Facebook Penetration Testing is Illegal Legal Permitted Investigative Reporting

My how things change in just a few years. Today, AP reporters proudly proclaim their “investigation” of a security loophole on Facebook, describing how they used the hack to peruse materials that clearly were posted to Facebook with an expectation of privacy:

“A security lapse made it possible for unwelcome strangers to peruse personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the Web site’s privacy controls. The Associated Press verified the loophole Monday after receiving a tip…Using Ng’s template, an AP reporter was able to look up random people on Facebook and see the most recent pictures posted on their personal profiles even if the photos were supposed to be invisible to strangers. The revealed snapshots showed Italian vacations, office gatherings, holiday parties and college students on spring break. The AP also was able to click through a personal photo album that Facebook co-founder Mark Zuckerberg posted in November 2005.”

Just a few years ago, Adrian Lamo was hunted as a fugitive from justice for similar URL playfulness:

“Lamo has become famous for publicly exposing gaping security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited — sometimes visiting their offices or signing non-disclosure agreements in the process. Until now, his cooperation and transparency have kept him from being prosecuted. Lamo’s hacked Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies have even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.”

They ordered Lamo to pay $65,000 for so-called “use” of LexisNexis (even though the usage was on an unlimited plan), plus six months of home confinement and probation. Truth is, when he hacked the NY Times and exposed their sloppy-at-best online security, he demonstrated how unworthy the Times was of trust, and thus how foolish some very high-profile people were for trusting the New York Times:

“…he penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times’ private intranet, making the latter accessible to anyone capable of properly configuring their Web browser. Once inside, Lamo exploited weaknesses in the Times’ password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper’s employees, … a database of 3,000 contributors to the Times op-ed page, containing such information as the social security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford.”

Today it’s not only OK for the AP reporter to browse around inside, but to write about it as if it were good investigative reporting. We only know what they tell us they looked at… they could probably have looked at anything on Facebook, which, I believe, is why legislators made that sort of activity illegal years ago:

“Lamo has been charged in New York under Title 18 U.S.C. 1030 and 1029…The federal laws prohibit unauthorized access to a protected computer, and illegal possession of stolen “access devices” — a term that encompasses passwords, credit card numbers, and the like.”