but it only applies to their own traffic. You can't on Android, https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html?m=1 and this kinda crap is why
|
# ? Feb 1, 2019 01:03 |
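The two halves of the contrast the thread has been circling, as an added example that is not from the thread or from Apple, Google or Facebook: Thanks Ants' description of a profile that installs a root certificate and then a VPN payload, and the Android 7 change linked above under which apps no longer trust user-installed CAs by default. The script parses a constructed .mobileconfig with Python's plistlib and flags the payload types that add trust material or a tunnel, then parses two constructed Android network_security_config.xml files and reports whether the app's base config trusts user CAs. Every identifier in the samples (com.example.research..., vpn.example.invalid, the certificate bytes) is a placeholder.

```python
"""Added example: spot the profile pattern described above (root CA + VPN)
and check whether an Android app would trust such a user-installed CA.
Not code from the thread, Apple, Google or Facebook; all identifiers and
sample inputs below are constructed placeholders."""
import plistlib
import xml.etree.ElementTree as ET

# Apple configuration-profile payload types that add TLS trust material
# ("trust") or reroute traffic ("tunnel").
PAYLOAD_KINDS = {
    "com.apple.security.root": ("trust", "installs a root CA"),
    "com.apple.security.pkcs1": ("trust", "installs an X.509 certificate"),
    "com.apple.security.pkcs12": ("trust", "installs a certificate and private key"),
    "com.apple.vpn.managed": ("tunnel", "configures a VPN"),
}

# Constructed .mobileconfig (an XML plist): a root CA payload followed by a
# VPN payload, the combination the thread describes. The <data> is a stub.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.research</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.research.ca</string>
      <key>PayloadContent</key><data>MIIBCg==</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.research.vpn</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key><dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
      </dict>
    </dict>
  </array>
</dict></plist>
"""


def profile_findings(profile: bytes) -> list:
    """Return (PayloadIdentifier, kind, description) for every payload that
    adds trust material or a tunnel, recursing into nested Configuration
    payloads. A certificate payload's own PayloadContent is bytes, not a
    list, so only list-valued PayloadContent is walked."""
    findings = []

    def walk(payload: dict) -> None:
        info = PAYLOAD_KINDS.get(payload.get("PayloadType", ""))
        if info is not None:
            findings.append((payload.get("PayloadIdentifier", "?"),) + info)
        children = payload.get("PayloadContent")
        if isinstance(children, list):
            for child in children:
                if isinstance(child, dict):
                    walk(child)

    walk(plistlib.loads(profile))
    return findings


def can_decrypt_all_traffic(findings: list) -> bool:
    """True when the profile both installs trust material and routes
    traffic through a tunnel: the pattern that lets the profile's owner
    terminate TLS. (On iOS the root is still not trusted for TLS until
    the user also enables it under Certificate Trust Settings.)"""
    kinds = {kind for _, kind, _ in findings}
    return {"trust", "tunnel"} <= kinds


# Constructed Android res/xml/network_security_config.xml files. For apps
# targeting API 24+ the default trusts only the system store; the second
# file opts back into user-installed CAs via <certificates src="user"/>.
ANDROID_DEFAULT = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system"/>
  </trust-anchors></base-config>
</network-security-config>"""

ANDROID_OPT_IN = """<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system"/>
    <certificates src="user"/>
  </trust-anchors></base-config>
</network-security-config>"""


def android_trusts_user_cas(config_xml: str) -> bool:
    """True if the app's <base-config> trusts user-installed CAs, so a
    system-wide MITM cert would apply to it. <debug-overrides> are ignored
    (they only apply to debuggable builds); per-domain <domain-config>
    blocks are not examined here."""
    base = ET.fromstring(config_xml).find("base-config")
    if base is None:
        return False  # no base-config: platform default, system CAs only for API 24+
    return any(c.get("src") == "user" for c in base.iter("certificates"))
```

Two caveats the thread touches on. On iOS, a root CA delivered by profile is installed but, since iOS 10.3, is not used for TLS until the user flips it on under Certificate Trust Settings, so the check above reports capability, not that every app on the device is already being intercepted. On Android, the per-app opt-in is the point of the 2016 change: a user-installed CA (Fiddler, Charles, or a research profile) only reaches apps whose network security config asks for it, which is why the same trick does not work system-wide there.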
|
Sorry if this doesn't fit in with the rest of the thread. I have just moved to a new position. I have an 'IT Security Manager' reporting to me. Their role is quite poorly defined. As far as I can ascertain, they currently do the following 4 things:
What would you expect a high-performing IT Security Manager to do? E.g. would you expect them to be able to perform some vulnerability testing themselves? Would you expect them to develop reporting capability? Get involved in development practices? Any specific examples would be great. I suppose it seems odd to me that this person does not do any hands-on technical work, and they don't have a very deep technical understanding (e.g. didn't understand the mechanism behind a SQL injection attack). It's a professional services company, not a technology company. Usual sort of landscape, mostly Windows clients and servers.
|
# ? Feb 1, 2019 15:25 |
|
Why were they hired? Who hired them? Are they there just to tick a box in one of your contracts, and or to be a prop in client meetings? If you hired someone competent, would they leave from boredom/underpay? Volmarias fucked around with this message at 15:47 on Feb 1, 2019 |
# ? Feb 1, 2019 15:44 |