Get yer 170 million Facebook profiles right here

Security researcher Ron Bowes scraped more than 100 million Facebook profiles into a database and posted it online. How are you feeling about your Facebook privacy now?

By Dan Tynan

Well, that certainly got everyone's attention.

Yesterday, a security consultant named Ron Bowes published a database containing the names and public profile information of well over 100 million Facebook users and put it up on BitTorrent for all the world to download.

The official figure is 171 million profile entries, though it's unclear whether that represents 171 million distinct Facebook users. Still... it's a friggin' lot: somewhere between a fifth and a third of all Facebook members.

So far I've been completely unable to reach Bowes' Skull Security site -- no doubt overwhelmed with traffic after all the attention this story has gotten. And I've not yet downloaded that 2.5 GB torrent. So it's hard to gauge exactly what information Bowes managed to scrape.


It's important to note that Bowes accessed only information that was already public. He didn't hack anyone's account, and no passwords were involved. He probably violated Facebook's terms of service on automated data retrieval, but otherwise did nothing illegal.

Facebook's response: Feh. All of the information Bowes scraped off the site was public anyway. Much of it could be accessed via Google or Bing. Or, for that matter, Facebook's own directory of public profiles. Nothing to see here, please move along.

But deliberately or otherwise, Facebook is missing the point. There are billions of bits of information accessible via Google. They're all marginally useful -- until someone collects them all in one spot and organizes them. Then, suddenly, they can be extremely useful.

Think about it. You're searching for a new place to live. Do you use Google? No, you use a site like RealEstate.com or Apartments.com, which gather all the data you need into one spot, and sort it based on the information you're most likely to need.

Think about the phone book. Tons of information in there, but not terribly useful for looking up more than one name at once -- until you put it online. Suddenly it's a lot more useful. Now you can locate numbers for everyone in a particular area or ZIP code, plug them into a piece of software, and start robo-dialing.

That's the beauty of a database where you control the interface: You can mine that information and come up with stuff that would otherwise not be worth the effort to find. And that's what Bowes has essentially created.

Why did he do this? In an interview with the BBC, Bowes explained:

Mr Bowes told BBC News that he did it as part of his work on a security tool.

"I'm a developer for the Nmap Security Scanner and one of our recent tools is called Ncrack," he said.

"It is designed to test password policies of organisations by using brute force attacks; in other words, guessing every username and password combination."

By downloading the data from Facebook, and compiling a user's first initial and surname, he was able to make a list of the most common probable usernames to use in the tool.

The three most common names, he found, were jsmith, ssmith and skhan.

In theory, researchers could then combine this list with a catalogue of the most commonly used passwords to test the security of sites. Similar techniques could be used by criminals for more nefarious means.

Mr Bowes said his original plan was to "collect a good list of human names that could be used for these tests".

"Once I had the data, though, I realised that it could be of interest to the community if I released it, so I did," he added.

In other words, Bowes was just being a hopeless (and somewhat clueless) geek. He didn't do it to prove a point about how easily Facebook data can be manipulated and abused. But that's exactly the point he managed to make.
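To make concrete what the BBC passage above describes, here is an added example (not Bowes' code and no part of Nmap or Ncrack) of how a username list is derived from a list of real names and ranked by how often each candidate occurs. The sample names are constructed for illustration and are not from the scraped data; the scheme names, function names and the coverage check are this example's own. It goes a little beyond the article's single first-initial-plus-surname scheme: the same frequency ranking applies to any naming convention, and the last function shows the defender's side, how much of a real directory a short top-N list would actually hit.

```python
"""Derive probable usernames from real names and rank them by frequency.

Added example, not Bowes' code. SAMPLE_NAMES is constructed; scheme and
function names are this example's own inventions.
"""
from collections import Counter
import re
import unicodedata

# Constructed stand-in for a scraped name list: (first name, surname) pairs.
# The Cyrillic entry is there to show what happens to names that do not fold
# to ASCII at all.
SAMPLE_NAMES = [
    ("John", "Smith"), ("James", "Smith"), ("Jane", "Smith"),
    ("Sarah", "Smith"), ("Susan", "Smith"),
    ("Sam", "Khan"), ("Sara", "Khan"), ("Ahmed", "Khan"),
    ("Maria", "Garcia"), ("Mary", "O'Brien"),
    ("Jean-Luc", "Picard"), ("Zoë", "Müller"),
    ("Иван", "Петров"),
]


def normalize(token):
    """Fold a name token to the [a-z0-9] alphabet most login systems accept:
    strip accents (Zoë -> zoe), drop punctuation (O'Brien -> obrien), lowercase."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


# Username construction schemes. "initial_surname" is the one the article
# describes (John Smith -> jsmith); the others are common corporate
# conventions added here to show the ranking is scheme-independent.
SCHEMES = {
    "initial_surname": lambda f, s: f[:1] + s,    # jsmith
    "first.last":      lambda f, s: f + "." + s,  # john.smith
    "firstlast":       lambda f, s: f + s,        # johnsmith
    "surname_initial": lambda f, s: s + f[:1],    # smithj
}


def candidate_usernames(first, surname, schemes=SCHEMES):
    """All candidate usernames for one person, keyed by scheme name.
    Returns {} when either token normalizes to nothing (e.g. a non-Latin
    script), so callers skip the person instead of emitting 'smith' or ''."""
    f, s = normalize(first), normalize(surname)
    if not f or not s:
        return {}
    return {scheme: make(f, s) for scheme, make in schemes.items()}


def rank_usernames(names, scheme="initial_surname", top=None):
    """Derived usernames under one scheme, most frequent first.
    Frequency order is what makes the list useful to a guessing tool: each
    attempt is spent on the username most likely to exist. Ties keep
    first-seen order."""
    counts = Counter()
    for first, surname in names:
        username = candidate_usernames(first, surname).get(scheme)
        if username:
            counts[username] += 1
    return counts.most_common(top)


def coverage(names, wordlist, scheme="initial_surname"):
    """Defender's view: fraction of people whose derived username appears in
    wordlist, i.e. how much of a directory a top-N list would hit. People
    whose names do not fold to ASCII are excluded from the denominator."""
    targets = set(wordlist)
    hits = total = 0
    for first, surname in names:
        username = candidate_usernames(first, surname).get(scheme)
        if not username:
            continue
        total += 1
        hits += username in targets
    return hits / total if total else 0.0


if __name__ == "__main__":
    ranked = rank_usernames(SAMPLE_NAMES, top=3)
    print(ranked)
    top3 = [username for username, _ in ranked]
    print("share of sample hit by the top-3 list:", round(coverage(SAMPLE_NAMES, top3), 3))
```

Run against a real directory export (one name per line, split into first and surname), the same two functions tell an administrator how predictable their usernames are and how many accounts a short list plus a handful of common passwords would reach; that is the password-policy test Bowes describes, applied from the inside.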

If I were a scammer, I might use this information to sort Facebook users by location and target those living in the more affluent areas with the old "friend in peril overseas who needs cash immediately" attack. Or I might use it to guess their passwords, take over their accounts, and wring a few bucks out of their friends. There are probably more sophisticated and lucrative ways to use this information, and if I were a criminal I'd probably come up with them.

By the way, when you sign up for Facebook your information is publicly searchable by default. You can make it private by doing the following:

Go to Account/Privacy Settings. Under "Applications and Websites" (bottom left corner) select "Edit your settings." On the next page, find "Public search" and click the Edit Settings button. On the following page, find the "Enable public search" tickbox and, if there's a checkmark in it, untick it. Ignore that stupid warning Facebook puts up about people not being able to find you and click Confirm.

This will keep search sites like Google and Bing from finding your Facebook profile, though a cached version may be available for a while. It will not keep other Facebook users from finding your profile via the Facebook Directory, however.

Of course, at this point, Bowes' database has already been downloaded thousands of times. If your info was public yesterday, it's in the database today. Not much you can do about that one, I'm afraid.

The point: Your data, on Facebook and elsewhere, is more vulnerable and accessible than you think. Facebook really should own up to that. And you oughta be more careful with it.

ITworld TY4NS blogger Dan Tynan has no cash to spare, so if you're overseas and in peril, tough tatas. Check out his geek humor site, eSarcasm, and follow him on Twitter if you dare: @tynan_on_tech.


Author Dan Tynan has been writing about Internet privacy for the last 3,247 years. He wrote a book on the topic for O'Reilly Media (Computer Privacy Annoyances, now available for only $15.56 at Amazon -- order yours today) and edited a series of articles on Net privacy for PC World that were finalists for a National Magazine Award. During his spare time he is part of the dynamic duo behind eSarcasm, the not-yet-award-winning geek humor site he tends along with JR Raphael.

1 comment

    Anonymous 1 year ago
    And that is why I left FaceBook. I was on there not too long ago, and someone came onto my account and posted some stupid stuff on my wall while I was not even online. I warned others on that site already. I have never had problems from any of my other sites I go to. Facebook is the only site where I ever had an intruder come onto my account. And I did block my stuff, but it still didn't keep the hacker from invading my account. Facebook's security isn't safe! Simple as that. Oh... and having to give out your real name on that site surely wasn't a smart thing to do either. Easy target for anybody on there to get info about you, if you know the basic ways on a computer. They should let you make up your own screen name, so nobody gets hurt/invaded on their privacy, like other sites do. It should be your right to give your name out. I had to add lots of strangers to my list because of a game FACEBOOK had for us to play and they wanted us to keep adding people just to get further in the game. I know I was being DUMB there by doing so, but THOUGHT I was safe as long as I hid my stuff. Guess Facebook left the back door open to the hackers. Anyways... I'm never going back to the site. I'll stick to the ones I know that always lock their doors.
