Showing results for tags 'facebook'.
  1. Facebook advertisers are panicking after iOS cuts off key tracking data

     Facebook’s ads aren’t as effective after iOS privacy changes, advertisers say.

     Facebook’s ability to track users and show them certain ads appears to be tanking thanks to Apple’s “ask not to track” feature, according to some advertisers. Apple rolled out the privacy prompt in late April with iOS 14.5. Since then, nearly half of all iOS devices worldwide have at least version 14.5 installed, according to Statcounter, and a vast majority of these devices' users have chosen to deny Facebook and other apps the ability to track them. Nearly three months after the feature's launch, just 17 percent of users worldwide have opted in, according to analytics company Flurry.

     The changes could have a significant effect on Facebook’s bottom line. Eric Seufert, an analyst who writes Mobile Dev Memo, forecasts that if only 20 percent of users consent to tracking, Facebook’s revenue could drop 7 percent in the first full quarter that the opt-in prompt is active (the forthcoming third quarter). The company warned back in February that the iOS changes would curtail its ability to track users across the Internet.

     “It’s been pretty devastating for, I would say, the majority of advertisers,” Seufert told Bloomberg. “The big question is: Are we seeing just short-term volatility where we can expect a move back to the mean, or is this a new normal?”

     [Image: The Settings menu for managing tracking on a per-app basis in iOS. Credit: Samuel Axon]

     It may be some time before advertisers have an answer to that question. Facebook initially appeared to be taking the low opt-in rate in stride, with media buyers not noticing significant changes. But that has apparently changed in recent weeks, with some buyers reporting that ad effectiveness began dropping this month. Some advertisers, like e-commerce sites, appear to be hit particularly hard.

     Many retailers run software like Shopify, which shares customer data, including details about purchases that customers make on the site, with Facebook. That allows Facebook to refine its “lookalike” audiences, which advertisers buy access to so they can target other people who may be interested in buying the same thing. One way Facebook could deepen its data pipeline would be to deepen its integration in retailers' online stores, which it appears to be doing with the rollout of Facebook Pay for e-commerce platforms like Shopify.

     Before the new iOS feature was rolled out, media buyers reported that Facebook could capture as much as 95 percent of sales made on their clients’ sites. Now, many media buyers are reporting that Facebook is capturing only 50 percent of sales. One buyer reports that, with one client, just 3 percent of sales are showing up in Facebook’s ad manager.

     Other people visit e-commerce sites without purchasing anything, and to close the deal, retailers will “retarget” those users, showing them ads on Facebook for an item they viewed but didn’t buy. Those ads aren’t possible when “ask not to track” is enabled.

     "We believe that personalized ads and user privacy can coexist, without the collateral damage caused by App Tracking Transparency," a Facebook spokesperson told Ars. "We're also working on our own solutions to help businesses and investing in privacy-enhancing technologies designed to minimize the data we process, while still allowing us to show relevant ads and measure ad effectiveness."

     As users have asked Facebook not to track them, the company’s feedback loop has broken for a portion of its audience, costing it a key source of data. Though iOS doesn’t run on a majority of mobile devices, it does have a significant footprint in some of the world’s largest advertising markets, including the US. The US market is so important to advertisers that Flurry breaks out the country’s iOS tracking opt-in rate separately. Just 10 percent of US users opt in to tracking, compared with 17 percent worldwide.

     By opting out at such high rates, US iOS users could have a particularly significant impact on Facebook’s revenue. In the US and Canada last year, the company made five times more advertising revenue per user than its worldwide average. What happens to that number in the third quarter will reveal the extent to which tracking opt-out threatens the company’s earnings.

     Source: Facebook advertisers are panicking after iOS cuts off key tracking data
  2. Facebook Catches Iranian Spies Catfishing US Military Targets

     The hackers posed as recruiters, journalists, and hospitality workers to lure their victims.

     If you're a member of the US military who's gotten friendly Facebook messages from private-sector recruiters for months on end, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have some bad news. On Thursday, the social media giant revealed that it has tracked and at least partially disrupted a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, reeling in US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says that the hackers also pretended to work in the hospitality or medical industries, in journalism, or at NGOs or airlines, sometimes engaging their targets for months with profiles across several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that have focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans, and to a lesser extent UK and European victims.

     Facebook says it has removed "fewer than 200" fake profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that hackers had targeted them. "Our investigation found that Facebook was a portion of a much broader espionage operation that targeted people with phishing, social engineering, spoofed websites, and malicious domains across multiple social media platforms, email, and collaboration sites," David Agranovich, Facebook's director for threat disruption, said Thursday in a call with press.

     Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other better-known Iranian groups known by the names APT34 or Helix Kitten and APT35 or Charming Kitten, first came to light in 2019. At that time, security firm Symantec spotted the hackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the company's customers with a piece of malware known as Syskit. Facebook has spotted that same malware used in this latest hacking campaign, but with a far broader set of infection techniques and with targets in the US and other Western countries instead of the Middle East.

     Tortoiseshell also seems to have opted from the start for social engineering over a supply-chain attack, starting its social media catfishing as early as 2018, according to security firm Mandiant. That includes far more than just Facebook, says Mandiant vice president of threat intelligence John Hultquist. "From some of the very earliest operations, they compensate for really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really adept," Hultquist says.

     In 2019, Cisco's Talos security division spotted Tortoiseshell running a fake veterans' site called Hire Military Heroes, designed to trick victims into installing a desktop app on their PC that contained malware. Craig Williams, a director of Talos’ intelligence group, says that fake site and the larger campaign Facebook has identified both show how military personnel trying to find private-sector jobs pose a ripe target for spies. “The problem we have is that veterans transitioning over to the commercial world is a huge industry,” says Williams. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are attracted to certain propositions.”

     Facebook warns that the group also spoofed a US Department of Labor site; the company provided a list of the group's fake domains that impersonated news media sites, versions of YouTube and LiveLeak, and many different variations on Trump family and Trump organization–related URLs. Facebook says that it has tied the group's malware samples to a specific Tehran-based IT contractor called Mahak Rayan Afraz, which has previously provided malware to the Iranian Revolutionary Guard Corps, or IRGC—the first tenuous link between the Tortoiseshell group and a government.

     Symantec noted back in 2019 that the group had also used some software tools spotted in use by Iran's APT34 hacking group, which has used social media lures across sites like Facebook and LinkedIn for years. Mandiant's Hultquist says it roughly shares some characteristics with the Iranian group known as APT35, too, which is believed to work in the service of the IRGC. APT35's history includes using an American defector, military intelligence defense contractor Monica Witt, to gain information about her former colleagues that could be used to target them with social engineering and phishing campaigns.

     The threat of Iran-based hacking operations—and particularly, the threat of disruptive cyberattacks from the country—may have appeared to subside as the Biden Administration has reversed course from the Trump administration's confrontational approach. The 2020 assassination of Iranian military leader Qassem Soleimani in particular led to an uptick in Iranian intrusions that many feared were a precursor to retaliatory cyberattacks that never materialized. President Biden has, by contrast, signaled that he hopes to revive the Obama-era deal that suspended Iran's nuclear ambitions and eased tensions with the country—a rapprochement that has been rattled by news that Iranian intelligence agents plotted to kidnap an Iranian-American journalist. But the Facebook campaign shows that Iranian espionage will continue to target the US and its allies, even as the broader political relations improve. "The IRGC are clearly conducting their espionage in the United States," says Mandiant's Hultquist. "They're still up to no good, and they need to be carefully watched."

     Source: Facebook Catches Iranian Spies Catfishing US Military Targets
  3. Three big questions about Facebook’s new VR ads

     Lots of people saw this coming, but what will it look like?

     Yesterday, Facebook took a leap many people have been predicting for years: it started putting ads inside virtual reality. The company launched a limited test of advertisements inside three Oculus Quest apps, saying it would expand the system based on user feedback. The move is a turning point for Oculus, bringing one of Facebook’s most controversial features into a medium that inspires both idealism and alarm. And it raises three big questions about Facebook’s future and immersive computing.

     The first question is how deeply Facebook will end up linking advertising with hardware sensor data. Even more than smartphones, Oculus Quest headsets are a gold mine of information about you. They capture precise head and hand motion, pictures of your surroundings through tracking cameras, and microphone audio for Facebook’s voice command system. Future headsets will likely include even more intimate features like eye tracking, which would offer incredibly precise metrics on what captures your attention in VR. Right now, Facebook says much of this data either never leaves your headset or is completely segmented from its advertising system, and it says it has “no plans” to do things like target ads based on movement data.

     But as Facebook moves deeper into virtual and augmented reality, using its hardware’s special features for advertising will become an increasingly attractive prospect. Facebook is reportedly working on a fitness tracker and has discussed building AR glasses that you’ll use to interact with the world. These products are custom-built to produce quantifiable insights about your body and surroundings, and it’s hard to believe Facebook doesn’t have plans to monetize that — even if Facebook Reality Labs head Andrew Bosworth has said the company is “not really focused on business model” questions for experimental hardware. Oculus is Facebook’s first big test case for advertising on its own computing device, and as it expands ads on VR and other hardware, we’ll see how it handles the wealth of new data types it’s collecting.

     The second question is how ads will affect VR development. Several of the bestselling VR titles right now feel like substantive console or PC games and sell at a similar price. By contrast, it’s not yet clear which app genres work well with an ad-based model. (Blaston, the first game we know includes ads, is a multiplayer dueling game that you play in short competitive bouts.) Whatever those genres are, Facebook just created an incentive to make a lot more of them, since developers get a cut of the revenue involved.

     It’s easy to imagine dystopian scenarios like a huge library of attention-grabbing but low-quality games and social apps plastered with pop-ups, or the seizure-inducing corporate hellscape from Ready Player One. It doesn’t help that Facebook’s first tests look like flat banner ads from a website or freeware game. That said, Facebook is notoriously picky about what goes into the Quest library and there’s no indication that will change soon.

     We also don’t know VR advertising’s final form. Facebook says it’s currently exploring “new ad formats that are unique to VR.” It didn’t specify what that looked like, but for one nontraditional ad platform, we could look at Fortnite — a popular virtual world from a studio with an impeccable gaming pedigree, and one of the most effective ad delivery systems in the modern cultural landscape. (A system where players pay to promote the intellectual property of multinational media conglomerates is possibly also dystopian, but in a way most people seem okay with.)

     Modern consumer VR headsets have been full of ads since practically the beginning, thanks to promotional tie-ins and sponsorships. Yesterday’s news was just the latest iteration of a long-running trend. This iteration, though, has a big Facebook-shaped wrinkle. The Quest ads are served based on data from your Facebook profile, and Facebook’s hyper-personalization is one of its most controversial features — criticized in general as a tool for social division and more specifically for enabling discrimination. Beyond any larger social effects, if you’re sharing a headset with friends and family, it could feel simply invasive to have them see what Facebook thinks you’re into. You can add multiple accounts to a Quest headset, but the feature is experimental and it’s not clear how many users know about it.

     And that raises the third question: how will Facebook and its critics address general concerns about “Big Tech” in the realm of VR? Should Facebook, for example, ban specific kinds of ads — or methods of ad delivery — from appearing in headsets? And should consumer protection watchdogs look specifically at how ads work inside the Oculus platform, which they’ve largely ignored when scrutinizing Facebook?

     It wasn’t hard to see these debates coming. Facebook has wanted to own the next computing platform for years, and its vision of computing relies a lot on advertising. Oculus founder Palmer Luckey once promised that Oculus wouldn’t “flash ads at you” inside VR, but he (along with Oculus’ other early executives) left the company years ago. Bosworth said in 2015 that the Oculus experience “should include ads, because life includes ads.” But Facebook says it’s not just barreling ahead with a long-held master plan — instead, it promises it’s looking at feedback as it moves forward with VR advertising. As VR gets closer to Facebook’s core business, Quest users and developers will get to see if the company keeps that promise.

     Source: Three big questions about Facebook’s new VR ads
  4. Facebook begins tying social media use to ads served inside its VR ecosystem

     Announcement doubles down on Facebook account requirement for Oculus hardware.

     Everything we've feared about the Facebookening of Oculus and its virtual reality ecosystem is starting to come true. A Wednesday blog post has confirmed that Oculus, the VR-specific arm of Facebook, is now displaying advertisements in select VR games and apps to their players. As Facebook has since emphasized in emails sent directly to the press, these ads will leverage "first-party info from Facebook to target these ads"—and FB has yet to announce any limitations for what Facebook account data may be leveraged. (Ars Technica was not briefed about this news ahead of the announcement, and we did not get the opportunity to request the comments that other members of the media received.)

     FB's additional clarifying statements about biometric and use data inside of VR are carefully worded to clarify that the company does examine specific use data as it sees fit, and for now, that data won't apply to its new advertising platform. Facebook says it processes and keeps track of the following data, uploaded by users while connected to any Oculus services:

       • "Weight, height, or gender information that you choose to provide to Oculus Move [a pre-installed fitness suite]"
       • "Movement data" that Facebook uses to "keep you safe from bumping into real-world objects"—in other words, every single way your head and hands move around within VR and relative spatial data about the rooms you play VR within, which researchers have concluded can be used to create a recognizable biometric profile after only minutes of training
       • "The content of your conversations with people on apps like Messenger, Parties, and [Oculus] chats or your [Oculus] voice interactions"

     For now, Facebook continues to tell users that "data that are processed on the device" are not uploaded to Facebook servers, which include "raw images" from Oculus headset sensors and "images of your hands" in its hand-tracking interface. Meanwhile, if you'd like to know how much of your use data inside of Facebook (and Instagram and other FB-connected services) might be leveraged by its combined advertising network, clear the rest of your day's schedule and dive in.

     Today's announcement emphasizes that this advertising option is meant to generate "new ways for developers to generate revenue." The thing is, Facebook itself created a revenue blocker for VR game and app creators up until now, since its "app policies" agreement has always forbidden third-party advertising services inside of any products. Now that Facebook can operate the advertising platform and skim revenue off the top, things have changed.

     How rapidly will the downstream soon run? Facebook itself suggests that advertising is a key element in its VR business going forward: "This is a key part of ensuring we're creating a self-sustaining platform that can support a variety of business models." It also admits that product pricing can vary with advertising in the mix: "It helps us continue to make innovative AR [augmented reality]/VR hardware more accessible to more people." That news is unsurprising to anyone who follows Facebook's quarterly financial results, which revolve largely around its targeted advertising platforms that deftly move from app to app and from service to service.

     Meanwhile, rival VR hardware manufacturers like HTC have loudly shot back at Facebook's cheap-hardware sales approach. Recently, HTC Vive general manager Dan O'Brien said the following to Ars Technica:

       When pressed about Oculus as VR's top-selling consumer option, O'Brien was frank: HTC wants to make its VR money from upfront purchase revenue, not from "downstream" opportunities. He described at length the business model of "some brands" subsidizing expensive hardware at a lower MSRP "with the hope of monetizing downstream on shared services" and "maybe using data-mining tactics to understand user behavior and then run a program that also generates downstream income."

     But also: notice the official mention of augmented reality in Facebook's Wednesday pitch. The most recent Facebook Connect presentation revolved around Oculus research and hardware, and included a wide-open pitch hosted by longtime Oculus lead Michael Abrash. He spoke of the company's ambitions for Google Glass-like hardware that people may one day wear in public, full of real-time virtual images embedded in your nearby surroundings and high-level processing of all nearby audio and conversations. While we aren't surprised that Facebook might want its eventual always-on-your-face device to tap into its advertising ecosystem, today's announcement is a clear warning: if such a product should reach the market, it, like the $299 Oculus Quest 2, could very well be priced to move—but at a cost outside of shoppers' dollars and cents.

     As a reminder, all new Oculus-branded hardware going forward requires a Facebook account to work. Meanwhile, hardware sold before that rule change went into effect will require a ToS agreement beginning January 1, 2023. And the company's combined ToS can penalize users for creating phantom or dummy Facebook accounts for the sole purpose of enabling connected Oculus VR features; by agreeing to that ToS, Facebook can void your account and its related purchases, should they be found in violation of its rules. And as Facebook continues acquiring VR-focused video game developers, particularly the makers of megahit Beat Saber, those fully owned development houses could reasonably become prime targets for Facebook's internal advertising tools. Big companies don't acquire successful, smaller ones for charity, after all.

     Source: Facebook begins tying social media use to ads served inside its VR ecosystem
  5. Facebook’s Head of Oculus and VR Is Leaving the Company

     Hugo Barra, who has served as VP of Facebook Reality Labs for the past four years — overseeing the social giant’s Oculus team and its VR and augmented reality development projects — is exiting his post. Barra announced his departure in a Facebook post Monday, saying May 17 is his last day at the company. He said he plans to “explore the healthcare technology space” in his next venture: “I hope to be able to apply what I’ve learned from working in the consumer tech industry to help solve meaningful problems in the healthcare world.”

     Barra joined Facebook in 2017 from Chinese mobile phone upstart Xiaomi, where he was VP of global for a little over three years. Before that, Barra was VP of Android product management at Google, where he was one of the most prominent faces of the search giant’s mobile efforts.

     “When Mark Zuckerberg approached me 5 years ago to come to Facebook to lead the Oculus team and work on virtual reality, I knew I was jumping into an ambitious journey to help build the next computing platform but I couldn’t have imagined just how much this team would get done in just a few years,” Barra wrote. Zuckerberg, in a comment replying to Barra’s post, said, “Thanks for everything you’ve done to help build the next computing platform and the whole ecosystem around it. I’ve learned so much working with you, and I’m excited to see what you build next.”

     In his farewell Facebook post, Barra called out “what we accomplished together” with Oculus Go, Oculus Quest and Quest 2. Barra added that “I’m equally excited about what’s yet to come, starting this year with the launch of Facebook’s smart glasses in partnership with Ray-Ban, which will begin connecting the dots from today’s VR headsets to tomorrow’s AR glasses.”

     Recently, Facebook Reality Labs researchers released a first look at its latest prototype: a wrist-based controller that uses a combination of artificial intelligence and input from a wearer’s nervous system to interact with VR and AR environments.

     Source: Facebook’s Head of Oculus and VR Is Leaving the Company
  6. GDPR regulators are urged to enforce a Europe-wide ban

     Germany has banned Facebook from collecting data on WhatsApp users within the country's borders. According to the Hamburg Data Protection and Freedom of Information Commission (HmbBfDI), the app's new data collection policies, as well as Facebook's aggressive efforts to persuade users to accept them, conflict with the GDPR. In a press release, HmbBfDI commissioner Johannes Caspar stated that Facebook has a history of user-privacy abuse, citing the Cambridge Analytica scandal and the recent leak of 500 million records as examples.

     The commissioner is particularly concerned that WhatsApp's less transparent advertising policies may have a role to play in the German elections coming up in September. Caspar stated that "In view of the nearly 60 million WhatsApp users with a view to the upcoming federal elections in Germany in September 2021, the risk is all the more concrete, as these will arouse desires after influencing the opinion-forming of Facebook's advertisers".

     WhatsApp’s Terms and Conditions violate GDPR

     WhatsApp's data collection has been allowed for three months by the HmbBfDI. In the meantime, the European Data Protection Committee (EDPC) was asked to decide the case on a European level. If the EDPC finds that WhatsApp is in violation of the GDPR, a more permanent ban will be implemented in all member states, including Germany, until WhatsApp changes its policies.

     Facebook has vehemently denied any wrongdoing. According to a spokesperson quoted by Bloomberg, the commission's emergency order is based on a fundamental misunderstanding of WhatsApp's terms and conditions. Despite the ban, Facebook plans to roll out the new rules.

     Facebook threatened to delete users' accounts if they did not agree to the terms after attempting to downplay its data collection policy. However, following widespread criticism, the social media company toned down the threat, opting instead to bombard users with nagging consent popups. If the reminders are ignored, the app will gradually lose key features until it becomes useless. Users have until May 15 to accept the updated terms.

     Source
  7. Mark Zuckerberg on Facebook's VR future: New sensors on Quest Pro, fitness and a metaverse for work Exclusive: Facebook's CEO talks about what the next headset could bring, how fitness plays into the picture, and whether there will be kid accounts for VR anytime soon. Brett Pearce/CNET Five years after Facebook released its very first PC VR headset, and over a year into the pandemic, VR has been getting a closer look in a world where remote work has become standard and virtual life has become normal even without headsets. I met with Mark Zuckerberg in person a year and a half ago to talk about the next steps for VR and the possibilities of augmented reality, just a few months before much of the globe went into coronavirus lockdown mode. Now, as the world is figuring out how to slowly reopen for business, I spoke with Facebook's highest-profile VR advocate again -- this time remotely -- to talk about how his latest VR headset, the Oculus Quest 2, is doing. In a world of remote work where VR headsets still don't fit into the picture too much -- just 5.5 million headsets were estimated to be sold last year -- I wanted to hear what Facebook's CEO thinks will come next. Zuckerberg says that the Oculus Quest's greatest strength against its competition is its convenient wire-free experience, and that bringing the price down from the original $399 to $299 in October was a strategic move, intended to get more people to embrace VR. But Zuckerberg says he wants to upgrade the VR experience even more with the Quest Pro, a device that could include new sensors -- face and eye tracking or maybe even fitness -- in a higher-end self-contained system. The new sensors could add a greater sense of "presence" as part of Facebook's plan for social VR. It could also come at a higher price, as Zuckerberg says, "there's some ability for it to be a little more expensive." 
But the overall goal for Facebook right now, Zuckerberg told me, is to widen adoption so the world's largest social media network can create more social opportunities for engaging in a virtual world. And he's willing to lose money to win over people. "We're not approaching this from the perspective of, how do we charge people as much money as possible and make profit on the devices?" Zuckerberg said in our 30-minute conversation. "What we saw was virtual reality is really about this sense of presence and therefore, it's about social connection, more than it's about whatever the technology is." For Zuckerberg, this isn't about resolution or processor speed. It's about creating an immersive world to fall into. "We want to get as many people as possible to be able to experience virtual reality and be able to jump into the metaverse and … to have these social experiences within that," he adds. "That's really where our bread and butter as a company is in terms of building those experiences. That's also what our business is." Facebook is getting closer to launching this world in the form of a large-scale social metaverse called Facebook Horizon that, with creative tools and user-created worlds, looks reminiscent of apps like AltspaceVR, Rec Room, and maybe even Fortnite, Roblox and Minecraft. Zuckerberg calls Horizon a "very big priority" for Facebook, something that will "play a big role toward helping to build out this broader metaverse that will go across all of virtual and augmented reality." It's an approach that feels similar to Microsoft's. Zuckerberg plans for Facebook's employees, who will be able to work remotely in our new postpandemic, hybrid workplaces, to start testing Horizon. He says it's an important "dogfooding" step for developing the platform more as it nears public launch sometime in the as-yet-to-be-determined future. Tellingly, we didn't speak over VR or even over Zoom video, instead opting for a Zoom audio call. 
Zuckerberg says he doesn't find Zoom meetings memorable or compelling. "I find that when I'm on a bunch of video calls, they all kind of blend together and I have a hard time remembering exactly which call something was said on or it's just kind of harder to place it because there's no real sense of space," he notes. And though he admits that videoconferencing has its positives today -- including higher video quality than you get in VR right now -- he's also confident that people will see the benefits of VR. "There are a lot of advantages to the presence that you get in virtual reality compared to the other modes of communication that we have. If we're already there with the fidelity of experiences that are possible today, to me that just says, wow, in five years this is going to be clearly better on almost all of these fronts for a lot of the things that we do." That VR future, however, still isn't designed for kids, despite a growing number of children I know using the Oculus Quest at home. Zuckerberg doesn't see a kid mode for Oculus VR being in the works anytime soon, either, but admits a large interest in VR for education overall. Facebook is also working on more advanced AR glasses with wrist-worn neural interfaces, but that may still be many years away. Before that, an Oculus Quest Pro could bring more advanced sensors into Facebook's VR ecosystem first. We also talked about the possibilities for what a step-up Oculus Quest Pro could bring next and what VR apps Zuckerberg spends time with at home. Below is our conversation, lightly edited for clarity. Mark Zuckerberg using the Oculus Quest 2, Facebook's latest VR headset. Facebook It's been five years since the Oculus Rift came out. Where do you see VR and AR tech for you now versus what it was even in 2019? Are things significantly changed? Or are there things that you wish were here but still aren't? It's an incredibly exciting time for this. 
It's pretty amazing to see how a lot of the aspects of the original vision, and what we hoped would play out here, are starting to fall into place. You know, it's still a long-term journey. There's still a ton that needs to get done over the next five-plus years to really deliver all the experiences that we want. But there are a lot of awesome pieces that are coming into place. And I'm excited to get a chance to talk about those today.

At the same time, you're right that with the pandemic and more people shifting toward being more remote more of the time, that's just put even more importance on building technologies that give us a sense of presence, and that help us feel like we're together and really get to connect naturally, whether that's socially or professionally or for entertainment and playing games. That's always been the promise of virtual and augmented reality. Unlike every other computing platform and type of screen that we've had to date, these platforms give you a sense of presence, like you're right there with another person or in another place. That's pretty magical. Every other communication tool that we've built up to this point is trying to approximate that, but virtual and augmented reality are the first ones that really deliver that sense of presence. And I know that is going to be increasingly important as the world, I imagine, will stay more remote as we come out of the pandemic.

You mentioned presence, and I think a lot about social [uses]. At the same time, I talk to some people and they don't have any VR headsets. Other people I know are starting to actually buy them. I was curious where you see that right now. You don't specifically mention sales numbers, but you've mentioned sales coming along, but not necessarily being as big as the Nintendo Switch. Do you think VR has achieved that social level you wanted?

We're in the second generation of Quest now, and what I can say is that Quest 2 is doing quite well.
It's meaningfully outperforming even what we'd hoped for it. So that's great. The Quest was where we really cracked the form factor and got it to be a wireless device that can do high-quality experiences. When you're talking about virtual reality, in the sense of presence, there really is something that's incredibly important about it being wireless. If you [have a] wire that's wrapped around your neck or draped over your shoulder and it's touching you, it really just breaks the whole illusion and sense of presence. It's a big step forward in terms of quality of the experience, and it requires a lot of innovation to achieve that. What we've seen is that a lot of the other folks in the space haven't been able to deliver that wireless experience yet, and I think that will likely continue to hold back some of those products.

But we had the first-generation Quest, we improved on it with Quest 2. That's going quite well. So what I look at is the trajectory of how these things are going, how is the next version after that going to go, and the next version after that. We have really exciting products in the road map for down the line that I just think are going to be really awesome. But you know, Quest 2 has been an inflection point for the adoption around this.

You mentioned some of the road map. And recently I heard a chat mentioning the existence of a Quest Pro. Is that something that would be for business? Or do you imagine there being possibly different levels of interest at different tiers for what the Oculus Quest could be?

This is certainly something that we're working on. Basically, having a higher-end virtual reality experience. Traditionally, if you wanted to get a virtual reality device that had more power, the thing that you did was you wired [it] into a PC or some other computer, that's one way to do it. But I think the trade-off on requiring the wire is too great in terms of the experience ...
what you trade off on immersion and being able to walk around -- even if you're sitting at a desk and doing productivity work. I don't think you want that wire basically breaking the sense of presence. So even for Quest 2, we focused a lot on AirLink, which we just released. It's the ability to now stream games from your PC, so you can take advantage of the power of the PC and still have a wireless experience, which is really important. But there are other aspects that make virtual reality a higher-end experience as well, including putting more power in it in terms of different types of sensors and capabilities on the device.

We do want to be able to support a wider range of use cases. I mean, it's one of the things that's been quite exciting with Quest 2 -- seeing it broadened out. It's still primarily gaming. But we're starting to see the top few apps are social apps where people hang out together. We're starting to see an increase in apps for creative production or productivity or people getting together to work. One of the things I've been pretty excited to see is this growth of fitness apps. So you see apps like FitXR and Supernatural, which are basically subscription services where you can take different classes doing boxing or dancing or different things. It's almost like Peloton. It's just kind of as easy to jump into, and you're paying a subscription. Now you can do your workouts that way.

From my perspective, it's filling out the initial vision and hope that we had for VR about how there are going to be all these different use cases. It's amazing for gaming, but it's not only for gaming. Part of the question is if you were focused on building a higher-end device that could really max out further on some of those other use cases, in addition to doing the gaming pieces, there are some interesting questions about how you design.
Now it's not coming out anytime soon, but that's certainly something that we're excited about and having different products that basically can serve different use cases really well.

[Photo: Mark Zuckerberg at Facebook's Redmond, Washington research lab in 2017, looking at prototype hardware. Credit: Facebook]

You mentioned fitness: It's an area I definitely want to talk to you about because I've been using my [Quest 2] more for that. I see that it's being positioned for that. I saw an ad in the New York Times talking about it as a fitness device, and I believe Facebook as a company is allowing expensing of it as a health and wellness device. Do you use it for fitness yourself?

I use all these different apps. I love Beat Saber. That's one of my favorite things on Quest. I've certainly enjoyed FitXR as well. And I'm a big runner. So we don't quite have that in VR yet. I am also a surfer and a foiler. I really want us to get a good experience where you can basically do the pumping part in VR, but we don't quite have that yet. But I think in all these things, doing Beat Saber or FitXR or Supernatural, they're real workouts. If I'm in Beat Saber, especially if I'm competing with one of my friends for half an hour or an hour, you definitely work up a sweat. You get tired by the end of that. So it's pretty active. And I think it's pretty clear why people really like it.

Do you set up a space in your home that's a dedicated VR zone where you do these things, and is there any time of day where you might do workouts with this?

One of the things about Quest, and it being wireless and stand-alone, is it is really portable, to be able to do it anywhere. So I have [it] in our living room and in our basement. To be honest, sometimes I'll kind of go down there and there's sort of bigger open spaces. But I'll even just do it in our bedroom, where I probably have a more traditional, not particularly huge space to do it, but definitely enough.
But again, I think this gets down to the form factor question. At the time we were getting into the experience, you had to be tethered to a desk or tethered to the same room as where your gaming PC was. [That] was just a bit more limiting for people and getting it to be more free-flowing is a very big advance in terms of letting people try it on in different places, making it easier to jump in. That's a big part of what we're seeing here, and why we're so dedicated to wireless as the form factor. All the things that we're going to focus on, including the future Quest Pro work that we're thinking about, that's just going to be a killer part of it.

You also asked about routines. I have this one group of a bunch of my friends on a Messenger group thread. And it's like our metaverse thread. Every weekend or so, someone pings the thread and is like, 'Hey, do you want to play Onward?' Or, 'Do you want to play Population: One? Or do you want to play Arizona Sunshine?' Those are a bunch of my favorite multiplayer games. That's probably the closest thing that I have to a real ritual around this -- kind of getting together with friends and going to do this. Over the last year, especially during the pandemic, when I couldn't see a lot of these people in person, it was just really a neat thing to be able to do. [It] really drove home for me the value of being able to have those kinds of social and gaming experiences together.

I'm sort of getting into the same when you mentioned fitness. You mentioned sensors... it raises the question for me, do you think that there's a chance of these fitness apps working more with watches and trackers? I know you're working on wrist tech for neural inputs and AR. Does that open doorways for VR? And are you looking at more of a wellness direction for what fitness can do?

These are all really interesting questions. We are certainly working on the neural interfaces part and the wrist interface around that.
Our hope is that eventually that works across virtual and augmented reality, and will be valuable across all these things. Getting back to your question around Quest Pro, there are a lot of sensors that would add different senses to the overall experience. We've talked a bit about things like eye tracking and face tracking, and you're talking now about things like different health sensors, whether that's heart rate monitoring or the different other kinds of fitness sensors that you might have on a fitness watch. The basic thing that these all have in common is that each of them takes additional compute power to power the thing. And the whole device needs to be tuned for that. So if you want to basically have a device over time that is just capable of all these things and is running an increasing number of sensors, you need to kind of get to higher- and higher-end devices.

And then the question for us is going to be, well, how do we innovate on what that's going to look like and be able to deliver something that's a high-end product? And then also, how do we get it to be something that is really affordable for a very wide number of people, because our mission as a company is really to help connect everyone, right? Our approach to VR is, rather than building a device and trying to sell it at a premium and make a bunch of money on the device, what we want to do is build a great experience and make it so that as many people as possible can experience this and can be part of this metaverse. And at the end of the day, we build experiences that are part of that and that will be the long-term business that we do. So I think the innovation on the sensor side, the compute side, to make sure that we can build devices that power these both at the high end, and devices that can be broadly available to everyone, that's a big part of what we're focused on over the next five years.
It sounds like affordability is a big part of that too, when you mentioned not climbing too high in price. Already the Quest 2 is reduced in price (from $399 to $299 today) and it's gotten to a point where it's game console-level, which is not something that other companies have been able to hit yet.

That's right. I mean, getting to $299 on Quest 2 was a really big deal. That's something we wanted to get to, the team worked really hard on that. I'm really proud of them. They did a lot of really hard work to be able to achieve that. And we wanted to see how that would affect accessibility for it. That's been pretty good in terms of the results that we've seen there. But as you mentioned, at this point, even game consoles are more expensive than that. So I think there's some ability for it to be a little more expensive. But our bottom line on this is: We're not approaching this from the perspective of, how do we charge people as much money as possible and make profit on the devices? We want to get as many people as possible to be able to experience virtual reality and be able to jump into the metaverse and then be able to have these social experiences within that. Then that's really where our bread and butter as a company is in terms of building those experiences. That's also what our business is.

Speaking of social, you just launched a revamped version of social avatars. [Facebook] Horizon, which seems like Facebook's metaverse, keeps approaching. Have you been spending time inside [Horizon]? I've had two demos in Horizon over the past couple of years. But I was curious if you're spending time in there and whether that might be heading toward a launch?

Yeah, this is a big project for us because there needs to be a social fabric that goes across all of the different layers of virtual reality. That's what we hope to do with Horizon.
So part of it is we're building this environment where individual creators can create worlds and you can hang out with your friends. Part of it is, we're building out this avatar system that is going to get increasingly expressive on the one hand, and then if you want, also increasingly realistic. Although I think not everyone wants to be exactly realistic all the time, so you want to kind of offer both expressive and realistic. There are all these different services in this. But basically, that's a big part of what we want to do around Horizon. And it also spans not just social use cases, it's not just gaming. I think it's also going to be work and collaboration and productivity, and that's a big thing that we focused on.

There are some interesting experiences in virtual reality now. I have to say, one of the things that I've been excited about as we start thinking about what the policies are going to be around how employees start returning to the offices, and after the pandemic clears up, one of the things that I hope is that, going forward at Facebook, in addition to doing videoconferences and stuff like that, I want to basically have our culture be that a lot of our employees are holding meetings in VR, in something like Horizon. So that way, every employee of the company is kind of contributing to giving feedback, helping to tune and make those experiences better and better so that they can serve all these different use cases.

In the beginning, when we got started working on virtual reality, what we saw was virtual reality is really about this sense of presence, and therefore, it's about social connection more than it's about whatever the technology is. I would expect that as these things get built out more, whether it's just use cases for hanging out and chatting, or playing different things together, or working together and collaborating, I would bet that those will be a lot of the biggest uses of this over the long term.
We're very focused on just giving creators and developers the tools to build that with Horizon. It's a very big priority for us. We're not building it as just a single app or experience. We're building it out as more of a platform that will enable people to build a lot of these different things over time. That's why we're building it methodically, and step by step. Maybe it's taken a little longer than we would have thought to kind of have its first major, completely open release. But it's a very important part of what we're doing and the whole vision here. And I think it will play a big role toward helping to build out this broader metaverse that will go across all of virtual and augmented reality.

Do you see Horizon as a chance to rethink what the idea of what social media is for Facebook? Or do you also see ... there are more Facebook elements coming into VR. Do you see that continuing?

It's an interesting question. I certainly think that this is going to rethink what our perception of social experiences are. You asked about social media specifically, but I think social media is one category of social experiences, right? I don't know if you'd consider, for example, WhatsApp to be social media in the same sense that you would say that Facebook or Twitter or YouTube are. And so, similarly, I think that what you're going to see with the metaverse and people interacting in virtual and augmented reality is it's probably at least as different if not more from all these 2D-type interfaces, even though there will be some similarities. It is sort of an environment, an opportunity to kind of imagine what these social experiences can be in a completely different environment.

This is a lot of what gets me really excited about this, is that I literally remember when I was a kid, in middle school, sitting in my math class, basically sketching in my notebook every day.
I just kind of dreamed, while the teacher was going on and lecturing about something, about what I wanted to go home and build and code that night. And the tools didn't exist yet to do this, but the ultimate thing that I really hoped to do one day was build out this kind of 3D immersive world where people can build different things. I feel like now that's starting to become possible with all this technology. And I think that's super exciting.

So now, we're literally able to start building and imagining some of these experiences that are like the holy grail of social experiences, because you're going to be able to -- with AR glasses in the future, when we're having this conversation -- you'll be a hologram sitting on my couch next to me, rather than doing this over video or doing this over audio. Or in virtual reality, we can go into the same space. In a lot of ways meetings in VR today, or kind of hanging out, already feel more present and realistic than being on videoconference with someone because of the spatial audio. If someone's to your right, you hear it coming from the right, you have a shared sense of the space, which you don't when you're on, say, a Zoom call for example, where everyone's grid is a little bit different and all your meetings kind of look the same.

I do think the social experiences here are going to be different, but pretty awesome. And I think getting a chance to build that from the ground up, not within sort of a box or platform that's defined by other companies, who have their own sense of what a computer or a phone or something are, but really getting to design that whole experience from first principles around how people should be able to be present and connected with each other, is a lot of the most exciting work that we're doing.

I think about that excitement -- you bring up dreaming this as a kid, and we talked about using VR in the here and now, and what it's becoming for people.
I see a lot of people -- I wanted to bring this up because my nephew wanted me to ask this too -- I know a lot of people who are getting an Oculus Quest, and their kids are playing games in it. And it's interesting, because I know there's no Facebook account setup for under 13. Parents are doing stuff with them with it. But also I wonder how you feel about that, and if you see more of a role for it with kids or a kid mode. My 13-year-old nephew was asking me to ask you about if you're going to be adding more things like that. Or a kid's version of the headset at some point?

It's a good question. And I imagine that is part of the full vision over time, we'll have to address that more. But as you know, in order to use this, you sign in with your Facebook account. That way you can have all your friends there and have the kind of social experience that we're trying to build. But you can't have a Facebook account if you're under 13. So I think it's probably quite a ways off that we'd really build something like this.

And there are also some pretty fundamental physical challenges with it. The device is designed for people who have a certain IPD (interpupillary distance) range, how far apart your eyes [are]. And different things like the weighting of the device are designed for people who have a certain amount of neck strength, for example. So not small kids, but at least people in their teens and adults. Those are things that I think will have to be overcome before you design even just hardware that I think really makes sense for younger kids to be wearing for an extended period of time.

But it is certainly interesting. I think over the long term, education is certainly going to be one of the really promising verticals here. We already see and I hear these stories all the time in higher ed.
There was actually an experiment that was run, comparing heart surgeons with training in 3D, so that they can see the heart and see some of the things that they were doing, compared to people who had just been in lectures and experienced it in a more theoretical way. And my understanding is that the people who had the VR training generally performed better, which intuitively makes a lot of sense. So giving people the ability to do things hands-on and to experience them I think is going to beat being lectured to or just reading a book a lot of times in the future. There are opportunities to build those kinds of educational experiences. Not just for the youngest kids, but even today, teens can use this, and people who are doing higher education can do this.

There are even opportunities to do this in ways that are not traditionally what you'd think about as education. One view on communication technology is that they're basically technologies around sharing a perspective. Some people describe books that way. Basically, books are a technology for sharing a perspective and trying to internalize someone else's perspective. And there's certainly film, and other things try to do that well. But in a lot of ways, I think virtual reality is the ultimate, because it literally lets you embody someone and walk in their shoes, and experience some of what they're actually seeing and feeling around them. So I think that's going to be pretty powerful for not just school-type learning, but culture and sharing each other's experiences, and getting more empathy for what other people are experiencing around the world as well.

My kids are 12 and 8, and your kids are much younger. I don't use VR that much with them at all. But I was curious if you ever thought of a moment when you might use VR with your kids?

I haven't done that yet. Max is five now, and she sees me doing it and thinks that looks like I'm having a lot of fun. She has certainly asked if she can jump in.
I told her when she's older. But it's an interesting question on all this stuff. The only other thing that I'd add, on top of all the challenges that we've talked about so far, is that part of the work that we do with younger kids -- we work on Messenger Kids, for example, making it an experience that parents can really control -- we do a lot to consult with experts to make sure that we're doing this in a good way. I don't think this is ever going to be something that we here at Facebook just decide, here's how it should be for younger kids and therefore we're going to go do it. This will be something that -- this is not the top priority or near priority anytime soon, there's a lot of other challenges that I think we need to solve to help expand virtual reality and help more people experience this -- but I do think you're highlighting what I think, you know, in kind of a 10- to 20-year future, I think people are going to want to use this in this way. I think we'll approach that by being more open with the community of educators and experts, and really taking their lead on what the right way is to approach this.

When you mention work in VR and aiming to get Facebook employees to work in VR, is that happening now? Do you find that you're doing certain types of work in VR or are you setting up a sort of a routine for that with people right now?

Over the next several months, some more people are going to start going back into the offices, especially as vaccines ramp up. We're trying to figure out what the new rhythm is going to be. That's part of what I'm trying to figure out, exactly, how that's going to all fit together. But for example, you can conceivably have a meeting that's hosted in virtual reality, where some people who aren't in virtual reality can videoconference in and be a part of the meeting, just like if you were in a physical meeting; you can have a screen, and people could be on that screen.
I think being able to make it so as many people who are not together can feel like they're present -- and I think virtual reality can be a big part of that -- that to me seems like a good direction for us to go in. And then given that this is such a big focus for our company, I really believe in dogfooding your own products. Which is I guess our technical term for eating your own dog food, which is basically saying if you're in the middle of building out a product, what the best practice is is to use your product all the time. If we want to get better and better, then I do think we will be well served by having a lot of people inside the company, and outside, use it.

Some of the meetings that I've had in virtual reality so far are... it's pretty good. It's interesting and it's different from video chat calls. Just to start off and be fair on some of the places where it's not as good right now are, obviously if you're on a video call, you can get a little higher resolution on the person's face. We don't quite have perfectly realistic avatars yet in VR in the way that we do if you're on a Zoom call, for example. But there's technology that we're working on that will hopefully get there over the coming years.

But then I think that there are all these things that are actually quite a lot better about meeting or being present in VR than even Zoom calls today. I mentioned this before, but a lot of how we as people process, even remember things, is through a shared sense of space.
So if you're sitting in a room with someone, if you're on my right, and we're sitting on a couch, we have a shared memory where it's like, all right, I remember that you were kind of sitting next to me, you're on my right on the couch, and if you're on my right, that means I'm on your left, so we kind of have a shared sense of what's going on in the space, and all of our different memories -- my visual memories of thinking of turning to my right and seeing you, my audio memory as I'm hearing the audio coming from the right -- that stuff all ends up being pretty important in terms of imprinting memories, and feeling like this is a real experience where you're present in a space together. And you don't get that on video calls today.

I find that when I'm on a bunch of video calls, they all kind of blend together and I have a hard time remembering exactly which call something was said on, or it's just kind of harder to place it because there's no real sense of space. There's certainly no shared sense of space. If you're saying something and it's not coming from my right or my left, and if you're kind of in the upper right-hand corner on my Zoom screen, that doesn't mean that I'm in any particular place on yours -- there's no shared sense of that at all.

Even though the avatars aren't quite fully defined yet -- although we did just roll out a new avatar system, which is pretty good, and is certainly a big step in this direction -- even without that piece kind of fully being in its final state yet, I still think there are a lot of advantages to the presence that you get in virtual reality compared to the other modes of communication that we have. If we're already there with the fidelity of experiences that are possible today, to me that just says, wow, in five years this is going to be clearly better on almost all of these fronts for a lot of the things that we do.
Source: Mark Zuckerberg on Facebook's VR future: New sensors on Quest Pro, fitness and a metaverse for work
  8. Facebook Acquires ‘Onward’ Developer Downpour Interactive in Fourth VR Studio Acquisition

Facebook today announced its fourth VR studio acquisition. This time it’s Downpour Interactive, the studio behind the popular VR shooter Onward, which has been continuously developed since its Early Access launch on PC back in 2016. More recently the game launched on Oculus Quest, where it has become one of the headset’s most popular titles.

Facebook announced the acquisition today on the Oculus blog, saying that it is “eager to support Dante [CEO] and Downpour Interactive in growing Onward as one of the foremost multiplayer VR games […].” The company also promises that “Onward will continue to be supported on all its current platforms,” including Steam.

The company says that the entire Downpour Interactive team will join Facebook “in some capacity,” and that the team has “exciting plans for future Onward updates and future projects.” Downpour Interactive had been working with Coatsink as a publisher, though it isn’t clear if the company was involved in the deal; the terms of the acquisition were not announced.

Downpour Interactive CEO Dante Buckley shared a message about the acquisition on the official Onward website:

Today is a very exciting day for Onward and the Downpour team, we are joining Oculus Studios at Facebook! I remember when I wrote the first line of code for Onward and walked around “Cargo,” one of the first maps in game. Putting on a VR headset and building this dream game was a magical experience every day. From those early days to now, Onward and Downpour have grown and made huge strides in the VR industry. I can’t thank my team enough for their hard work and dedication, as well as our passionate and dedicated player community. With us joining Oculus Studios at Facebook, we can now realize Onward’s full vision with tremendous support and resources. This means a better game for all our players on all platforms.
There are no changes in hierarchy or in vision, everyone at Downpour is still working hard to deliver you the best game possible. Thank you all for your continued support, and stay tuned for future updates and content.

Today’s acquisition marks the fourth VR studio that Facebook has bought, seemingly in an effort to have greater control over the destiny of killer VR apps and the talent behind them. Facebook has also acquired Beat Games (Beat Saber), Sanzaru Games (Asgard’s Wrath and others), Ready at Dawn (Lone Echo and others), and now Downpour Interactive, all within the last year and a half. While Facebook and Downpour Interactive have promised to continue to support Onward on Oculus and non-Oculus platforms alike, it seems likely that future titles from the studio will be exclusive to Oculus.

Source: https://www.roadtovr.com/facebook-acquires-downpour-interactive-onward/
  9. A New Facebook Bug Exposes Millions of Email Addresses

A recently discovered vulnerability discloses user email addresses even when they’re set to private.

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public.

A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.

"As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

Ars obtained the video on condition the video not be shared. A full audio transcript appears at the end of this post.

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."

A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it." Facebook has been under fire not just for providing the means for these massive collections of data, but also for actively promoting the idea that they pose minimal risk to Facebook users. An email that the company inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." Facebook has also made the distinction between scraping and hacks or breaches. It's not clear if anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped," the researcher said. Here's the written transcript of the video: So, what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query email addresses within Facebook, and have Facebook return any matching users. This works with a front-end vulnerability with Facebook, which I've reported to them, made them aware of, um, that they do not consider to be important enough to be patched—which I would consider to be quite a significant privacy violation and a big problem. This method is currently being used by software which is available right now within the hacking community. 
Currently it's being used to compromise Facebook accounts for the purpose of taking over Pages groups and, uh, Facebook advertising accounts for obviously monetary gain. I've set up this visual example within no JS. What I've done here is I've taken 250 Facebook accounts, newly registered Facebook accounts, which I've purchased online for about $10. I have queried or I'm querying 65,000 email addresses. And as you can see from the output log here, I'm getting a significant amount of results from them. If I have a look at the output file, you can see I have a user ID name and the email address matching the input email addresses, which I have used. Now I have, as I say, I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 accounts. I have tested this at a larger scale, and it is possible to use this to extract feasibly up to 5 million email addresses per day. Now there was an existing vulnerability with Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it. So I am reaching out to people such as yourselves, in hope that you can use your influence or contacts to get this stopped, because I am very, very confident this is not only a huge privacy breach, but this will result in a new, another large data dump, including emails, which is going to allow undesirable parties, not only to have these email-to-user ID matches, but to append the email address to phone numbers, which have been available in previous breaches. I'm quite happy to demonstrate the front-end vulnerability so you can see how this works. I'm not going to show it in this video, simply because I don't want the video to be, um, I don't want the method to be exploited. But I would be quite happy to demonstrate it if that is necessary. 
But as you can see, it continues to output more and more and more. I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped. Source: A New Facebook Bug Exposes Millions of Email Addresses
  10. A Tale of 3 Data 'Leaks': Clubhouse, LinkedIn, Facebook Confusion Over Hacking, Scraping and Amassing Highlights Data Lockdown Imperative Post to cybercrime forum describes Clubhouse user data being offered for sale Criminals love to amass and sell vast quantities of user data, but not all data leaks necessarily pose a risk to users. Even so, the ease with which would-be attackers can amass user data is a reminder to organizations to lock down inappropriate access as much as possible. That's a takeaway experts offer after large tranches of data recently became available for sale or for free. The data allegedly was obtained from three social networks: Clubhouse, LinkedIn and Facebook. Scammers can use such data to target individuals via social engineering attacks, and phishers can use it to craft lures, among other potential threats. Clubhouse - a startup social media network accessed via an app - and LinkedIn have both confirmed that large amounts of their user data has appeared online. But both services say the data, which is being offered for sale on darknet forums, was scraped from public-facing pages. So what buyers would be paying for is getting access to all of this public information at once. The story is different, however, with the latest Facebook data breach to come to light. Earlier this month, 533 million users' details - including phone numbers that were set to not display on their profiles - were being offered for free online after having been available for purchase. In response, Facebook said attackers had obtained the data "not through hacking our systems but by scraping it from our platform," apparently by abusing an API that Facebook built to allow users to find each other. "If you provide an API … work on the assumption of it being abused." 
—Troy Hunt Experts say the resulting records, linking people's names, email addresses, phone numbers and more, are a potential gold mine for fraudsters and phishers (see: Facebook Tries to 'Scrape' Its Way Through Another Breach). Ireland's Data Protection Commission is probing the breach, in line with its authority to enforce the EU's General Data Protection Regulation. Facebook says it's attempting to trace the posted information back, and it has suggested that the data dump may include information amassed from multiple sources, not all of them involving private information held by the social network and its ancillary services. LinkedIn: 'Not a Data Breach' While a Facebook feature appears to have exposed private data for more than a half-billion users, the story looks different for LinkedIn and Clubhouse. Last week, a cybercrime forum seller began advertising 500 million LinkedIn records, offering 2 million of the records as a sampler for $2 in forum credits and access to all records for a four-figure sum, CyberNews first reported. The seller said the profiles included "emails, phone and other details." In a statement released on Thursday, LinkedIn said the data involves only information that is already publicly accessible via its site and may have been combined with information from other sites. "We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies," LinkedIn says. "It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we've been able to review." In other words, while seeing so much user data get amassed in one place might be concerning - and of use to social engineers and others - this information was already in circulation. 
Clubhouse Data Also Scraped The same also appears to be true for Clubhouse, which saw information from about 1.3 million user profiles get posted on a cybercrime forum on or around Saturday. The poster said that the data had been scraped from Clubhouse using one of its APIs. Clubhouse is an iOS-based app that enables users to set up virtual audio chat rooms, to which most participants will then be listening in. The service, which launched early last year, is still invite-only, but the Guardian reports that buzz over Clubhouse has been building, especially after Tesla founder Elon Musk used it in February to host a popular chat. The scraped Clubhouse data includes name and username, user ID, profile photo, number of followers, number of other Clubhouse users followed, an account creation date, who invited the user to the platform and sometimes Instagram and Twitter handles. The data does not include personally identifiable information, such as phone numbers, email addresses or other sensitive information. In a statement posted to Twitter on Sunday, Clubhouse denied that it had been breached or hacked after reports emerged that user data had appeared on the cybercrime forum. This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo— Clubhouse (@joinClubhouse) April 11, 2021 Clubhouse officials didn't immediately respond to a request for further comment. Expert View: The API Challenge The posted Clubhouse data poses no risk to users, says Jane Manchun Wong, a Hong Kong-based software engineer and security researcher who often blogs about unreleased features in popular applications. "The kind of data gathered here is no different than going to someone's Clubhouse profile and taking a screenshot," Wong says. 
The data was likely scraped using one of Clubhouse's "private" APIs or one that is used by its app to retrieve data, Wong says. Whoever downloaded the data may have simply cycled through user IDs sequentially, she says. Not seeing any private info in this "leaked data" of Clubhouse The user IDs are numerical. So it just seems like someone scraped the data by hitting Clubhouse's private API, iterating from user ID 1 to beyond https://t.co/MBWG46JmCB— Jane Manchun Wong (@wongmjane) April 11, 2021 Services generally use rate-limiting and other defensive measures to ensure their APIs aren't abused. Wong says that if the data was obtained by iterating through numerical user IDs, Clubhouse should have enabled rate limiting on its private API if it does not already do that, because its users have an expectation of privacy. But even with rate limiting, amassing all of this information would still be possible. "It'll only be slower, but it can still be done," Wong says. Troy Hunt, creator of the free Have I Been Pwned data breach notification service, says APIs pose this paradox: If developers want to make users discoverable to other users, it's difficult to ensure that the underlying API will only be used for that purpose - in other words, by only the right users and for the right reasons. "If you provide an API, regardless what you protect with rate limiting," expect that whatever data it touches "will be aggregated," Hunt says. "You work on the assumption of it being abused." Source: A Tale of 3 Data 'Leaks': Clubhouse, LinkedIn, Facebook
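The enumeration and rate-limiting points above, as an added example that is not part of the original article or any of the services' code: it flags clients that walk a profile API by sequential user ID in constructed access-log lines, and quantifies how a per-client rate limit only stretches the job out rather than stopping it. The log format, endpoint path and thresholds are assumptions for illustration.

```python
"""Added example (not code from the article, Clubhouse, LinkedIn or Facebook):
detect sequential user-ID enumeration against a profile API in access logs,
and quantify how little a rate limit buys on its own.
Log format, endpoint path and thresholds are assumptions for illustration."""
import re
from collections import defaultdict

# Assumed log line: "<client ip> <unix ts> \"GET /api/v1/users/<id>\" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "GET /api/v1/users/(?P<uid>\d+)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return (ip, ts, uid) for a profile lookup, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), int(m.group("ts")), int(m.group("uid"))


def sequential_fraction(ids):
    """Share of consecutive lookups whose ID is exactly the previous ID + 1.
    Real users jump between unrelated profiles; a scraper walks 1, 2, 3, ..."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def find_enumerators(lines, min_requests=10, min_seq_fraction=0.8):
    """Map client IP -> sequential fraction for clients that look like ID walkers."""
    ids_by_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _ts, uid = parsed
        ids_by_client[ip].append(uid)
    flagged = {}
    for ip, ids in ids_by_client.items():
        frac = sequential_fraction(ids)
        if len(ids) >= min_requests and frac >= min_seq_fraction:
            flagged[ip] = round(frac, 2)
    return flagged


def hours_to_enumerate(total_users, requests_per_minute, clients=1):
    """Hours for `clients` accounts, each held to a per-client rate limit, to
    walk every ID. The limit stretches the job; it does not prevent it."""
    return total_users / (requests_per_minute * clients) / 60


# Constructed sample log: one client walking IDs 1..12, two ordinary users.
SAMPLE_LOG = [
    f'203.0.113.7 {1000 + i} "GET /api/v1/users/{i + 1}" 200' for i in range(12)
] + [
    '198.51.100.20 1003 "GET /api/v1/users/48213" 200',
    '198.51.100.20 1009 "GET /api/v1/users/7" 200',
    '198.51.100.20 1015 "GET /api/v1/users/91004" 200',
    '192.0.2.5 1004 "GET /api/v1/users/1500" 200',
    '192.0.2.5 1005 "GET /api/v1/users/1501" 200',  # adjacent IDs, too few requests
    'garbage line that the parser must skip',
]

if __name__ == "__main__":
    print("flagged:", find_enumerators(SAMPLE_LOG))
    # 1.3 million profiles (the Clubhouse figure) at 60 lookups/minute per client
    print(f"{hours_to_enumerate(1_300_000, 60):.0f} h with one account")
    print(f"{hours_to_enumerate(1_300_000, 60, clients=50):.1f} h with 50 accounts")
```

The sequential-step signal is what a rate limit never sees; alerting on it (or returning decoy IDs to such clients) is what actually changes the scraper's economics.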
  11. Personal data for 533 million Facebook users leaks on the web It had been circulating privately since January. Hackers were reportedly sharing a massive amount of personal Facebook data in January, and now that data appears to have escaped into the wild. According to Business Insider, security researcher Alon Gal has discovered that a user on a hacking forum has made the entire dataset public, exposing details for about 533 million Facebook members. The data includes phone numbers, birth dates, email addresses and locations, among other revealing info. About 32 million of the users are in the US, while 11 million are from the UK and another 6 million come from India. Gal first spotted the data in January, when Telegram users could pay to search the database. The intruders reportedly took advantage of a flaw that Facebook fixed in August 2019, and the dataset reportedly includes information from before that fix. You might not be in trouble if you're a relative newcomer or have changed key details in the time since the fix, but the breach still leaves many people vulnerable. We've asked Facebook for comment. As Gal noted, Facebook can only do so much when the data is already in circulation and the related flaw is no longer an issue. The social network could notify affected users, though, and there's pressure on the company to alert affected users so they can watch for possible spam calls and fraud. All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8 — Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021 Source: Personal data for 533 million Facebook users leaks on the web
  12. The UK Is Trying to Stop Facebook's End-to-End Encryption The government's latest attack is aimed at discouraging the company from following through with its planned rollout across platforms. The UK is planning a new attack on end-to-end encryption, with the Home Office set to spearhead efforts designed to discourage Facebook from further rolling out the technology to its messaging apps. Home Secretary Priti Patel is planning to deliver a keynote speech at a child protection charity’s event focused on exposing the perceived ills of end-to-end encryption and asking for stricter regulation of the technology. At the same time a new report will say that technology companies need to do more to protect children online. Patel will headline an April 19 roundtable organized by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the encryption standard, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery. End-to-end encryption works by securing communications between those involved in them—only the sender and receiver of messages can see what they say and platforms providing the technology cannot access the content of messages. The tech has been increasingly made standard in recent years with WhatsApp and Signal using end-to-end encryption by default to protect people’s privacy. The Home Office's move comes as Facebook plans to roll out end-to-end encryption across all its messaging platforms—including Messenger and Instagram—which has sparked a fierce debate in the UK and elsewhere over the supposed risks the technology poses to children. 
During the event, the NSPCC will unveil a report on end-to-end encryption by PA Consulting, a UK firm that has advised the UK’s Department for Digital Culture Media and Sport (DCMS) on the forthcoming Online Safety regulation. An early draft of the report, seen by WIRED, says that increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety, and that any strategy adopted by technology companies to mitigate the effect of end-to-end encryption will “almost certainly be less effective than the current ability to scan for harmful content.” The report also suggests that the government devise regulation “expressly targeting encryption”, in order to prevent technology companies from “engineer[ing] away” their ability to police illegal communications. It recommends that the upcoming Online Safety Bill—which will impose a duty of care on online platforms—make it compulsory for tech companies to share data about online child abuse, as opposed to voluntary. The Online Safety Bill is expected to require companies whose services use end-to-end encryption to show how effectively they are tackling the spread of harmful content on their platforms—or risk being slapped with fines by communication authority Ofcom, which will be in charge of enforcing the rules. As a last resort, Ofcom could demand that a company use automated systems to winnow out illegal content from their services. The NSPCC says that this set-up does not go far enough in reining in encryption: in a statement released last week, the charity urged the digital secretary, Oliver Dowden, to strengthen the proposed regulation, preventing platforms from rolling out end-to-end encryption until they can demonstrate that they can safeguard children’s safety. Facebook currently tackles the circulation of child sex abuse content on WhatsApp by removing accounts displaying forbidden images in their profile pictures, or groups whose names suggest an illegal activity. 
WhatsApp says it bans more than 300,000 accounts per month that it suspects of sharing child sexual abuse material. “Ofcom will have to meet a series of tests before it could take action on a regulated platform,” says Andy Burrows, NSPCC’s head of child safety online policy. “That is about being able to require evidence of serious and sustained abuse, which is going to be practically very difficult to do because end-to-end encryption will take away a significant amount of the reporting flow.” Burrows declined to comment directly about the event with the Home Secretary, and whether any policy announcement will be made then. In an email, a Home Office spokesperson wrote that “end-to-end encryption poses an unacceptable risk to user safety and society. It would prevent any access to messaging content and severely erode tech companies’ ability to tackle the most serious illegal content on their own platforms, including child abuse and terrorism.” “The Home Secretary has been clear that industry must step up to meet the evolving threat,” the spokesperson says. Since Facebook’s announcement on the extension of end-to-end encryption in 2019, Patel has grown increasingly impatient and vocal about the dangers of the technology—publicly calling on Facebook to “halt plans for end-to-end encryption”, and bringing up the subject in meetings with her US counterparts and the Five Eyes intelligence alliance of English-speaking countries. While Dowden is working jointly with the Home Office—taking part in conversations with Facebook on the matter—in an online press conference on March 10 he said that end-to-end encryption will not be dealt with in the Online Safety Bill. The comment has caused concern among observers. 
According to a person familiar with policy discussions, technology companies are now increasingly worried that the Home Office could issue a Technical Capability Notice (TCN) against Facebook—that is: an injunction forbidding the company from switching to end-to-end encryption. A TCN would allow investigators with a warrant to keep obtaining decrypted conversations on Instagram and Facebook Messenger, the platforms of main concern because they potentially allow unsolicited messaging between adults and children. In December last year, Sky News reported, quoting Home Office policy advisers, that a TCN would have become an option if the Online Safety Bill did not demand that Facebook kept its ability to spot child abuse—a scenario that would arguably materialize if Facebook had its way with encryption. Jim Killock, executive director at digital rights organization Open Rights Group, says he is “worried that the Home Office will be considering using a secret order (TCN) to force Facebook to limit or circumvent their encryption.” “Facebook would be gagged from saying anything,” Killock adds. Although the action would be targeted to Facebook only, he thinks that such a move would set a precedent. One industry source who has spoken with government figures is skeptical that such a radical scenario will come to pass, pointing out that encryption has routinely been in the Home Office’s crosshairs since Theresa May’s tenure as home secretary started in 2010, but that the technical difficulty—and the unpopularity—of outlawing encryption eventually always prevailed over the rhetorical posturing. 
In a statement, a Facebook company spokesperson said that end-to-end encryption is “already the leading security technology used by many services to keep people safe from having their private information hacked and stolen.” Company executives have previously admitted that the increased rollout of end-to-end encryption will reduce the amount of child abuse reports it makes to industry monitoring groups. “Its full rollout on our messaging services is a long-term project and we are building strong safety measures into our plans,” the spokesperson added. This story originally appeared on WIRED UK. The UK Is Trying to Stop Facebook's End-to-End Encryption
  13. Supreme Court rules Facebook text alerts not akin to robocalls The Supreme Court on Thursday sided unanimously with Facebook, ruling that a notification system the social media giant employs to alert users to suspicious logins does not run afoul of a federal law aimed at curbing robocalls and automated text messages. The decision derailed a proposed class-action lawsuit that sought to hold Facebook liable under a 1991 law that imposed a general ban on automated calls. The justices found that Facebook’s opt-in security notification feature fell outside the law, even though the program was found to have transmitted unwanted text messages. The court rejected an argument from a recipient of unwanted Facebook texts, who claimed that the company’s messaging program amounted to an “autodialer,” which generally involves the use of a random or sequential number generator. “Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sonia Sotomayor wrote for the court. The class-action suit was brought by Noah Duguid, a man who received repeated Facebook text notifications alerting him to unusual login attempts, despite the fact that Duguid says he has never had a Facebook account. Facebook said it was possible Duguid’s phone number was linked to Facebook alerts by the phone number’s previous owner. A trial court agreed with Facebook’s request to toss the case, but a San Francisco-based federal appeals court reversed, prompting Facebook’s appeal to the Supreme Court. Updated at 1:05 p.m. Source: Supreme Court rules Facebook text alerts not akin to robocalls
  14. Facebook disables cyber espionage operation from Chinese group against Uyghur activists Facebook regularly discloses methodologies that it is utilizing to secure its platform from cyberattacks and other malicious activities. Now, the company has announced that its security teams have disabled operations against Uyghur activists. These were being carried out by a group in China known as "Evil Eye" or "Earth Empusa". According to Facebook, these attacks were being predominantly carried out against journalists and activists from the Uyghurs of Xinjiang in China, who are currently living abroad in countries such as the United States, Australia, and Turkey. The cyber espionage model primarily revolved around infecting target devices with malware so they could then be utilized for surveillance. Facebook noted that this was accomplished by distributing links to targets on Facebook. These links would either direct users to lookalike domains for known Uyghur news outlets or to actual websites infected with malicious JavaScript code, which would then infect iOS devices. The company notes that this was a highly targeted activity which only infected devices after they had passed certain checks for IP addresses and browser settings, among other things. In terms of who actually distributed these problematic URLs, Facebook says that malicious actors would pose as Uyghur activists, establish trust with their targets, and then share the links. They also targeted Android users by setting up third-party app stores containing malware-infected apps for Uyghur-themed keyboards, prayers, and the Holy Quran. Facebook went on to say that: We’ve observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. 
Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security. [...] Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity. Actions that Facebook has taken to disable this operation include blocking malicious domains from being shared on its platform, informing affected users, and sharing threat indicators such as hashes and domain names publicly. Source: Facebook disables cyber espionage operation from Chinese group against Uyghur activists
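As an added defensive example (not from the article or from Facebook's investigation), a check for lookalike domains of the kind described above, for use in a URL filter or blocklist review. The outlet domains and candidate hostnames are constructed placeholders, not indicators from the report.

```python
"""Added example (not from the article or from Facebook's investigation):
flag hostnames that imitate a known news outlet, the lookalike-domain lure
described above. The outlet list and candidate hostnames are constructed
placeholders, not indicators from the report."""
import unicodedata

# Characters routinely swapped in to imitate Latin letters. Small on purpose;
# digit folding will also touch legitimate numeric names, so review hits.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",  # Cyrillic lookalikes
    "ı": "i",
}


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def fold_homoglyphs(host):
    """Unicode-compatibility-normalise, then map common confusables to ASCII."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in host)


def registrable_label(host):
    """Second-level label: 'news.outlet.example' -> 'outlet'. Good enough for
    this demo; production code should consult the public suffix list."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, known_outlets, max_distance=2):
    """Return (verdict, matched_outlet); verdicts are legitimate,
    lookalike:<kind>, or unrelated."""
    raw = strip_www(candidate.strip().lower().rstrip("."))
    cand = fold_homoglyphs(raw)
    known = [fold_homoglyphs(strip_www(k.strip().lower())) for k in known_outlets]
    # Exact host or a real subdomain of it. If folding changed the candidate,
    # the match only exists after removing confusables: that is a homoglyph lure.
    for k in known:
        if cand == k or cand.endswith("." + k):
            return ("legitimate", k) if cand == raw else ("lookalike:homoglyph", k)
    cand_label = registrable_label(cand)
    for k in known:
        brand = registrable_label(k)
        if brand in cand:  # brand moved into a subdomain, another TLD, or padded
            return ("lookalike:brand-embedded", k)
        if levenshtein(cand_label, brand) <= max_distance:
            return ("lookalike:near-miss", k)
    return ("unrelated", None)


# Constructed placeholder outlets (not real sites) and candidate hostnames.
KNOWN_OUTLETS = ["uyghur-tribune.example", "www.turkistan-daily.example"]

if __name__ == "__main__":
    for host in ["www.uyghur-tribune.example", "turkistan-dai1y.example",
                 "uyghur-tribune.example.net", "uyghur-tribun.example", "ars.example"]:
        print(host, "->", classify(host, KNOWN_OUTLETS))
```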
  15. Facebook finally explains its mysterious new wrist wearable Will we be able to trust it with a new form of personal data? (Probably not.) Facebook is developing a wrist-worn wearable that senses nerve activity that controls your hands and fingers. The design could enable new types of human-computer interactions. Facebook It first appeared on March 9 as a tweet on Andrew Bosworth’s timeline, the tiny corner of the Internet that offers a rare glimpse into the mind of a Facebook executive these days. Bosworth, who leads Facebook’s augmented and virtual reality research labs, had just shared a blog post outlining the company’s 10-year vision for the future of human-computer interaction. Then, in a follow-up tweet, he shared a photo of an as yet unseen wearable device. Facebook’s vision for the future of interacting with computers apparently would involve strapping something that looks like an iPod Mini to your wrist. Facebook already owns our social experience and some of the world’s most popular messaging apps—for better or notably worse. Anytime the company dips into hardware, then, whether that’s a very good VR headset or a video chatting device that follows your every move, it gets noticed. And it not only sparks intrigue, but questions too: why does Facebook want to own this new computing paradigm? In this case, the unanswered questions are less about the hardware itself and more about the research behind it—and whether the new interactions Facebook envisions will only deepen our ties to Facebook. (Answer: probably.) In a media briefing earlier this week, Facebook executives and researchers offered an overview of this tech. In simplest terms, Facebook has been testing new computing inputs using a sensor-filled wrist wearable. It’s an electromyography device, which means it translates electrical motor nerve signals into digital commands. 
When it’s on your wrist, you can just flick your fingers in space to control virtual inputs, whether you’re wearing a VR headset or interacting with the real world. You can also “train” it to sense the intention of your fingers, so that actions happen even when your hands are totally still. Facebook’s vision for its wrist-worn device includes being able to type on a virtual desktop keyboard. Facebook This wrist wearable doesn’t have a name. It’s just a concept, and there are different versions of it, some of which include haptic feedback. Bosworth says it could be five to 10 years before the technology becomes widely available. All of this is tied to Facebook’s plans for virtual and augmented reality, technologies that can sometimes leave the user feeling a distinct lack of agency when it comes to their hands. Slip on a VR headset and your hands disappear completely. By picking up a pair of hand controllers, you can play games or grasp virtual objects, but then you lose the ability to take notes or draw with precision. Some AR or “mixed reality” headsets like Microsoft’s HoloLens have cameras that track spatial gestures, so you can use certain hand signals and the headset will interpret those signals … which sometimes works. So Facebook has been using this EMG wearable in its virtual reality lab to see if such a device might enable more precise hand-computer interactions. But Facebook has visions for this wrist tech beyond AR and VR, Bosworth says. “If you really had access to an interface that allowed you to type or use a mouse—without having to physically type or use a mouse, you could use this all over the place.” The keyboard is a prime example, he says; this wrist computer is just another means of intentional input, except you can carry it with you everywhere. Bosworth also suggested the kitchen microwave as a use case—while clarifying that Facebook is not, in fact, building a microwave. 
Home appliance interfaces are all different, so why not program a device like this to understand, simply, when you want to cook something for 10 minutes on medium power? In the virtual demo Facebook gave earlier this week, a gamer was shown wearing the wrist device and controlling a character in a rudimentary video game on a flat screen, all without having to move his fingers at all. These kinds of demos tend to (pardon the pun) gesture toward mind-reading technology, which Bosworth insisted this is not. In this case, he said, the mind is generating signals identical to the ones that would make the thumb move, but the thumb isn’t moving. The device is recording an expressed intention to move the thumb. “We don’t know what’s happening in the brain, which is full of thoughts, ideas, and notions. We don’t know what happens until someone sends a signal down the wire.” Bosworth also emphasized that this wrist wearable is different from the invasive implants that were used in a 2019 brain-computer interface study that Facebook worked on with the University of California at San Francisco; and it’s different from Elon Musk’s Neuralink, a wireless implant that could theoretically allow people to send neuroelectrical signals from their brains directly to digital devices. In other words, Facebook isn’t reading our minds, even if it already knows a heck of a lot about what’s going on in our heads. Researchers say there’s still a lot of work to be done in the area of using EMG sensors as virtual input devices. Precision is a big challenge. Chris Harrison, the director of the Future Interfaces Group in the Human-Computer Interaction Lab at Carnegie Mellon University, points out that each individual human’s nerves are a little bit different, as are the shapes of our arms and wrists. “There’s always a calibration process that has to happen with any muscle-sensing system or BCI system. It really depends on where the computing intelligence is,” Harrison says. 
A closer look at the prototype wearable. Facebook And even with haptic feedback built into these devices, as Facebook is doing with some of its prototypes, there’s the risk of visuo-haptic mismatches, where the user’s visual experience—whether in AR, VR, or real space—does not correlate to the haptic response. These points of friction can make these human-computer interactions all feel frustratingly unreal. Even if Facebook can overcome these obstacles in its research labs, there’s still the question of why Facebook—largely a software company—wants to own this new computing paradigm. And should we trust it? This hugely powerful tech company that has a track record of sharing user data in “exchange for other equally or more valuable things,” as WIRED’s Fred Vogelstein wrote in 2018? A more recent report in MIT Technology Review highlights how a team at Facebook assembled to tackle “responsible AI” was undermined by leadership’s relentless quest for growth. Facebook executives said this week that these new human-computer interaction devices will perform as much computing as possible “on device,” which means the information isn’t shared to the cloud; but Bosworth won’t commit to how much data ultimately might be shared to Facebook or how that data will be used. The whole thing is a prototype, so there’s nothing substantive to tease apart yet, he says. “Sometimes these companies have cash piles large enough to basically invest in these huge R&D projects, and they’ll take a loss on such things if it means they can be front-runners in the future,” says Michelle Richardson, director of the Data and Privacy Project at the nonprofit Center for Democracy and Technology. “But with companies of any size, any product, once it’s built, it’s so difficult to overhaul it. 
So anything that can start the conversation on this before the devices are built is a good thing.” Bosworth says Facebook wants to lead this next paradigm shift in computing because the company sees tech like this as fundamental to connecting people. If anything, this past year has shown us the importance of connecting—of feeling like you’re in person, Bosworth says. He also seems to believe he can earn the required trust by not “surprising” customers. “You say what you do, you set expectations, and you deliver on those expectations over time” he says. “Trust arrives on foot and leaves on horseback.” Rose-colored AR glasses, activated. This story originally appeared on wired.com. Facebook finally explains its mysterious new wrist wearable
16. Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems

A researcher says he has earned more than $50,000 from Facebook after discovering vulnerabilities that could have been exploited to gain access to some of the social media giant’s internal systems.

Cybersecurity engineer and bug bounty hunter Alaa Abdulridha revealed in December 2020 that he had earned $7,500 from Facebook for discovering a vulnerability in a service apparently used by the company’s legal department. The researcher said the security hole could have been exploited to reset the password of any account for a web application used internally by Facebook employees.

In a blog post published on Thursday, the researcher said he continued analyzing the same application and once again managed to gain access to it. From there he claimed he was able to launch a server-side request forgery (SSRF) attack and gain access to Facebook’s internal network. Facebook described this as an attacker being able to send HTTP requests to internal systems and read their responses.

“I was able to scan the ports of the local servers and browse the local applications/web apps that the company uses in their infrastructure,” the researcher told SecurityWeek. “I'm sure such a vulnerability in the wrong hands could be escalated to RCE and can pose a huge risk for the company and its customers.”

The social media giant awarded him nearly $50,000 for this second exploit chain.

Abdulridha also claimed the account takeover attack may have allowed a hacker to access accounts for other internal Facebook applications as well, but Facebook told SecurityWeek it had not found any evidence to suggest that the flaw could be escalated to access other internal accounts.

Facebook has clarified that the vulnerabilities reported by Abdulridha actually affected a third-party service designed for signing documents and they impacted anyone using this service, not just Facebook. The company said it worked with the third-party vendor to quickly get the flaws fixed and said it had found no evidence of malicious exploitation, noting that exploiting the weaknesses was a complex task.

The company also pointed out that the first vulnerability only allowed access to accounts within the third-party document signing app, but did not grant access to any employee accounts used for other internal applications.

While the researcher claimed that it took Facebook nearly 6 months to patch the second round of vulnerabilities, the company told SecurityWeek that while the report was only closed in February, the bugs were actually completely fixed — by both Facebook and the third-party vendor — within a few days.

Facebook also said that while it paid out a bug bounty based on the maximum possible impact it could determine, it did not agree with the researcher’s belief that the SSRF vulnerabilities could have been escalated to remote code execution.

Source: Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems
17. Facebook enables the use of hardware security keys on mobile devices

Facebook is expanding support for physical security keys to mobile devices in order to help users secure their accounts.

The site already offers multi-factor authentication via SMS or authenticator apps, but adding support for hardware keys offers users another means of supplementing their passwords and keeping their accounts more secure.

Security keys are the strongest authentication method available. Even if someone does get hold of a Facebook password, they won't be able to pass the authentication challenge unless they have the person's security key. The feature will be available to both iOS and Android users.

In a statement announcing the move Facebook says, "Since 2017, we've encouraged people that are at high risk of being targeted by malicious hackers: politicians, public figures, journalists and human rights defenders. We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use."

You can set up your security key on Facebook by going to the Security and Login section of your account settings.

Photo credit: tulpahn / Shutterstock

Source: Facebook enables the use of hardware security keys on mobile devices
18. A federal judge on Friday approved a $650 million settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users.

U.S. District Judge James Donato approved the deal in a class-action lawsuit that was filed in Illinois in 2015. Nearly 1.6 million Facebook users in Illinois who submitted claims will be affected.

Donato called it one of the largest settlements ever for a privacy violation. “It will put at least $345 into the hands of every class member interested in being compensated,” he wrote, calling it “a major win for consumers in the hotly contested area of digital privacy.”

Jay Edelson, a Chicago attorney who filed the lawsuit, told the Chicago Tribune that the checks could be in the mail within two months unless the ruling is appealed.

“We are pleased to have reached a settlement so we can move past this matter, which is in the best interest of our community and our shareholders,” Facebook, which is headquartered in the San Francisco Bay Area, said in a statement.

The lawsuit accused the social media giant of violating an Illinois privacy law by failing to get consent before using facial-recognition technology to scan photos uploaded by users to create and store faces digitally. The state's Biometric Information Privacy Act allowed consumers to sue companies that didn't get permission before harvesting data such as faces and fingerprints. The case eventually wound up as a class-action lawsuit in California.

Facebook has since changed its photo-tagging system.

SOURCE
19. Facebook to reverse Australia news ban after lawmakers alter bill

Australian Facebook users' News Feeds can once again have actual news in them.

[Image: Facebook's Menlo Park, California, headquarters as seen in 2017. Credit: Jason Doiy | Getty Images]

Facebook has apparently emerged victorious from its standoff with the entire nation of Australia, as lawmakers in that country have agreed to amend a proposed law that would have required Facebook to pay publishers for news content linked on its platform.

The social networking giant last week banned all news posts both in and from Australia to protest a bill under discussion in Parliament. Users inside Australia became unable to share news links of any kind from any source, and users outside Australia became unable to share links from Australian media. Facebook at the time argued that the proposed law "fundamentally misunderstands the relationship between our platform and publishers who use it to share news content."

Facebook's ban turned out to be an extremely blunt instrument, blocking sharing not only of news inside Australia but also of public communications from the government, pages for nonprofit organizations and charities, and other Australian organizations that tried to share links to off-Facebook sites.

Australian Prime Minister Scott Morrison blasted Facebook over the ban, saying last week, "We will not be intimidated by BigTech seeking to pressure our Parliament as it votes on our important News Media Bargaining Code." The government, however, appears to have blinked first, and the Morrison administration is now offering several amendments to the bill, Treasurer Josh Frydenberg said this week.

What’s changing?

As originally drafted, the bill would require "digital platform corporations" to negotiate in good faith with news outlets ("registered news business corporations") to link to their content. If the outlets and the platforms can't reach a deal on their own, they would immediately have to take the dispute into baseball-style arbitration, where a neutral third-party arbitrator looks at both offers on the table and decides which is the better one. The definition of "digital platform corporations" in the bill is crafted such that it would at first apply to only two companies—Google and Facebook, both of which vehemently oppose the proposed law.

The new amendments tweak some provisions of the bill to give platforms a little more breathing room—and basically give both firms a way to buy their way out of the regulation. Google in January also threatened to leave Australia entirely over the bill, but this month it began reaching deals with Australian media instead. The amended bill would explicitly take those kinds of deals into consideration: "A decision to designate a platform under the Code must take into account whether a digital platform has made a significant contribution to the sustainability of the Australian news industry through reaching commercial agreements with news media businesses." Facebook has already reached one such deal with Australian news firm Seven West Media, the companies said Tuesday.

The amendments would also extend the notice period from the government to a corporation before it becomes designated under the law and would create a mediation/negotiation window for publishers and platforms to hash out their own payment schemes before going to arbitration.

The amendments "add further impetus for parties to engage in commercial negotiations outside the Code—a central feature of the framework that the Government is putting in place to foster more sustainable public interest journalism in Australia," Frydenberg said.

Full Facebook service is not yet restored in Australia as of publication time but will be "in the coming days," company executive Campbell Brown said. "It’s always been our intention to support journalism in Australia and around the world," Brown added. "We’ll continue to invest in news globally and resist efforts by media conglomerates to advance regulatory frameworks that do not take account of the true value exchange between publishers and platforms like Facebook."

Source: Facebook to reverse Australia news ban after lawmakers alter bill
20. Facebook news ban is “arrogant,” Australia will not be “intimidated,” PM says

Deploying a blunt instrument on a whole nation is going just as well as you'd guess.

[Image: News is still very much happening both around the world and in Australia... but you wouldn't know it if you're one of the tens of millions of Australian Facebook users. Credit: Brent Lewin | Bloomberg | Getty Images]

A long-simmering battle between tech firms and the government of Australia became explosive yesterday when Facebook announced that it would block all linking of news publications inside the country. Not only has this change affected Australian and international news publishers, but Facebook's wide net has also caught up governments, nonprofits, and basically anyone else in Australia who posts non-news content to the platform.

Australian lawmakers have been considering a bill that would require Internet platforms such as Google and Facebook ("digital platform corporations") to negotiate in good faith with news outlets ("registered news business corporations") to link to their content. If the outlets and the platforms can't reach a deal on their own, they would have to go to baseball-style arbitration, where a neutral third-party arbitrator would decide whose offer is the better one.

The bill would at first apply to only two companies: Google and Facebook. Both, as you might expect, have expressed consistent opposition to the bill. (Microsoft, operator of remote second-place search engine Bing—which captures between 2 and 3 percent of the market—does not oppose the rules that would apply to its largest competitor.)

After months of complaint, Facebook took the nuclear option on Wednesday, blocking all Australian users from sharing links either from Australian or international sources and blocking everyone else in the world from sharing any links to any Australian news sources.

At a high level, the dispute is not unlike the cable blackouts US consumers are all too used to experiencing. When two parties can't agree, each one points the finger at the other and tells consumers to blame the other guy for the inconvenience. Meanwhile, consumers are stuck in the middle, facing all the harm. And when the fight is between the world's largest online platforms and an entire country, the stakes are high.

Apparently everything is “news”

Facebook's universal block turned out to be as blunt an instrument as you could imagine, and for several hours Wednesday it blocked basically all links from being shared in Australia. The ban hit not only news outlets but also a wide range of other websites and organizations inside Australia. City, state, and national government pages, including departments of health that communicate with the public about the pandemic and weather services that warn about fire hazards, were blocked for several hours before being restored. Facebook even suspended its own page for a while.

Nonprofits were also affected, according to Bloomberg News. Pages for food banks, domestic violence shelters, the Australia Council of Trade Unions, and a wildlife preservation group were all caught up in the ban, as well as pages for some politicians and emergency services departments.

"Government Pages should not be impacted by today’s announcement," a Facebook spokesperson told Bloomberg. "As the law does not provide clear guidance on the definition of news content, we have taken a broad definition in order to respect the law as drafted."

“Arrogant and disappointing”

Facebook's actions were "as arrogant as they were disappointing," Australian Prime Minister Scott Morrison said in—of course—a Facebook post. "These actions will only confirm the concerns that an increasing number of countries are expressing about the behavior of BigTech companies who think they are bigger than governments and that the rules should not apply to them.

"We will not be intimidated by BigTech seeking to pressure our Parliament" as the bill heads to a vote, Morrison added. "I encourage Facebook to constructively work with the Australian Government, as Google recently demonstrated in good faith."

Google in January threatened to exit Australia rather than pay to link to news content. Earlier this week, however, Google made a deal with News Corp—media mogul Richard Murdoch's international company—to pay "significant" sums for access to News Corp's US, UK, and Australian news outlets.

Australian news outlets—the entities the bill is theoretically designed to boost and protect—were similarly displeased. "Despite key issues such as the COVID-19 pandemic having ongoing effects on all Australians, Facebook has today removed important and credible news and information sources from its Australian platform," the Australian Broadcasting Corporation (ABC)'s managing director said in a written statement. "We will continue our discussions with Facebook today following this development."

The NT News, a regional paper, was more blunt. The cover for its Thursday issue reads: "FEBRUARY 18, 2021. THE DAY FACEBOOK WENT TO WAR WITH AUSTRALIA."

Source: Facebook news ban is “arrogant,” Australia will not be “intimidated,” PM says
21. Facebook will block Australian users and publishers from sharing news links in response to new bill

Facebook decided against cutting deals with media partners

Photo by Amelia Holowaty Krales / The Verge

Facebook has decided to block both Australian users and media companies from sharing links to news articles and related content on its main social network, following the country’s proposed landmark regulatory measure that would force tech giants to pay Australian news organizations for using their content. The bill passed the Australian House of Representatives today and is believed to have enough votes to pass the Senate, The New York Times reported.

The bill also targets Google, which at one point last month threatened to leave the country entirely. However, Google has since decided to start cutting deals with major Australian media organizations, like Rupert Murdoch’s News Corp., to comply. Facebook, it appears, will not follow suit — for now.

“The proposed law fundamentally misunderstands the relationship between our platform and publishers who use it to share news content,” reads a blog post from William Easton, the managing director of Facebook Australia & New Zealand. “It has left us facing a stark choice: attempt to comply with a law that ignores the realities of this relationship, or stop allowing news content on our services in Australia. With a heavy heart, we are choosing the latter.”

The policy change from Facebook will have stark consequences for both users and media organizations. Easton’s blog post outlines four distinct categories that will be affected and in what ways:

- Australian publishers: “They are restricted from sharing or posting any content on Facebook Pages. Admins will still be able to access other features from their Facebook Page, including Page insights and Creator Studio. We will continue to provide access to all other standard Facebook services, including data tools and CrowdTangle.”
- International publishers: “They can continue to publish news content on Facebook, but links and posts can’t be viewed or shared by Australian audiences.”
- Australian users: “They cannot view or share Australian or international news content on Facebook or content from Australian and international news Pages.”
- International users: “They cannot view or share Australian news content on Facebook or content from Australian news Pages.”

Facebook says it’s using a “combination of technologies” to restrict news content and it will have processes for reviewing content that was removed inadvertently, although it is not sharing those processes at this time. It also says the news content changes won’t affect any of the company’s other products or services in Australia.

Easton’s blog post makes clear Facebook saw this measure as a last resort. The company cites statistics, like how news content makes up less than 4 percent of what people see in the News Feed and how Facebook drove an estimated AU$407 million in referrals to Australian news publishers, as reasons why it felt the bill unfairly penalizes tech platforms.

“The proposed law fundamentally misunderstands the relationship between our platform and publishers who use it to share news content.”

Facebook also draws a distinction between how news publishers and readers access news content on its social network versus Google’s search engine. “Google Search is inextricably intertwined with news and publishers do not voluntarily provide their content. On the other hand, publishers willingly choose to post news on Facebook, as it allows them to sell more subscriptions, grow their audiences and increase advertising revenue,” Easton argues.

“We were prepared to launch Facebook News in Australia and significantly increase our investments with local publishers, however, we were only prepared to do this with the right rules in place,” Easton goes on. “This legislation sets a precedent where the government decides who enters into these news content agreements, and ultimately, how much the party that already receives value from the free service gets paid. We will now prioritise investments to other countries, as part of our plans to invest in new licensing news programs and experiences.”

Source: Facebook will block Australian users and publishers from sharing news links in response to new bill
22. Big Tech opens wallet for publishers as Australian news code looms

Google and Facebook strike deals in effort to stymie rules on paying for content.

[Image: Close-up photography. Credit: John Lamb | Getty Images]

Google and Facebook are rushing to agree to deals with Australian publishers, offering them the most generous licensing terms in the world in an attempt to persuade Canberra not to apply rules forcing tech groups to pay for news.

MPs began debating legislation on Wednesday to enact the news media bargaining code, which the EU, UK, and Canada are considering as a model for similar regulations to support publishers in their own jurisdictions.

While Google has multi-million-dollar licensing deals with publishers in almost a dozen countries, people involved in negotiations told the Financial Times the sums now under discussion in Australia were “multiple times” the size of those agreements.

The developments in Australia are being closely watched in Europe and the US for evidence the tougher approach will reset the balance between publishers and tech platforms. Among the code’s features is an arbitration system that would make binding decisions on the fees Facebook and Google would have to pay news providers if commercial negotiations fail.

Google signed a letter of intent on Wednesday with Nine Entertainment, one of Australia’s largest media groups, that outlines a draft agreement to use content from its newspaper, television, and Internet assets, according to a person directly familiar with the deal. The tech group said on Wednesday it had also struck a deal with Junkee Media to curate the small online publisher’s content on its recently launched News Showcase service.

Those followed a similar agreement Monday with Seven West Media, a group with TV, newspaper, and digital assets that is reported by Australian media to be worth A$10m to A$30m ($7.7 million to $23 million) per year. By comparison, Google’s recent framework agreement in France with more than 100 publishers is worth about €22 million ($26.5 million) a year in total, according to people familiar with the deal.

Rupert Murdoch’s News Corp and Google are also in talks over a potential global content deal, according to people with knowledge of the negotiations.

Experts said the tie-ups reflected Google’s desire to ensure Canberra did not apply the toughest elements of the code to its core search function, which the US group has warned it could be forced to close down in Australia.

“Google is desperate to not pay for news delivered through their search engine. It looks like they are paying over and above market value to secure deals that specifically exclude Google Search,” said James Meese, a lecturer in communications at RMIT University in Melbourne. Canberra and Google could be coming to some sort of a “tacit agreement,” he added, whereby the government would not apply the code to the tech giant’s search function if it signed enough deals with publishers.

Josh Frydenberg, Australia’s treasurer, said none of the commercial deals would have been struck without the code, which had ushered in a “historic moment” for news businesses. The legislation would be enacted through parliament but the government would decide if it was enforced against Google’s search service or Facebook, he said.

“With respect to the designation of Google Search or Facebook, they are decisions that I would make after receiving the advice” of Australia’s competition regulator, he told Sky. “But if there are commercial deals in place then that becomes a different equation for me.”

Google and Facebook have not released details on how much their deals with publishers are worth, but they are not expected to reach the AU$1 billion a year that News Corp signaled the tech groups owed Australian media owners. Google last year pledged $1 billion over three years to pay global publishers and has said it reached terms with 450 “news partners.”

Facebook has made less progress in signing deals with publishers, although it remains in negotiations, said people directly familiar with the matter.

The Sydney Morning Herald, the Nine-owned newspaper that first reported the draft deal between Google and its parent, said it would be worth more than AU$30 million a year.

Additional reporting by Richard Waters in San Francisco and Alex Barker in London.

Source: Big Tech opens wallet for publishers as Australian news code looms
23. Facebook's next attempt at hardware may be a smartwatch

A report suggests Facebook's first watch could go on sale next year.

[Image credit: Pheelings Media via Getty Images]

Facebook's past forays into hardware have had mixed results, ranging from well-regarded Oculus VR headsets to an ill-fated phone tie-up with HTC. Now The Information cites anonymous sources saying the company will try again with a smartwatch that includes a built-in cellular connection. The report claims an initial version could arrive next year powered by an open-source version of Android, with a follow-up in 2023, all in service of trying to control the next computing platform after smartphones.

Of course, it's unclear whether that effort will work -- seen anyone using a Portal lately? -- especially considering the privacy issues around Facebook and looming investigations by regulators.

Source: Facebook's next attempt at hardware may be a smartwatch
24. We uncovered a Facebook phishing campaign that tricked nearly 500,000 users in two weeks

Our investigation into a malicious Facebook Messenger message uncovered a large-scale phishing operation on Facebook. We also potentially identified the threat actor behind the phishing campaign and his intentions.

“Is that you” is a phishing scam circulating on Facebook in various forms since at least 2017. It begins with a Facebook message sent by one of your friends. The “friend” claims to have found a video or image with you featured in it.

The message masquerades as a video that, when clicked, leads you through a chain of websites infected with malicious scripts. These scripts determine your location, the device you are using, and your operating system. They then lead you to a malicious Facebook phishing page in order to harvest your credentials, and, depending on your device, infect it with adware or other malware.

Close to 500,000 victims

At the time of writing this report on February 8, the number of potential victims exceeded 480,000 since the phishing campaign began on January 26, 2020, with 77% of the victims being based in Germany.

Based on the large-scale nature of the campaign and the fact that it appears to predominantly target users in Germany, we shared our report with CERT Germany, Facebook, and wal.ee (the URL shortener service used by the threat actor). We also informed the Dominican Republic’s cyber police about the incident.

That being said, it wasn’t immediately clear whether the threat actor behind the phishing operation was using the compromised Facebook accounts for any malicious purpose other than to simply spread the phishing campaign through the victims’ Messenger contacts.

Interestingly, however, the threat actor was using a legitimate third-party web statistics service to track the campaign, which helped us conduct our investigation and find out the start date of the campaign, the number of affected users, and more useful information.

How the phishing campaign works

The message

The campaign is initiated by sending the potential victim a message from one of their Facebook contacts. The message contains what appears to be a video link with a suggestive text that asks the victim ‘Is that you?’ in German. It seems that the message employs Facebook’s Open Graph protocol to manipulate the fake video preview to include the recipient’s name.

After clicking the malicious link, the victim is redirected to a fake Facebook phishing page.

The “legitimate” phishing page

Interestingly, the malicious script that redirects the victim to the phishing page is hidden in what appears to be a compromised legitimate website.

http://108xxxxxxx.rsc.cdn77.org/Uploaded/Content/26d0ba85d866423db3d591c9835d72ef/saliendopadentro.xml

The website appears to be legitimate. However, a malicious XML file has been injected into its code. The file has a small script that triggers a redirect to a short URL, which then leads the victim to a malicious phishing page. Using a legitimate website to host malicious redirect scripts makes the phishing attack more effective as it can be used to bypass Facebook’s blacklists.

How we uncovered the threat actor behind the campaign

As we investigated the phishing page, we learned that it includes HTML content with Open Graph metadata and obfuscated images with Base64 encoding. To our surprise, we found that the malicious script was signed by the author. Translated from Spanish, the author’s signature means: Developed by BenderCrack.com

The domain mentioned in the signature no longer exists. However, upon further investigation, we discovered a Facebook page that could be connected to the creator of the malicious script:

Meanwhile, the original phishing page also includes a script designed to harvest credentials entered by the victims and collect their location data:

The malicious scripts are hosted on the threat actor’s private server: https://lapirixxx.xyz

We also discovered legitimate third-party service-tracking code implanted in the phishing page. After obtaining the identifier, we were able to access the threat actor’s dashboard to determine the scale of the campaign. It appears that since the start of the malicious campaign, a total of more than 480,000 users have ended up clicking the phishing link.

Since we had access to the threat actor’s dashboard, we were able to identify the devices and browsers predominantly used by the affected users. We were able to identify and correlate other, potentially malicious activities that we traced to the same threat actor. The Facebook phishing campaign is named Tamo Trabajando, which means “we’re working.”

The motive

Even though Facebook has a rigorous system of checks to stop the spread of malware and malicious links, these types of campaigns are sophisticated enough to at least temporarily bypass those measures.

It’s clear that the “Is that you” phishing campaign was targeting German residents in order to harvest their credentials. What was not immediately clear, however, is whether the mass abuse of breached Facebook accounts was perpetrated in order to do anything else besides spreading the campaign. What could point to the threat actor’s further motives, however, is the fact that after having their credentials harvested, the victim was redirected to a malicious website that served them either adware or malware.

The threat actor’s other campaign – Blacksar Inc. – appears to be associated with additional malicious websites and malware campaigns. We have observed more Spanish words in the code, such as saliendopadentro, Desarrollado por etc. One of the malicious Blacksar domains was registered from the Dominican Republic, which strongly suggests that the threat actor is from a Spanish-speaking country or even the Dominican Republic itself.

One interesting campaign and tracking code was LA PARITA, which tracked a particular personal Facebook profile and its visitors. That person seemed to be based in the Dominican Republic.

At this point, we have sent our report, our open-source intelligence, and all the remaining details we gathered during our analysis to the Computer Emergency Response Teams (CERTs) in Germany and the Dominican Republic.

Steps we’ve taken to mitigate the threat

- We have reported the phishing campaign with the relevant information to Facebook to help stop the spread of the campaign on the social media platform.
- We have informed the wal.ee link shortening service to disable the short URL that redirects to the malicious Facebook phishing page. At the time of publishing they have removed the malicious script from their website.
- We have sent all the relevant information and evidence from our investigation to CERT Germany since it is evident that the campaign primarily targets German citizens.
- We have sent the relevant information to Dominican CERT, as some artefacts and evidence suggest that the campaign was launched from there.
- We have informed the website compromised by the threat actor that it serves malicious scripts.

How to protect yourself against phishers

- Use unique and complex passwords for all of your online accounts. Password managers help you easily create strong passwords and notify you of password reuse.
- Use multi-factor authentication where possible.
- Beware of any messages sent to you, even from your contacts. Phishing attacks usually employ some type of social engineering to lure users into clicking malicious links or downloading infected files.
- Be mindful of any suspicious activity on your Facebook or other accounts.

Source: We uncovered a Facebook phishing campaign that tricked nearly 500,000 users in two weeks
25. Covid-19 Vaccine Scams Spread Under Facebook and Telegram's Watch

Don’t use an iTunes gift card to purchase doses of the vaccine online.

A health worker prepares a Covid-19 vaccine injection. Photograph: ALAIN JOCARD/Getty Images

Scammers have flooded Facebook and other social media platforms with Covid-19 scams for almost as long as the disease has had a name. Now, as desperation builds for access to a limited vaccine supply, internet charlatans have escalated in kind, offering shipments of doses in Facebook groups and Telegram chats.

According to a new report from internet safety nonprofits Digital Citizens Alliance and the Coalition for a Safer Web, researchers had no trouble finding vendors with claims of vaccines ready to ship. The offers ranged from Facebook page operators willing to ship Sinovac Covid-19 vaccine, which is not authorized for use in the United States, from China, to apparent scammers on Telegram claiming to have access to Moderna, Pfizer, and AstraZeneca’s vaccines. The researchers say they looked for but did not find comparable activity on Twitter, Instagram, and YouTube. While similar scams had previously surged on the dark web, their presence on mainstream social networks with billions of users exposes a much wider population to potential harm.

“What you find is that these questionable masks, PPE, treatments, tests are being sold on these Facebook group pages that actually act as marketplaces for the sale and buying of questionable Covid-19 products,” says Eric Feinberg, vice president for content moderation at CSW. “Early in January I started noticing on these pages that posts by what I would call questionable Facebook accounts were appearing, pushing these questionable vaccines from China.”

The researchers observed several posts in coronavirus-related Facebook groups that referenced Covid-19 vaccines without explicitly offering them for sale. Many of those posts did, however, include international phone numbers for more information.

A page identifying itself as Hongyu Medical made contact even easier by including a Facebook Messenger link in a post on January 12. The researchers reached out and asked if Hongyu was selling the vaccine. The answer was yes. The Hongyu representative sent a picture of a Sinovac vaccine box as proof. The conversation eventually moved to email, where the rep provided documentation about the vaccine’s efficacy. At one point, the seller searched on LinkedIn for the researcher, whose profile clearly states that they live in the United States. The deal only collapsed when the researcher conceded that they had no prior experience importing drugs. “You’d better contact with someone who imported medical products before, or though we send to you, the package would be held by your custom, and you will face high penalty,” the vaccine peddler wrote.

The Hongyu Medical page is no longer up on Facebook. Nor is Zhejiang Hongwan Biotech, another entity that openly advertised that the Sinovac vaccine was “coming soon and available soon” in a January 11 post. It's unclear how widespread the problem has been, but Feinberg says he saw multiple vendors beyond those mentioned in the report.

“We removed the Pages flagged in this report because we prohibit anyone from selling Covid-19 vaccines on our platform and are always working to stop efforts to circumvent our rules,” a Facebook spokesperson said in a statement. “We have expanded our efforts to remove more vaccine misinformation, including false claims about the Covid-19 vaccine.”

But Feinberg says those efforts have not ramped up nearly enough. “The only time they do take ownership is when it’s reported, when someone like us takes the time and money and research to do this,” he says. He points to Facebook groups, in particular, as a breeding ground for this sort of activity, and to the platform’s recommendation engine as a compounding factor.

The researchers were unable to confirm whether Hongyu Medical had a supply of legitimate vaccine or planned to ship a counterfeit. Either scenario would be alarming in its own way. But what they found on Telegram seems much more clearly to have been a pure scam.

One seller found in a Telegram channel called Corona Virus Vaccines claimed to be based in Richmond, Virginia, and offered the Pfizer vaccine for $150 a vial. They charged $180 for Moderna. Overnight shipping within the US tacked on another $25, with a guarantee that the doses would be “ice packed.” (Both vaccines require ultra-cold storage for long periods, which has complicated distribution even for health authorities.) More damningly, the seller requested payment in the form of an iTunes gift card, a hallmark of scam deals, before finally agreeing to PayPal.

The researchers went through with a purchase of alleged Pfizer vaccine on January 25, and immediately ran into more signs of fraud. The seller said that the vial would be shipped via “Delta Express,” with a link to a supposed airline website. While there is a Delta Express freight shipping company, and while Delta did operate a subsidiary of that name from 1996 to 2003, the “Delta Express” used by the vaccine sellers appears to be a fabricated entity. According to a WhoIs records search, the site was registered on December 16 of last year. It contains multiple misspellings and capitalization errors. And WIRED found that large chunks of its “About Us” page are copied and pasted from the sites of other, legitimate logistics businesses. A call to the Delta Express phone number redirected to a Google Voice mailbox, and an email to its listed contact address went unanswered.

“It’s never a surprise to find scammers or black marketeers try to take advantage of a crisis. We see it every time. We see it in fundraising after a hurricane. We saw it early on in the Covid-19 crisis with the fraudulent sale of masks and other equipment,” says Tom Galvin, executive director of the Digital Citizens Alliance. “A typical person could be fooled by seeing this website, even with the mistakes it has on it, into thinking it’s legitimate.”

Within a few days, the researchers received an email from Delta Express claiming that the shipment had cleared customs. More than a week later, they received a follow-up from the same address claiming that they needed to pay an additional $150 for insurance. The preferred method of payment: an iTunes gift card.

While the process should set off multiple alarms, scammers have always specifically targeted desperate people who may be more inclined to ignore those warnings. At a time when vaccine availability and distribution still lag far behind demand, there’s no shortage of potential marks. The Telegram channel from which the researchers made their purchase is still active, with well over 4,000 members. Another Telegram channel that openly advertises vaccines for sale has nearly 100 members. Telegram was the most-downloaded app in the world in January, according to data from analytics company Sensor Tower; it surpassed 500 million active users that month as well. Telegram did not respond to a request for comment.

“What we want to do is public awareness so that people realize that trying to look online—we get that they’re desperate—but trying to look online for a vaccine probably will not have a good outcome,” says Galvin. “Any situation where you have someone trying to scam people only does more to undermine trust in the vaccine itself.”

Covid-19 Vaccine Scams Spread Under Facebook and Telegram's Watch