●● IRC: #techbytes @ Techrights IRC Network: Saturday, February 19, 2022 ●●
● Feb 19
[00:52] *Despatche has quit (Quit: Read error: Connection reset by deer)
● Feb 19
[01:06] schestowitz "
[01:06] schestowitz Hello everyone,
[01:06] schestowitz While trying to export my real profile, I found out that **anyone can access my exported data** ( profile and photos) from the Internet without any authorization !
[01:06] schestowitz I created a test user ( the present account ) to make sure I hadn't misunderstood. Sadly, the same problem happened. This seems to be a serious problem.
[01:06] schestowitz Does anyone know of this ? Is my privacy at risk ? Is it a recent problem ? If not, since when this issue has been present ?
[01:06] schestowitz I am worried that anyone could have downloaded my profile before and read my private messages without my consent or my knowledge.
[01:06] schestowitz Can you help ? Can someone fix this ?
[01:06] schestowitz Here is the example , anyone can download the exported profile for this test account :
[01:06] schestowitz https://diaspora-fr.org/users/uploads/diaspora_user834534050_data_0_D0c24AaT67cbMxvbLDgg.json.gz
[01:06] -TechBytesBot/#techbytes- ( status 404 @ https://diaspora-fr.org/users/uploads/diaspora_user834534050_data_0_D0c24AaT67cbMxvbLDgg.json.gz )
[01:06] schestowitz Any comment would be appreciated.
[01:06] schestowitz Thanks
[01:06] schestowitz user834534050@diaspora-fr.org
[01:06] schestowitz user834534050@diaspora-fr.org - about 24 hours ago
[01:06] schestowitz UPDATE :
[01:06] schestowitz Hello everyone,
[01:06] schestowitz While trying to export my real profile, I found out that **anyone can access my exported data** ( profile and photos) from the Internet without any authorization !
[01:06] schestowitz I created a test user ( the present account ) to make sure I hadn't misunderstood. Sadly, the same problem happened. This seems to be a serious problem.
[01:06] schestowitz Does anyone know of this ? Is my privacy at risk ? Is it a recent problem ? If not, since when this issue has been present ?
[01:06] schestowitz I am worried that anyone could have downloaded my profile before and read my private messages without my consent or my knowledge.
[01:06] schestowitz Can you help ? Can someone fix this ?
[01:06] schestowitz Here is the example , anyone can download the exported profile for this test account :
[01:06] schestowitz UPDATE : Sorry I mistyped the link is : https://diaspora-fr.org/uploads/users/diaspora_user834534050_data_0_D0c24AaT67cbMxvbLDgg.json.gz
[01:06] schestowitz Any comment would be appreciated.
[01:07] schestowitz Thanks
[01:07] schestowitz Michael Fenichel
[01:07] schestowitz Michael Fenichel - about 24 hours ago
[01:07] schestowitz Comment: That url leads to
[01:07] schestowitz 404 These are not the kittens you're looking for. Move along.
[01:07] schestowitz Wondering if you're seeing your cache or relative rather than absolute link.
[01:07] schestowitz Good luck. Hard enough for some of us to access our own data! Hope it's private.
[01:07] schestowitz user834534050@diaspora-fr.org
[01:07] schestowitz user834534050@diaspora-fr.org - about 24 hours ago
[01:07] schestowitz @ psych@diasp.org
[01:07] schestowitz Can you try https://diaspora-fr.org/uploads/users/diaspora_user834534050_data_0_D0c24AaT67cbMxvbLDgg.json.gz ? I have corrected the mistake sorry.
[01:07] schestowitz Dennis Schubert
[01:07] schestowitz Dennis Schubert - about 24 hours ago
[01:07] schestowitz The last part of the filename, D0c24AaT67cbMxvbLDgg, is a 128-bit key, randomly generated for each export. You cannot guess that for any given user and export, and each export will have its own unique key. Unless you yourself share the URL, nobody will know the URL, so nobody else will be able to download the archive.
[01:07] schestowitz user834534050@diaspora-fr.org
[01:07] schestowitz user834534050@diaspora-fr.org - about 23 hours ago
[01:07] schestowitz The last part of the filename, D0c24AaT67cbMxvbLDgg, is a 128-bit key, randomly generated for each export. You cannot guess that for any given user and export, and each export will have its own unique key. Unless you yourself share the URL, nobody will know the URL, so nobody else will be able to download the archive.
[01:07] schestowitz Thanks Dennis ! so it is normal. What if someone guess or use random key to access data randomly , is it possible? How long does the exported data link remain valid ? Are developers aware of this ? ( just to be on the safe side)
[01:07] schestowitz Michael Fenichel
[01:07] schestowitz Michael Fenichel - about 23 hours ago
[01:07] schestowitz OK, @user834534050@diaspora-fr.org, Maybe moot but I got 3 .json & 1 .json.gz.
[01:07] schestowitz But better and more useful the note from Dennis. Still rooting for a good resolution.
[01:07] schestowitz Dennis Schubert
[01:07] schestowitz Dennis Schubert - about 23 hours ago
[01:07] schestowitz What if someone guess or use random key to access data randomly , is it possible?
[01:07] schestowitz It's pretty much impossible. If an attacker could somehow test 1000 random keys per second (which is impossible in reality), the attacker would have to brute force for an average of 5.3 octillion years (2^128/2 = 1.70×10^38 possibilities for a 50% brute). That's not going to happen.
[01:07] schestowitz How long does the exported data link remain valid ?
[01:07] schestowitz 14 days.
[01:07] schestowitz Are developers aware of this ?
[01:07] schestowitz Yes. Given what I said above, it's not an issue.
[01:07] schestowitz (Whoops, I deleted my comment because I made a typo, and didn't copy its contents, so I had to write it again)
[01:07] schestowitz user834534050@diaspora-fr.org
[01:07] schestowitz user834534050@diaspora-fr.org - about 22 hours ago
[01:07] schestowitz Thank you. I don't understand your calculus to be honest. As long as the community agreed to this and, that it is safe enough, that's good enough for me I suppose. It is just that with all the data privacy scandals around, I am becoming less confident with how my data is handled by strangers.
[01:07] schestowitz user834534050@diaspora-fr.org
[01:07] schestowitz user834534050@diaspora-fr.org - about 21 hours ago
[01:07] schestowitz On a side note, Facebook protects data exports with a password so I guess it is important in any case. I still think that even though brute force may take years, like winning the lottery, it just takes one single strike to succeed out of millions, why taking the risk ?
[01:07] schestowitz What security measures are in place to make sure someone else doesn't download a copy of my information?
[01:07] schestowitz We have a number of security measures in place to help keep your account secure and protect your information on Facebook. Before you can begin downloading a copy of your information, we'll first ask you to enter your password. We may also ask you to complete additional verification steps before allowing your download to begin. To help protect your account, your download request will expire after a few days, and you can always request a new one.
[01:07] schestowitz Our security systems are always running to help mitigate threats before they reach you and your friends on Facebook, and we offer tools like Security Checkup and two-factor authentication as additional ways to improve the security of your account. Learn more about keeping your account secure.
[01:08] schestowitz Note: Keep in mind that your data request may contain private information. You should keep it secure and take precautions when storing or sending it, or uploading it to another service. You can always select specific sections when requesting a copy of your information.
[01:08] schestowitz sources : https://www.facebook.com/help/212802592074644
[01:08] -TechBytesBot/#techbytes-m.facebook.com | Help Center
[01:08] schestowitz Dr. Roy Schestowitz ()
[01:08] schestowitz "
[01:08] schestowitz https://joindiaspora.com/posts/22282896
[01:08] -TechBytesBot/#techbytes-@podmin@joindiaspora.com: # Hello JoinDiaspora there is some unfortunate news to share. Feneas will be dissolved and as Joindiaspora is one of the services. JD will also be shut down on 1 March. This is unless we can find someone who wants to take over the service. If you think you can handle the task please contact us via [hq@feneas.org](mailto:hq@feneas.org). You can find the original post below or via https://git.feneas.org/feneas/
[01:08] -TechBytesBot/#techbytes--> git.feneas.org | meetings/agm-minutes-2021-12-09.txt master Feneas / association GitLab
[01:08] -TechBytesBot/#techbytes--> git.feneas.org | meetings/agm-minutes-2022-01-04.txt master Feneas / association GitLab
[01:08] -TechBytesBot/#techbytes--> git.feneas.org | Feneas GitLab
● Feb 19
[05:09] *Despatche (~desp@u3xy9z2ifjzci.irc) has joined #techbytes
● Feb 19
[06:47] *DaemonFC has quit (Quit: Leaving)
● Feb 19
[07:06] *u-amarsh04 (~amarsh04@hngiv8sdpiaf2.irc) has joined #techbytes
[07:38] schestowitz https://twitter.com/BrideOfLinux/status/1494707102786412556
[07:38] -TechBytesBot/#techbytes-@BrideOfLinux: LXer is up again, but it appears we might know what happened. https://t.co/tzN1NhzkfN
[07:38] -TechBytesBot/#techbytes-@schestowitz: I think we now know why #lxer is not reachable. See update in https://t.co/TRtrQG0uXT @brideoflinux @fossforce
[07:39] schestowitz John Bulloch (@QuirkyForum): "Spent 35 years of my life as a political advocate.. Have been an outsider and an insider. Successful protests are funded by small domestic contributions only. Extremist elements try to infiltrate protests of all kinds. It is always about the money and how it is disguised." | nitter https://nitter.eu/QuirkyForum/status/1494674762777473024 #nitter | more in http://schestowitz.com/2022/02/19/#latest
[07:39] -TechBytesBot/#techbytes-nitter.eu | John Bulloch (@QuirkyForum): "Spent 35 years of my life as a political advocate.. Have been an outsider and an insider. Successful protests are funded by small domestic contributions only. Extremist elements try to infiltrate protests of all kinds. It is always about the money and how it is disguised." | nitter
[07:39] -TechBytesBot/#techbytes-schestowitz.com | Social Control Media Posts
[07:39] schestowitz https://twitter.com/DankwahMorrison/status/1494639436839141377
[07:39] -TechBytesBot/#techbytes-@DankwahMorrison: An intolerant bunch...#RIP brother. https://t.co/fjNMRbjQDD
[07:39] -TechBytesBot/#techbytes-@schestowitz: NEWS #AsiaNews #CivilRights Christian killed by a group of Muslims in #Lahore https://t.co/tjN8QyDe6H
[07:47] *psydruid (~psydruid@jevhxkzmtrbww.irc) has joined #techbytes
[07:47] *psydroid2 (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes
● Feb 19
[10:36] *u-amarsh04 has quit (Quit: Konversation terminated!)
[10:48] *u-amarsh04 (~amarsh04@hngiv8sdpiaf2.irc) has joined #techbytes
● Feb 19
[11:05] *psydroid3 (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes
[11:13] *DaemonFC (~daemonfc@zgk86ipra9utw.irc) has joined #techbytes
[11:26] *libertybox has quit (Ping timeout: 2m30s)
[11:27] *libertybox (~schestowitz_log@pumv3cb2rfinu.irc) has joined #techbytes
[11:27] *schestowitz-TR has quit (Ping timeout: 2m30s)
[11:27] *Techrights-sec has quit (Ping timeout: 2m30s)
[11:27] *Techrights-sec (~quassel@pumv3cb2rfinu.irc) has joined #techbytes
[11:27] *schestowitz-TR (~acer-box@pumv3cb2rfinu.irc) has joined #techbytes
● Feb 19
[13:28] *u-amarsh04 has quit (Quit: Konversation terminated!)
[13:29] *u-amarsh04 (~amarsh04@hngiv8sdpiaf2.irc) has joined #techbytes
[13:56] *u-amarsh04 has quit (Quit: Konversation terminated!)
● Feb 19
[14:28] *DaemonFC has quit (Quit: Leaving)
● Feb 19
[20:15] *u-amarsh04 (~amarsh04@hngiv8sdpiaf2.irc) has joined #techbytes
[20:30] *u-amarsh04 has quit (connection closed)
[20:45] *DaemonFC (~daemonfc@389qztengum92.irc) has joined #techbytes
● Feb 19
[21:59] *psydroid3 has quit (connection closed)
● Feb 19
[23:09] schestowitz https://twitter.com/iridesce57/status/1495126060081553412
[23:09] -TechBytesBot/#techbytes-@iridesce57: @schestowitz Played Wii Sports last night with a friend ... #Timeless
[23:10] schestowitz https://twitter.com/ToolWfh/status/1495121245335359488
[23:10] -TechBytesBot/#techbytes-@ToolWfh: @schestowitz Same drama every time , corporate culture dismissed as a singular employee fault. Big4 crooks too big to catch
[23:10] schestowitz https://twitter.com/StansLinux/status/1495098894711205890
[23:10] -TechBytesBot/#techbytes-@StansLinux: @schestowitz What's a better headline? :)
[23:11] schestowitz https://twitter.com/danie10/status/1494981426642620417
[23:11] -TechBytesBot/#techbytes-@danie10: @schestowitz Too true! I've spent years curating free and open source alternatives to #ProprietarySoftware includin https://t.co/kvcl3XJQSF
[23:11] -TechBytesBot/#techbytes-@danie10: @schestowitz Too true! I've spent years curating free and open source alternatives to #ProprietarySoftware includin https://t.co/kvcl3XJQSF
[23:11] schestowitz Danie van der Merwe (@danie10): "Too true! I've spent years curating free and open source alternatives to #ProprietarySoftware including a category for Health and Medical at https://gadgeteer.co.za/opensourcesoftware/" | nitter
